documentation regarding ApplicationOverrides and metadata generator
cantor.2 at osu.edu
Mon Aug 20 19:43:39 EDT 2012
On 8/20/12 6:49 PM, "csross" <cross at hccs.com> wrote:
>I have multiple v2.4.3 SPs and each defined in an ApplicationOverride and
>vhost and I am able to bring up metadata for each SP. The documentation
>indicates this below but it doesn't say what will be wrong or missing.
Lots of advanced features, policy flags, keys during credential rollovers
(you CANNOT safely migrate keys using only generated metadata), contact
information, new extensions. Many, many things. None of that has anything
to do with overrides particularly.
The point about overrides is that by definition a request to a handler is
talking to one application, period, and so by definition you can't be
incorporating input coming from the others, whatever that input is. There
is no way to answer the specific question unless the purpose of the
overrides is made clear.
>One of the SPs was originally the only one (v2.2) so it was defined as the
>ApplicationDefault and the metadata looks very similar. After upgrading
>and switching to ApplicationOverrides, I generated the metadata in the
>way (https://site.site.com/Shibboleth.sso/Metadata) and sent it to the IDP
>admin. The IDP is shibboleth and the admin said it looked fine. The site
>is working too.
That's usually a sign the override isn't/wasn't needed.
>NOTE: In the metadata when 1 SP as ApplicationDefault was used, the X509
>certificate is different, there is an extra certificate md:KeyDescriptor
>use="signing" and there are these lines
That's not because of the overrides, that's a question of configuration
differences and version differences. You do not need and should not
advertise NameID management endpoints. If you don't know what they do, you
don't have them. That goes for essentially everything in the metadata.
As a starting point, you should be able to understand the differences. If
you can't do that, I would strongly urge that you read the specification.
There's no other advice I can give but to do that. There's no book to
read, or I would give you a link to it.
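As an added illustration of the gaps described in this reply (it is not code from the thread or from the Shibboleth project), the following script reviews an SP metadata document for three of the things mentioned above: whether it carries more than one signing certificate (a single key means a rollover cannot be done with that metadata alone), whether it advertises ManageNameIDService endpoints, and whether it has any ContactPerson information. The two metadata documents embedded in it are constructed samples; the entityID, handler paths and certificate contents are hypothetical placeholders, not real certificates. Only the standard SAML 2.0 metadata and XML-DSig namespaces are relied on.

```python
"""Review a SAML 2.0 SP metadata document for common gaps in generated metadata.

Added example; sample documents below are constructed and hypothetical.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample resembling handler-generated metadata: one signing key,
# a NameID management endpoint, no contact information. Placeholder values only.
GENERATED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>b2xkLWNlcnQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/NIM/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of hand-maintained metadata prepared for a key rollover:
# old and new signing keys both present, no NameID management, a contact listed.
ROLLOVER_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>b2xkLWNlcnQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>bmV3LWNlcnQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:sp-admin@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def signing_cert_fingerprints(xml_text: str) -> list[str]:
    """SHA-256 fingerprints of every certificate usable for signing.

    A KeyDescriptor with no "use" attribute serves both signing and encryption,
    so it is counted as a signing key.
    """
    root = ET.fromstring(xml_text)
    fingerprints = []
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def review_sp_metadata(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    if len(signing_cert_fingerprints(xml_text)) < 2:
        findings.append("only one signing certificate: a key rollover needs old and new keys published together")
    if root.findall(".//md:ManageNameIDService", NS):
        findings.append("advertises ManageNameIDService endpoints: drop them unless NameID management is actually used")
    if not root.findall("md:ContactPerson", NS):
        findings.append("no ContactPerson element: the IdP operator has nobody to contact")
    return findings


if __name__ == "__main__":
    for label, doc in (("generated", GENERATED_METADATA), ("rollover", ROLLOVER_METADATA)):
        print(f"{label}: {len(signing_cert_fingerprints(doc))} signing cert(s)")
        for finding in review_sp_metadata(doc) or ["no findings"]:
            print("  -", finding)
```

Run it against a real metadata file by reading the file into a string and passing it to `review_sp_metadata`; the fingerprints returned by `signing_cert_fingerprints` are what an IdP admin would compare against the keys already registered for the SP during a rollover.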