Application Stages and Metadata Generation
Jonathan Champ
jonathan_champ at ncsu.edu
Tue Nov 8 22:17:03 GMT 2011
On 11/08/2011 10:19 AM, Tom Scavo wrote:
> Some comments:
>
> - You can remove "urn:oasis:names:tc:SAML:1.0:protocol" since it is
> mutually exclusive with "urn:oasis:names:tc:SAML:1.1:protocol".
>
> - You can remove <ds:KeyName> and <ds:X509SubjectName> elements.
>
> - I only know of one IdP implementation (not Shib) that will consume
> an artifact, so you can probably remove the
> <md:ArtifactResolutionService> element.
>
> - Same comment for the <md:SingleLogoutService> elements.
>
> Hope this helps,
> Tom
Realizing that all of these items were not usually necessary helped a
lot in identifying what really was necessary. Did some more searching
and found a discussion about the RequestInitiator in the Shib Users
archive where Scott confirms my suspicions that the Metadata handler
*should never be used directly* and is a testing tool to assist in the
initial production of sample metadata. All of the items you mentioned
removing are not generated by the metagen.sh file if run as follows:
sh metagen.sh -12A -c sp-cert.pem -h myapp.example.com -e
https://myapp.example.com/shibboleth
On 11/08/2011 12:02 PM, Cantor, Scott wrote:
> I suspect there are examples in the federation metadata scattered
> around various countries, such as InCommon's.
This was very helpful as well. I had not expected so many actual
production examples to be sitting there available. The one that stood
out was https://review.ap.uci.edu/shibboleth-sp which had 5 stages for
their application.
I believe my problem is solved.
Thank you,
Jonathan Champ
More information about the users
mailing list