Application Stages and Metadata Generation
jonathan_champ at ncsu.edu
Tue Nov 8 22:17:03 GMT 2011
On 11/08/2011 10:19 AM, Tom Scavo wrote:
> Some comments:
> - You can remove "urn:oasis:names:tc:SAML:1.0:protocol" since it is
> mutually exclusive with "urn:oasis:names:tc:SAML:1.1:protocol".
> - You can remove <ds:KeyName> and <ds:X509SubjectName> elements.
> - I only know of one IdP implementation (not Shib) that will consume
> an artifact, so you can probably remove the
> <md:ArtifactResolutionService> element.
> - Same comment for the <md:SingleLogoutService> elements.
> Hope this helps,
Realizing that all of these items were not usually necessary helped a
lot in identifying what really was necessary. Did some more searching
and found a discussion about the RequestInitiator in the Shib Users
archive where Scott confirms my suspicions that the Metadata handler
*should never be used directly* and is a testing tool to assist in the
initial production of sample metadata. All of the items you mentioned
removing are not generated by the metagen.sh file if run as follows:
sh metagen.sh -12A -c sp-cert.pem -h myapp.example.com -e
On 11/08/2011 12:02 PM, Cantor, Scott wrote:
> I suspect there are examples in the federation metadata scattered
> around various countries, such as InCommon's.
This was very helpful as well. I had not expected so many actual
production examples to be sitting there available. The one that stood
out was https://review.ap.uci.edu/shibboleth-sp which had 5 stages for
I believe my problem is solved.
More information about the users