
Metadata Sources

The AAF publishes 3 metadata documents:

  1. https://md.aaf.edu.au/aaf-metadata.xml
    Contains the IdPs and SPs that have been approved to participate in the AAF.
  2. https://md.aaf.edu.au/aaf-edugain-metadata.xml
    Contains the IdPs and SPs from the global eduGAIN metadata source that have been approved for consumption by AAF subscribers.
  3. https://md.aaf.edu.au/aaf-edugain-export-metadata.xml
    Contains the AAF-subscribed IdPs and SPs that have been approved for publication to the global eduGAIN metadata source.

The AAF also provides MDQ endpoints for use:

  1. https://md.aaf.edu.au/mdq/aaf/
    Serves the IdPs and SPs that have been approved to participate in the AAF.
  2. https://md.aaf.edu.au/mdq/aaf_and_edugain/
    As above, plus the IdPs and SPs from the global eduGAIN metadata source that have been approved for consumption by AAF subscribers.

Metadata documents and MDQ endpoints are only accessible over https. http requests to the metadata endpoints are automatically redirected to https; clients should nevertheless be configured with the https URLs directly rather than relying on the redirect.

Signatures

The AAF signs all metadata. Subscribers MUST verify the signature on every metadata document and MDQ response they retrieve, using the signing certificate published at https://md.aaf.edu.au/aaf-metadata-certificate.pem, and MUST NOT load metadata whose signature fails to verify. Note that this file is an X.509 certificate; the public key used for verification is carried inside it.

To confirm that you have obtained the correct certificate, check that the file you downloaded matches all of the following (subject, validity period and SHA-1 fingerprint):

         $> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem

         subject= /O=Australian Access Federation/CN=AAF Metadata
         notBefore=Nov 24 04:27:20 2015 GMT
         notAfter=Dec  9 04:27:20 2035 GMT
         SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A
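The fingerprint check above is worth automating rather than eyeballing, and the same script can drive the signature verification that the text requires on every retrieval. The following is an added example, not AAF's own tooling: it pins the downloaded certificate to the fingerprint published on this page using only the Python standard library (a SHA-1 certificate fingerprint is simply the SHA-1 of the DER encoding, which is the base64 PEM body decoded), and then shells out to xmlsec1, which is assumed to be installed, to verify the enveloped XML signature on a metadata document. The file paths, the `root_element` parameter and the function names are this example's own.

```python
"""Pin the AAF metadata signing certificate and verify a signed metadata document.

Added example, not AAF tooling. Standard library only for the pinning step; the
signature check shells out to xmlsec1 (assumed installed).
"""
import base64
import hashlib
import hmac
import re
import subprocess
import sys

AAF_METADATA_CERT_URL = "https://md.aaf.edu.au/aaf-metadata-certificate.pem"
# Fingerprint published on the AAF page; compare against this pinned value,
# never against whatever the downloaded file happens to say about itself.
AAF_METADATA_CERT_SHA1 = "E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A"

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    # The PEM body is base64 with line breaks; strip all whitespace before decoding.
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def sha1_fingerprint(pem: bytes) -> str:
    """Colon-separated upper-case SHA-1 fingerprint, formatted as openssl x509 prints it."""
    hexdigest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_pinned_certificate(pem: bytes, expected: str = AAF_METADATA_CERT_SHA1) -> bool:
    """True only if the certificate's fingerprint equals the pinned value."""
    return hmac.compare_digest(sha1_fingerprint(pem), expected.upper())


def load_trusted_certificate(cert_path: str) -> bytes:
    """Read the downloaded certificate and refuse it unless the fingerprint matches."""
    with open(cert_path, "rb") as fh:
        pem = fh.read()
    if not check_pinned_certificate(pem):
        raise RuntimeError(
            f"{cert_path} has fingerprint {sha1_fingerprint(pem)}, "
            f"expected {AAF_METADATA_CERT_SHA1}; refusing to use it"
        )
    return pem


def verify_metadata_signature(metadata_path: str, cert_path: str,
                              root_element: str = "EntitiesDescriptor") -> bool:
    """Verify the enveloped XML signature on a metadata document with xmlsec1.

    --pubkey-cert-pem takes the public key straight from the pinned certificate,
    so no CA chain is involved. --id-attr tells xmlsec1 which element carries the
    ID attribute that the signature's Reference URI points at: the aggregate
    documents are rooted at EntitiesDescriptor, while a single-entity MDQ
    response is rooted at EntityDescriptor (pass root_element="EntityDescriptor").
    """
    cmd = [
        "xmlsec1", "--verify",
        "--pubkey-cert-pem", cert_path,
        "--id-attr:ID", f"{SAML_MD_NS}:{root_element}",
        metadata_path,
    ]
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == "__main__":
    # Usage: verify_aaf.py aaf-metadata-certificate.pem aaf-metadata.xml
    cert_file, metadata_file = sys.argv[1], sys.argv[2]
    load_trusted_certificate(cert_file)
    ok = verify_metadata_signature(metadata_file, cert_file)
    print("signature OK" if ok else "SIGNATURE INVALID")
    sys.exit(0 if ok else 1)
```

Run it after downloading both files; a non-zero exit means either the certificate is not the pinned one or the signature did not verify, and in both cases the metadata should be discarded rather than loaded.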

MDQ caveats

The AAF's MDQ endpoints largely conform to the Metadata Query Protocol specifications, with a few deviations documented below.

Deviations

Base Protocol 3.2.2: Request All Entities

According to the specification, the responder should answer a request for /entities with every entity it knows about. Instead, it responds 404 Not Found. This is a cost optimisation, as serving the full aggregate through MDQ is expensive. Subscribers that need every entity should retrieve the signed aggregate documents listed above instead.

Base Protocol 4.3: Content Compression

According to the specification, the responder should support gzip content compression. It does not, so clients must be able to consume uncompressed responses. We aim to support gzip in the future.

SAML Profile 2.2.2: Transformed Identifier

According to the specification, the responder should accept SHA-1 transformed identifiers. For example, a request for {sha1}11d72e8cf351eb6c75c721e838f469677ab41bdb should be treated as a request for http://example.org/service. Instead, every request that uses a {sha1} identifier returns 404 Not Found; request entities by their plain, percent-encoded entityID. This is for cost optimisation purposes.
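A client that talks to these endpoints therefore needs to build per-entity request URLs correctly, send the plain entityID rather than a {sha1} form, and treat a 404 as "unknown entity" rather than retrying with the transformed identifier. The following is an added example, not AAF's own client code: it shows the URL construction (the entityID percent-encoded with nothing left unescaped), computes the transformed identifier from the SAML profile purely to show what the AAF responders reject, refuses http base URLs outright, and fetches a single entity with the standard library. The function names and the example entityID `https://idp.example.edu/idp/shibboleth` are this example's own.

```python
"""MDQ request helpers for the AAF endpoints.

Added example, not AAF's own client. Python 3 standard library only. The MDQ
"all entities" request (/entities with no identifier) is deliberately absent:
the AAF responders answer it with 404, and the signed aggregate documents are
the supported way to obtain everything.
"""
import hashlib
import urllib.error
import urllib.parse
import urllib.request

AAF_MDQ = "https://md.aaf.edu.au/mdq/aaf/"
AAF_AND_EDUGAIN_MDQ = "https://md.aaf.edu.au/mdq/aaf_and_edugain/"
MDQ_CONTENT_TYPE = "application/samlmetadata+xml"


def mdq_entity_url(base_url: str, entity_id: str) -> str:
    """Build the MDQ URL for one entity.

    The entityID is percent-encoded with no characters left unescaped, so
    "https://idp.example.edu/idp/shibboleth" becomes
    "https%3A%2F%2Fidp.example.edu%2Fidp%2Fshibboleth". Only https base URLs
    are accepted: the AAF endpoints redirect http, but a client should never
    have issued the request in clear in the first place.
    """
    if not base_url.startswith("https://"):
        raise ValueError("MDQ base URL must be https")
    if not base_url.endswith("/"):
        base_url += "/"
    return base_url + "entities/" + urllib.parse.quote(entity_id, safe="")


def sha1_transformed_id(entity_id: str) -> str:
    """SHA-1 transformed identifier from the MDQ SAML profile, e.g. {sha1}11d7...

    Included only to show what the AAF responders do not accept: a request
    built from this value returns 404 Not Found, so always use the plain
    entityID with the AAF.
    """
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def fetch_entity(base_url: str, entity_id: str, timeout: float = 10.0) -> bytes:
    """Fetch one entity's metadata from an MDQ responder.

    Returns the raw, still unverified XML; the caller must verify its
    signature against the pinned AAF certificate before using it. urllib
    sends no Accept-Encoding header, so the responder's lack of gzip support
    never comes into play here.
    """
    request = urllib.request.Request(
        mdq_entity_url(base_url, entity_id),
        headers={"Accept": MDQ_CONTENT_TYPE},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            # Unknown entity (or a {sha1} identifier, which the AAF rejects).
            raise LookupError(f"{entity_id!r} is not served by {base_url}") from err
        raise


if __name__ == "__main__":
    # Constructed example entityID; replace with a real one from the federation.
    example_id = "https://idp.example.edu/idp/shibboleth"
    print(mdq_entity_url(AAF_MDQ, example_id))
    print("transformed form the AAF will 404:", sha1_transformed_id(example_id))
```

The `sha1_transformed_id` helper reproduces the spec's own worked example: for `http://example.org/service` it yields `{sha1}11d72e8cf351eb6c75c721e838f469677ab41bdb`, the value quoted in the deviation above.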



Even where the AAF's endpoints accept noncompliant requests, subscribers SHOULD aim to conform fully to the specifications. Noncompliant requests which are accepted today may be rejected tomorrow.