The Shibboleth Identity Provider has a variety of admin APIs that are frequently overlooked. For many administrators the only time they access the admin APIs is when using some of the tools bundled with the IdP, such as mdquery, which can sometimes be fiddly to use even on the same server as the IdP. Shin aims to offer the same functionality as the bundled admin scripts but as an Elixir library suitable for use in scripts and web services.
The admin APIs of the Shibboleth IdP allow you to:
- Look up the attributes that will be released for a particular user: this is incredibly useful when configuring or debugging attribute release filters and attributes.
- Fetch metadata for SPs from the IdP itself - handy to check that the correct version is being used, or to warm metadata caches.
- Get live status metrics on things like RAM usage, number of logins, Java versions and even custom stats.
- Lock out abusive users, or remove locks.
- Restart individual components (services) within the IdP without restarting the entire IdP - incredibly useful when making changes while avoiding a service outage.
Mimoto will be using Shin in some new products planned for next year but it’s easy to use in small scripts too - there’s an example in the GitHub repository.
We’ve included a Livebook of example code so you can easily try Shin with your own Shibboleth service.
(You can get Livebook here)