Application Stages and Metadata Generation

Cantor, Scott cantor.2 at osu.edu
Tue Nov 8 01:12:40 GMT 2011


On 11/7/11 5:03 PM, "Jonathan Champ" <jonathan_champ at ncsu.edu> wrote:
>
>The issue that I don't know how to solve is what I should send to the
>IdP. My original plan was to group it by logical application such that
>the Metadata for the entityID https://myapp.example.com/shibboleth would
>have the ACS endpoints for https://myapp.example.com/,
>https://myapp-qa.example.com/ and https://myapp-dev.example.com/. Then,
>I would have a second EntityDescriptor for the hostedapps* hosts.

That's a fairly typical approach.

>Is this possible?

Yes.

> It seems like this would be the recommended behavior,
>so that the IdP Metadata doesn't gain an entity for each stage of each
>logical application.

There is no "recommended" approach because it's not a technical question,
it's policy and organization of systems and policies pertaining to them.
Even if you do this, it doesn't answer questions like whether to share
credentials or not. This is art, not science. If you want it to be a
science, then you'd use a separate entityID and keypair for every vhost.
Anything else is subjective by nature. Some approaches would seem more
sensible than others, but there's not going to be universal agreement.

>Please let me know what is recommended as none of the examples I found
>on the Shibboleth 2.x wiki provided any example of the way to implement
>the given requirement: "Note that each virtual host (combination of
>scheme, hostname, and port) operating within a particular SP MUST have
>its own set of endpoints expressed in the metadata."

I don't know what you're looking for exactly, but your statement above
suggests you understood the requirement.

So, what's your question?

-- Scott
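An added example, not code from this thread or from the Shibboleth project: it builds the single-entityID metadata Jonathan describes (one EntityDescriptor carrying AssertionConsumerService endpoints for the production, QA and dev hosts) and then checks that every virtual host has its own endpoint set, as the quoted requirement demands. The handler paths and bindings are the Shibboleth SP defaults; the host names are constructed.

```python
# Added example (not from the thread): build one SP EntityDescriptor whose
# AssertionConsumerService endpoints cover several virtual hosts, then check
# that every vhost has its own endpoints, as the quoted requirement demands.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)

# Shibboleth SP default handler paths and the SAML bindings they serve.
ACS_HANDLERS = [
    ("/Shibboleth.sso/SAML2/POST", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
    ("/Shibboleth.sso/SAML2/Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"),
]

def build_sp_metadata(entity_id, vhosts):
    """One entityID, one SPSSODescriptor, a full ACS set per vhost origin
    (scheme://host[:port]); index values must be unique within the descriptor."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    index = 0
    for origin in vhosts:
        for path, binding in ACS_HANDLERS:
            ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                          Binding=binding, Location=origin.rstrip("/") + path,
                          index=str(index), isDefault="true" if index == 0 else "false")
            index += 1
    return ET.tostring(ed, encoding="unicode")

def endpoints_per_vhost(metadata_xml):
    """Group ACS Locations by vhost origin so a reviewer can confirm that each
    host the SP answers on has its own endpoints."""
    by_vhost = {}
    for acs in ET.fromstring(metadata_xml).iter(f"{{{MD}}}AssertionConsumerService"):
        loc = acs.get("Location")
        u = urlparse(loc)
        by_vhost.setdefault(f"{u.scheme}://{u.netloc}", []).append(loc)
    return by_vhost

def missing_vhosts(metadata_xml, expected_vhosts):
    """Vhosts with no endpoint in the metadata: an IdP that validates requests
    against metadata will not send assertions to a Location it does not list."""
    present = endpoints_per_vhost(metadata_xml)
    return [v for v in expected_vhosts if v.rstrip("/") not in present]

if __name__ == "__main__":  # constructed values mirroring the thread's host names
    hosts = ["https://myapp.example.com", "https://myapp-qa.example.com",
             "https://myapp-dev.example.com"]
    print(missing_vhosts(build_sp_metadata("https://myapp.example.com/shibboleth", hosts), hosts))
```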
