ANSWERED: Re: Should/Can SPs in multiple fed. metadata files use the same entityid for both?

Chris Phillips Chris.Phillips at canarie.ca
Thu Aug 18 22:30:04 BST 2011


Thanks Scott, that covers the bases.

Chris.

On 11-08-18 4:11 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>On 8/18/11 4:03 PM, "Chris Phillips" <Chris.Phillips at canarie.ca> wrote:
>>
>>Checked out the archives and poked around the shib wiki and to me it
>>looks like an SP that belongs to more than one federation should use the
>>Chaining MetadataProvider configuration[1] to have both federations'
>>metadata available to the SP for evaluation.
>
>The Chaining is optional now, you can put more than one into the file
>regardless, but yes.
>
>>The question I have is:
>>Can the SP be present with the same entityID in two (or more) metadata
>>files from different federations provided the entityID record contents
>>are identical and used in the identical fashion?
>
>The SP never uses its own metadata, under any circumstances.
>
>>"While there is some limited capability for controlling the handling of
>>duplicate entities, it is explicitly NOT supported for a single entityID
>>to appear more than once with the same valid role, and the software will
>>NOT behave predictably in such a case. In other words, if the same entity
>>supports a given role, its metadata MUST be identical in all chained
>>sources."
>
>It's referring to IdPs.
>
>>Can someone chime in on what an SP provider should do with their metadata
>>to be included in multiple federations and if the Chaining
>>MetadataProvider is not the right way, what is the right way?
>
>Essentially, it's irrelevant to the SP (software) how its metadata is
>handled. Where it gets very ugly is when you start using different names
>with different partners, choosing different keys, etc. Then you better
>know exactly how the metadata differs across federations, but you still
>don't provide that metadata to the SP itself (or it's ignored when you
>do).
>
>>Should it be a different entityID per federation metadata file?
>
>Very bad idea.
>
>>Can it be the same entityID for all federation metadata files?
>
>Much better idea.
>
>-- Scott
>
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
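As an added illustration (not part of the thread or of the Shibboleth project's own documentation), here is a shibboleth2.xml fragment that loads two federations' metadata side by side, the configuration the exchange above is about; the federation URLs, backing file names and signing certificate file names are placeholders.

```xml
<!-- Added example, not from the thread: two federations' metadata loaded
     side by side in shibboleth2.xml. URLs, file names and certificate
     names are placeholders. The Chaining wrapper is optional in recent
     SP versions (as Scott notes), but it makes the grouping explicit. -->
<MetadataProvider type="Chaining">

  <!-- Federation A: fetch over HTTPS, keep a local backup copy,
       and re-check the feed at most every two hours -->
  <MetadataProvider type="XML" validate="true"
      url="https://federation-a.example/metadata.xml"
      backingFilePath="federation-a.xml" maxRefreshDelay="7200">
    <!-- Refuse a feed whose validUntil is more than 28 days out,
         so a stale copy cannot be replayed indefinitely -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <!-- Verify the federation operator's signature using a certificate
         obtained out of band, not from the feed itself -->
    <MetadataFilter type="Signature" certificate="federation-a-signer.pem"
        verifyBackup="false"/>
  </MetadataProvider>

  <!-- Federation B: same pattern, but its own signing certificate.
       Both feeds may carry this SP's own EntityDescriptor under the same
       entityID; the SP never consumes its own metadata, so that
       duplicate is harmless. The IdP entries must not collide. -->
  <MetadataProvider type="XML" validate="true"
      url="https://federation-b.example/metadata.xml"
      backingFilePath="federation-b.xml" maxRefreshDelay="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="federation-b-signer.pem"
        verifyBackup="false"/>
  </MetadataProvider>

</MetadataProvider>
```

The point to check when publishing to both federations is the one Scott raises: the descriptor you register (entityID, keys, endpoints) should be identical in each feed, since the SP itself will not reconcile any differences for you.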



More information about the users mailing list