Import the CA certificate, per https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass, with the following command, which MUST be run by root (it writes the cacerts file):
{{{
# prompts for the cacerts keystore password
keytool -import -trustcacerts -alias "sensible-name-for-ca" \
    -file directory.crt -keystore $JAVA_HOME/lib/security/cacerts
}}}

==== !DataConnector Failover ====
If the data connector encounters an error when trying to retrieve attribute information from the database, one or more failover data connectors can be defined. These connectors are only invoked if this data connector fails (not if it simply finds no results), and they are invoked in the order they are listed until one succeeds.

N.B.: if the !DataConnector as a whole fails, UA experience has been that the attribute resolution process aborts and the SAML assertion has no attributes. A more robust option is to define a failover "static data connector" that returns no attributes or static-value attributes but does not abort the attribute resolver.

Failover connectors are defined by the <resolver:FailoverDataConnector> element with a ref attribute whose value is the unique ID of the data connector to use in the event that this one fails.

Basic Relational Database Data Connector Definition with Dependencies
{{{
<resolver:DataConnector xsi:type="dc:RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <resolver:FailoverDataConnector ref="CONNECTOR_ID_1" />

    <!-- Remaining configuration from the next steps goes here -->

</resolver:DataConnector>
}}}
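The failover arrangement the N.B. above recommends, written out as an added example (not this page's or the Shibboleth project's own configuration): a relational database connector whose failover target is a static connector, plus one attribute definition that draws on it. Connector IDs, the JDBC URL, account name, table and query are placeholders, and the fragment assumes the `xsi`, `resolver`, `ad` and `enc` prefixes are declared on the root of attribute-resolver.xml as in a stock IdP 2.x install.

```xml
<!-- Added example for attribute-resolver.xml (Shibboleth IdP 2.x syntax).
     All IDs, hostnames, credentials and the query are placeholders. -->
<resolver:DataConnector id="studentDB" xsi:type="dc:RelationalDatabase"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc">

    <!-- Only consulted when the query cannot be run at all (driver, connection
         or SQL error). An empty result set is not a failure and does not
         trigger failover. -->
    <resolver:FailoverDataConnector ref="studentDBFallback" />

    <!-- Use a read-only account limited to SELECT on this table; the password
         sits in clear text here, so keep the file readable by the IdP only. -->
    <ApplicationManagedConnection jdbcDriver="org.postgresql.Driver"
                                  jdbcURL="jdbc:postgresql://db.example.org/sis"
                                  jdbcUserName="idp_readonly"
                                  jdbcPassword="CHANGE_ME" />

    <QueryTemplate>
        <![CDATA[
            SELECT affiliation FROM student
            WHERE userid = '$requestContext.principalName'
        ]]>
    </QueryTemplate>

    <Column columnName="affiliation" attributeID="eduPersonAffiliation" />
</resolver:DataConnector>

<!-- Failover target: a static connector that always succeeds. It emits the
     same attribute ID as the Column above, so definitions that depend on
     studentDB still resolve (with a deliberately conservative value) while
     the database is unreachable, and the assertion is not left empty. -->
<resolver:DataConnector id="studentDBFallback" xsi:type="dc:Static"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <Attribute id="eduPersonAffiliation">
        <Value>affiliate</Value>
    </Attribute>
</resolver:DataConnector>

<!-- Definition sourced from the database connector; during failover its
     value comes from studentDBFallback instead. -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="studentDB" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                               friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>
```

Pick the static value so that a relying party granting access on it while the database is down gets no more than it would from a user the database knows nothing about; "affiliate" is used here as that kind of floor, not as a recommendation for any particular deployment.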