Application Stages and Metadata Generation

Jonathan Champ jonathan_champ at
Tue Nov 8 22:17:03 GMT 2011

On 11/08/2011 10:19 AM, Tom Scavo wrote:
> Some comments:
> - You can remove "urn:oasis:names:tc:SAML:1.0:protocol" since it is
> mutually exclusive with "urn:oasis:names:tc:SAML:1.1:protocol".
> - You can remove <ds:KeyName> and <ds:X509SubjectName> elements.
> - I only know of one IdP implementation (not Shib) that will consume
> an artifact, so you can probably remove the
> <md:ArtifactResolutionService> element.
> - Same comment for the <md:SingleLogoutService> elements.
> Hope this helps,
> Tom

Realizing that all of these items were not usually necessary helped a
lot in identifying what really was necessary. Did some more searching
and found a discussion about the RequestInitiator in the Shib Users
archive where Scott confirms my suspicions that the Metadata handler
*should never be used directly* and is a testing tool to assist in the
initial production of sample metadata. All of the items you mentioned
removing are not generated by the file if run as follows:

sh -12A -c sp-cert.pem -h -e

On 11/08/2011 12:02 PM, Cantor, Scott wrote:
> I suspect there are examples in the federation metadata scattered
> around various countries, such as InCommon's.

This was very helpful as well. I had not expected so many actual
production examples to be sitting there available. The one that stood
out was which had 5 stages for
their application.

I believe my problem is solved.

Thank you,

Jonathan Champ

More information about the users mailing list