Updating Generated IdP metadata?

David Gersic dgersic at niu.edu
Fri Jan 6 20:49:13 GMT 2012


>>> On 1/6/2012 at 02:37 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote: 
> On 1/6/12 3:17 PM, "David Gersic" <dgersic at niu.edu> wrote:
>>
>>which I believe I need to do, but this document doesn't say how to do so.
>>How, exactly, does one go about updating the generated IdP metadata?
> 
> The metadata consumed by the IdP about itself from that local file isn't
> significant outside of a few edge cases, what generally matters is what
> you provide externally. The file on disk happens to be used to serve the
> file via a URL, but as with the SP generator, that's not meant as part of
> a production trust exchange.

Right now, I'm using testshib.org. Eventually, incommon.org is my goal, but testshib.org is faster for testing.

In the IdP metadata (idp-metadata.xml), the URLs are wrong. If that's one of the "edge cases", then I've hit one.


> There is no abstraction in Shibboleth with metadata. You have to deal with
> it directly, consuming and producing it. The specifics depend on your
> trust model and federated arrangements. If you're looking for some kind of
> aid, there isn't one. It's XML, and the metadata is standard SAML metadata
> as profiled by the various specifications we document on our technical
> specs page.

So it's safe to just edit the idp-metadata.xml file to correct the URLs in it? If so, yeah, no problem, I can do that. It wasn't clear from the docs whether this was the correct way to update this, or if there was some other process or procedure to follow.


> As a general matter, you don't just edit some file somewhere. There has to
> be a metadata exchange. How that happens is very deployment specific. If
> (being a .edu) you're using InCommon, then the web interface it offers is
> how metadata gets modified.

It looks to me like testshib.org is picking up the contents of the idp-metadata.xml file when I add the IdP to their configuration. Using the "edit xml" there is where I spotted the incorrect URLs in the first place, which led me to looking for where they were coming from.
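The checks below are an added example for readers of this thread, not code from either poster or from the Shibboleth project. Before pasting generated IdP metadata into a federation's "edit xml" form, it helps to verify that every endpoint Location in it points at the public IdP hostname over https; the sample metadata, the `idp.example.edu` hostname and the `localhost` defaults are all constructed for the example.

```python
"""Sanity-check and correct the endpoint URLs in SAML 2.0 IdP metadata
before publishing it to a federation (testshib.org, InCommon, ...).

Added example, not Shibboleth project code. Hostnames are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

# Elements whose Location/ResponseLocation attributes SPs will actually contact.
ENDPOINT_TAGS = (
    "SingleSignOnService", "SingleLogoutService",
    "ArtifactResolutionService", "AttributeService",
)

# Constructed sample: roughly what a freshly generated idp-metadata.xml looks
# like when the install-time hostname was wrong (here "localhost").
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://localhost:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://localhost:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def iter_endpoints(root):
    """Yield (tag, attribute name, url) for every endpoint URL in the metadata."""
    for tag in ENDPOINT_TAGS:
        for elem in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                if attr in elem.attrib:
                    yield tag, attr, elem.attrib[attr]


def check_endpoints(xml_text, expected_host):
    """Return a list of problems: endpoints not on expected_host or not https."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != expected_host:
        problems.append(f"entityID host is not {expected_host}: {entity_id}")
    for tag, attr, url in iter_endpoints(root):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{tag}/{attr} is not https: {url}")
        if parsed.hostname != expected_host:
            problems.append(f"{tag}/{attr} host is not {expected_host}: {url}")
    return problems


def rewrite_host(xml_text, old_host, new_host):
    """Return the metadata with old_host replaced by new_host in every endpoint
    URL. Scheme, port and path are left alone, so a stray http:// endpoint
    still shows up in check_endpoints() afterwards."""
    root = ET.fromstring(xml_text)
    for tag in ENDPOINT_TAGS:
        for elem in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                url = elem.attrib.get(attr)
                if url and urlparse(url).hostname == old_host:
                    p = urlparse(url)
                    netloc = new_host + (f":{p.port}" if p.port else "")
                    elem.set(attr, p._replace(netloc=netloc).geturl())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem in check_endpoints(SAMPLE_METADATA, "idp.example.edu"):
        print("PROBLEM:", problem)
    fixed = rewrite_host(SAMPLE_METADATA, "localhost", "idp.example.edu")
    print("remaining after host rewrite:",
          check_endpoints(fixed, "idp.example.edu"))
```

Run it against the real idp-metadata.xml by reading the file into `check_endpoints()` with the IdP's public hostname. The host rewrite deliberately does not touch the URL scheme, so the one http:// endpoint in the sample is still reported afterwards; that is the sort of thing worth catching before the metadata is handed to a federation.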