Documentation of IdP security:Rule declarations? (relying-party.xml)

Ian Young ian at iay.org.uk
Thu Aug 29 17:01:57 EDT 2013


On 29 Aug 2013, at 21:13, "Erdos, Marlena" <marlena_erdos at harvard.edu> wrote:

> Someone here at Harvard who works for our IT security group has asked for
> a line by line description and explanation of each of the security rules
> in relying-party.xml .

If there isn't an explanation in the wiki (and there probably isn't for something this low level) then reading the source (or at least the Javadoc for the associated classes) is going to be the way to gain insight.  Whether that's worth doing depends on what your colleague is planning to do with the knowledge.  In particular, if he's trying to assess whether this part of the configuration should be changed, the answer is almost certainly that it should not, even if you have read the source.

In short, these tend to be what one might call "mandatory defaults".  They're not being exposed because we expect deployers to tweak them; they are essentially part of the source themselves.  That's indicated rather indirectly in the config file because they are below the line that says "DO NOT EDIT BELOW THIS POINT".  There's a line of argument that says that settings like this ought never to be in the same files as user configuration, and I think the plan is to go more in that direction in V3.

	-- Ian
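An added example, not from this post or from the Shibboleth project: a small Python script that gives an IT security reviewer the two things they can usefully do with this part of relying-party.xml without editing it, namely an inventory of the security:Rule xsi:type values under each SecurityPolicy (each type names a class whose Javadoc explains the rule, which is the "read the source" route above), and a baseline digest of everything below the "DO NOT EDIT BELOW THIS POINT" marker so that drift in the mandatory defaults is caught. The namespace URIs, the policy id and the rule type names in the embedded sample are assumptions and constructed placeholders, not a transcription of the shipped file.

```python
"""Inventory and baseline check for the security policy rules in an IdP v2
relying-party.xml.  Added example, not Shibboleth project code.

Assumptions (not taken from the mailing-list post):
  * the namespace URIs below are those of the IdP v2 relying-party and
    security schemas;
  * the "DO NOT EDIT BELOW THIS POINT" marker sits in an XML comment and
    everything from that line to end of file is the protected region;
  * the policy id and rule types in the sample are constructed placeholders,
    not the shipped defaults.
"""
import hashlib
import xml.etree.ElementTree as ET

SECURITY_NS = "urn:mace:shibboleth:2.0:security"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
MARKER = "DO NOT EDIT BELOW THIS POINT"

# Constructed sample file, trimmed to what the checks below need.
SAMPLE_RELYING_PARTY_XML = """<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Deployer-editable part: relying party definitions go here. -->
    <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"/>

    <!-- ================================================== -->
    <!-- DO NOT EDIT BELOW THIS POINT -->
    <!-- ================================================== -->

    <security:SecurityPolicy id="shibboleth.ExamplePolicy"
        xsi:type="security:ShibbolethSecurityPolicy">
        <security:Rule xsi:type="security:Replay"/>
        <security:Rule xsi:type="security:IssueInstant"/>
        <security:Rule xsi:type="security:MandatoryIssuer"/>
    </security:SecurityPolicy>
</rp:RelyingPartyGroup>
"""


def split_at_marker(text):
    """Return (editable, protected): text before the marker line, and text
    from the start of the marker line to end of file.  A missing marker is
    itself a finding, so it raises rather than silently passing."""
    idx = text.find(MARKER)
    if idx < 0:
        raise ValueError("marker %r not found" % MARKER)
    line_start = text.rfind("\n", 0, idx) + 1
    return text[:line_start], text[line_start:]


def protected_region_digest(text):
    """SHA-256 of the protected region with indentation and blank lines
    normalised: reindenting does not trip the check, any rule change does."""
    _, protected = split_at_marker(text)
    lines = [ln.strip() for ln in protected.splitlines()]
    canonical = "\n".join(ln for ln in lines if ln)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_protected_region(text, expected_digest):
    """True only if the marker is present and the region below it matches a
    baseline digest taken from a known-good copy of the file."""
    try:
        return protected_region_digest(text) == expected_digest
    except ValueError:
        return False


def list_security_rules(text):
    """Map each SecurityPolicy id to the ordered list of its Rule xsi:types,
    i.e. the line-by-line inventory to look up against the Javadoc."""
    root = ET.fromstring(text)
    inventory = {}
    for policy in root.iter("{%s}SecurityPolicy" % SECURITY_NS):
        rules = [r.get(XSI_TYPE, "?")
                 for r in policy.findall("{%s}Rule" % SECURITY_NS)]
        inventory[policy.get("id")] = rules
    return inventory


def missing_rules(baseline, candidate):
    """Rules present in the baseline inventory but absent from the candidate.
    Dropping a rule silences a check, so this is the direction that matters."""
    gaps = {}
    for policy_id, rules in baseline.items():
        present = set(candidate.get(policy_id, []))
        lost = [r for r in rules if r not in present]
        if lost:
            gaps[policy_id] = lost
    return gaps


if __name__ == "__main__":
    baseline = protected_region_digest(SAMPLE_RELYING_PARTY_XML)
    for policy_id, rules in list_security_rules(SAMPLE_RELYING_PARTY_XML).items():
        print(policy_id)
        for rule in rules:
            print("   ", rule)
    print("protected region intact:",
          verify_protected_region(SAMPLE_RELYING_PARTY_XML, baseline))
```

Take the baseline digest from a pristine copy of the distribution's relying-party.xml for the same IdP version and keep it with the deployment; run the check in change control or as a periodic job. A digest mismatch only says the region changed; the inventory comparison says which rules were dropped, which is the edit that actually weakens the policy.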

