ESOE Metadata Processor Design

Enterprise Sign On Engine Technical Architecture
Written by Bradley Beddoes
September 2006

Architecture design by Bradley Beddoes
Incorporates SAML 2.0, and (L)XACML 2.0 OASIS standards

Contributions by:
Shaun Mangelsdorf
Andre Zitelli

Edited by:
Bradley Beddoes
Shaun Mangelsdorf
Andre Zitelli

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119

Metadata Processor

Component Lead Shaun Mangelsdorf
Package com.qut.middleware.esoe.metadata.impl.*
Type MetadataImpl
Implemented Interfaces com.qut.middleware.esoe.metadata.Metadata
Exceptions InvalidMetadataEndpointException, InvalidMetadataKeyException

The Metadata processor is used internally by the wider ESOE to obtain details about SPEPs that are stored in metadata, specifically the public keys they use to sign SAML documents and the locations of the endpoints referenced in requests.

Metadata retrieval thread

On initialization this component will launch a thread; this thread MUST stay active continuously until the system shuts down. Should it fail in some way, it MUST be automatically recovered by the system.

When executed, this thread will connect to the Metadata provider offered by the [administrator management system|Administrator Management System Design]. The document will be parsed and stored locally in com.qut.middleware.esoe.metadata.Metadata.cache. Before writing to the cache an exclusive lock MUST be obtained, and once the cache is updated this lock MUST be released.

A hash of the retrieved document should be taken and stored as com.qut.middleware.esoe.metadata.Metadata.currentRevision.

This thread MUST execute at configured intervals (default 120 seconds). On each execution a hash of the retrieved document should be taken and compared against com.qut.middleware.esoe.metadata.Metadata.currentRevision. If the values are equivalent, no further action is to be taken and the thread should sleep. If they are not equivalent, the document MUST be parsed and stored locally in com.qut.middleware.esoe.metadata.Metadata.cache; before writing to the cache an exclusive lock MUST be obtained, and once the cache is updated this lock MUST be released. A hash of the retrieved document should then be taken and stored as com.qut.middleware.esoe.metadata.Metadata.currentRevision.

Endpoint Resolver

The following are available to resolve an endpoint:

com.qut.middleware.esoe.metadata.Metadata.resolveAssertionConsumerService

Requests to this method must supply the descriptorID and the index they are interested in. The metadata component will verify these values against its local cache and return the value of the Location attribute of the matching endpoint. (See SAML <md:indexedendpoint>)

Should the supplied values not be resolvable from the cache, the exception com.qut.middleware.esoe.spep.exception.InvalidMetadataEndpointException SHOULD be populated and thrown.

com.qut.middleware.esoe.metadata.Metadata.resolveSingleLogoutService

Requests to this method must supply the descriptorID they are interested in. The metadata component will verify this value against its local cache and return a vector containing all the appropriate values of the Location attribute. (See SAML <md:endpoint>)

Should the supplied value not be resolvable from the cache, the exception com.qut.middleware.esoe.spep.exception.InvalidMetadataEndpointException SHOULD be populated and thrown.

com.qut.middleware.esoe.metadata.Metadata.resolveCacheClearService

Requests to this method must supply the descriptorID they are interested in. The metadata component will verify this value against its local cache and return a vector containing all the appropriate values of the Location attribute. (See SAML <md:endpoint>)

Should the supplied value not be resolvable from the cache, the exception com.qut.middleware.esoe.spep.exception.InvalidMetadataEndpointException SHOULD be populated and thrown.

Key Resolver

The key resolver makes available the keys for validating signatures (and in the future decryption):

com.qut.middleware.esoe.metadata.Metadata.obtainSigningKey

Requests to this method must supply the descriptorID and keyName of the descriptor they are interested in. The metadata component will verify these values against its local cache. For the located <KeyDescriptor>, the value of the use attribute will be evaluated; if it is either not present or set to 'signing', the value of <ds:KeyInfo> / <KeyValue> will be returned to the caller.

Should the supplied values not be resolvable from the cache, the exception com.qut.middleware.esoe.spep.exception.InvalidMetadataKeyException SHOULD be populated and thrown.
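The following is an added illustration, in Python rather than the project's Java, of the hash-compare-then-replace logic described under Metadata retrieval thread together with the endpoint and signing-key lookup rules above. The sample metadata document, the use of SHA-256 as the revision hash, the class and method names, and the locally defined stand-in exception classes are all assumptions, not part of the ESOE code base.

```python
import hashlib
import threading
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample standing in for the document served by the metadata provider.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
 <md:EntityDescriptor entityID="spep-example"><md:SPSSODescriptor>
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>spep-key</ds:KeyName>
     <ds:KeyValue>CONSTRUCTED-SIGNING-KEY</ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
   <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName>
     <ds:KeyValue>CONSTRUCTED-ENC-KEY</ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
   <md:AssertionConsumerService index="0" Location="https://spep.example/acs"/>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

class InvalidMetadataEndpointException(Exception): pass  # stand-in for the ESOE exception
class InvalidMetadataKeyException(Exception): pass       # stand-in for the ESOE exception

class MetadataCache:
    def __init__(self):
        self.lock = threading.Lock()   # exclusive lock held while the cache is replaced
        self.cache = {}                # descriptorID -> <md:EntityDescriptor> element
        self.current_revision = None   # hash of the last document that was parsed

    def refresh(self, document: str) -> bool:
        # One pass of the retrieval thread: re-parse only when the hash has changed.
        digest = hashlib.sha256(document.encode()).hexdigest()
        if digest == self.current_revision:
            return False               # unchanged: the caller sleeps until the next interval
        root = ET.fromstring(document)
        parsed = {e.get("entityID"): e for e in root.iter(f"{{{MD}}}EntityDescriptor")}
        with self.lock:
            self.cache, self.current_revision = parsed, digest
        return True
    def _descriptor(self, descriptor_id):
        # An unknown descriptorID yields an empty element, so lookups fall through and raise.
        return self.cache.get(descriptor_id, ET.Element("missing"))
    def resolve_assertion_consumer_service(self, descriptor_id, index):
        for acs in self._descriptor(descriptor_id).iter(f"{{{MD}}}AssertionConsumerService"):
            if acs.get("index") == str(index):
                return acs.get("Location")
        raise InvalidMetadataEndpointException(descriptor_id, index)
    def obtain_signing_key(self, descriptor_id, key_name):
        for kd in self._descriptor(descriptor_id).iter(f"{{{MD}}}KeyDescriptor"):
            # 'use' absent or 'signing' qualifies; an encryption-only key is never returned
            if kd.findtext(f".//{{{DS}}}KeyName") == key_name and kd.get("use") in (None, "signing"):
                return kd.findtext(f".//{{{DS}}}KeyValue")
        raise InvalidMetadataKeyException(descriptor_id, key_name)
```

In a deployment refresh() would be called from the long-lived retrieval thread with the freshly fetched document on every interval; the second call with an unchanged document returns False without touching the lock or the cache.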
