| metadata-aggregate-protocol-retrieval-02 | C.L. La Joie |
| July 8, 2009 | SWITCH |
Metadata Aggregate Protocol - Retrieval
metadata-aggregate-protocol-retrieval-02
This document defines a set of protocol request/response pairs used to retrieve entity metadata from a metadata aggregation service.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119] .
This set of messages is defined to support the retrieval of entity metadata from a responder.
Each retrieval request is performed by issuing an HTTP GET request to a particular URL. Such URLs are required to have a particular path. A base URL proceeds this path. Such a base URL MUST contain at least the scheme and host name components. It MAY also include a port as well as a path. It MUST NOT include any fragments. If a path is included the path required by the particular retrieval request is appended to path in the base URL.
The following protocol messages use identifiers to reference metadata for single entities as well as collections of entities. The assignment of such identifiers to a particular metadata document (whether it represents a single entity or a collection of them) is the responsibility of the metadata aggregator. An identifier MUST correspond to, at most, one unique document. However, a single unique document MAY have more than one identifier. If a metadata document already contains a well known identifier it is RECOMMENDED that the metadata aggregator uses such natural identifiers unless doing so would cause a collision with an existing entry.
Some protocols employ a transformed version of the ID. This may be done to reduce the overall size of the identifier, escape special characters, obfuscate the identifier, or for various other reasons. A metadata aggregator servicing such protocol MAY identify these IDs by prepending the string '{' + transformation indicator + '}' to the transformed identifier, thus forming a new, unique, identifier. For example, the identifier
http://example.org/service
transformed by means of MD5 hashing would become
{md5}f3678248a29ab8e8e5b1b00bee4060e0 The transformation indicator MUST be composed exclusively of printable ASCII character (0x21-0x7E) excluding '{' (0x7B) and '}'(0x7D). Such an identifier need only make sense in the context of the protocol which it is used. As hashing is a common transformation it is RECOMMENDED that the identifiers 'md5', 'sha1', 'sha256', and 'sha512' be used when those hashing functions are employed as the transformation method.
This protocol message is used to retrieve a metadata document describing a single entity.
A Unique Metadata Retrieval Request is performed by issuing an HTTP GET request. All Single-Entity Metadata Retrieval requests MUST use the URL format:
<base_url>/entity/{id} where the ID uniquely identifies an entity metadata document. The ID MUST be properly URL encoded.
The response to a Unique Metadata Retrieval request MUST be a document that provides metadata for one, singular, entity. In the event that no metadata is registered for the given ID an HTTP 404 (resource not found) status code is returned.
GET /service/entity/http%3A%2F%2Fexample.org%2Fidp HTTP/1.1
Host: metadata.example.org
Accept: application/samlmetadata+xml
Accept-encoding: deflate, gzip
Figure 1: Example Unique Metadata Retrieval Request
HTTP/1.x 200 OK
Content-Type: application/samlmetadata+xml
ETag: abcdefg
Content-Length: 1234
<EntityDescriptor entityID="http://example.org/idp">
.....
Figure 2: Example Unique Metadata Retrieval Response
This protocol message is used to retrieve a metadata document describing a collection of entities. The meaning of such a collection is out of scope for this document. Such collections may, for example, represent all entities participating in a particular community.
A Metadata Collection Retrieval Request is performed by issuing an HTTP GET request. All Metadata Collection Retrieval requests MUST use the URL format:
<base_url>/entity-collection/{id} where the ID uniquely identifies a the metadata of a collection of entities. The ID MUST be properly URL encoded. The collection name '@all' MUST correspond to the complete collection of metadata that the requester is entitled to view. All other IDs beginning with the at symbol ('@') are reserved.
The response to a Metadata Collection Retrieval request MUST be a document that describes a collection of entities. In the event that no collection is registered for the given ID an HTTP 404 (resource not found) status code is returned. In the event that the collection exists, but is empty, an HTTP status code of 200 should be returned with an empty body.
GET /service/entity-collection/euentities HTTP/1.1
Host: metadata.example.org
Accept: application/samlmetadata+xml
Accept-encoding: deflate, gzip
Figure 3: Example Unique Metadata Retrieval Request
HTTP/1.x 200 OK
Content-Type: application/samlmetadata+xml
ETag: abcdefg
Content-Length: 1234
<EntitiesDescriptor>
.....
Figure 4: Example Unique Metadata Retrieval Response
The following query parameter MAY be used with either retrieval message:
A responder MUST support HTTP version 1.1 [HTTP11] .
The following HTTP Headers are of special interest to retrieval requests:
The following HTTP headers are of special interest to retrieval responses:
All responders MUST support the gzip content encoding.
The responder MUST support HTTP basic authentication and SHOULD support X.509 mutual TLS authentication.
Techniques for the efficient retrieval and caching of information helps improve performance and decrease load on various resources. It is RECOMMENDED that requesters support gzip compress content type encoding in order to reduce load on the network. In addition it is RECOMMENDED that requesters cache retrieval results and use conditional queries, based on the ETag when they query for updates.
While a requester may provide a claimed identity by means of the 'requester' query parameter a responder SHOULD NOT trust this unless it can be verified through some authentication mechanism. Once the identity of the requester is established the responder MAY apply access control policies to determine whether a particular request is allowed to access the requested metadata.
As metadata often contains information necessary for the secure operation of interacting services it is RECOMMENDED that some form of content integrity checking be performed. This may include the use of SSL/TLS at the transport layer, digital signatures present within the metadata document, or any other such mechanism.
| [HTTP11] | UC Irvine, Compaq/W3C, Compaq, W3C/MIT, Xerox, Microsoft, and W3C/MIT, “Hypertext Transfer Protocol -- HTTP/1.1”, June 1999, <http://www.w3.org/Protocols/rfc2616/rfc2616.html>. |
| [RFC2119] | Harvard University, “Key words for use in RFCs to Indicate Requirement Levels”, March 1997, <http://tools.ietf.org/html/rfc2119>. |
| [SAMLMD] | Internet2, Sigaba, RSA Security, and Sun Microsystems, “Metadata for the OASIS Security Assertion Markup Language”, March 2005, <http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf>. |