Application Stages and Metadata Generation

Jonathan Champ jonathan_champ at
Tue Nov 8 14:18:09 GMT 2011

On 11/07/2011 08:12 PM, Cantor, Scott wrote:
> On 11/7/11 5:03 PM, "Jonathan Champ" wrote:
>> The issue that I don't know how to solve is what I should send to the
>> IdP. My original plan was to group it by logical application such that
>> the Metadata for the entityID would
>> have the ACS endpoints for,
>> and Then,
>> I would have a second EntityDescriptor for the hostedapps* hosts.
> That's a fairly typical approach.
>> Is this possible?
> Yes.
>> It seems like this would be the recommended behavior,
>> so that the IdP Metadata doesn't gain an entity for each stage of each
>> logical application.
> There is no "recommended" approach because it's not a technical question,
> it's policy and organization of systems and policies pertaining to them.
> Even if you do this, it doesn't answer questions like whether to share
> credentials or not. This is art, not science. If you want it to be a
> science, then you'd use a separate entityID and keypair for every vhost.
> Anything else is subjective by nature. Some approaches would seem more
> sensible than others, but there's not going to be universal agreement.
>> Please let me know what is recommended as none of the examples I found
>> on the Shibboleth 2.x wiki provided any example of the way to implement
>> the given requirement: "Note that each virtual host (combination of
>> scheme, hostname, and port) operating within a particular SP MUST have
>> its own set of endpoints expressed in the metadata."
> I don't know what you're looking for exactly, but your statement above
> suggests you understood the requirement.
> So, what's your question?

My questions are: What does a correct example of SP Metadata look like
for the situation I described? Is the only way to generate the correct
metadata by hand or is there a way to describe the multi-stage situation
in the /etc/shibboleth configuration files?

I started with the Shibboleth.sso/Metadata xml and duplicated the
AssertionConsumerService definitions, replacing
with in the duplicates and then renumbered them
from 0-5 to 6-11 so that they would all have unique indices. The
remaining instances of are in the
RequestInitiator, ArtifactResolutionService and SingleLogoutService
definitions. Only the ArtifactResolutionService has an index, but should
I duplicate all of those rows to create a
equivalent? How does the IdP know which pieces of this information
should be given attention? Does it only use the SP Metadata as a
whitelist of possible input values and is not responsible for choosing
which endpoint to contact on the SP?

Current status:

Thank you,

Jonathan Champ

More information about the users mailing list