Configuring <md:EntityDescriptor> ID attribute
Ian Young
ian at iay.org.uk
Mon Feb 4 05:47:25 EST 2013
On 4 Feb 2013, at 10:29, Peter Schober <peter.schober at univie.ac.at> wrote:
> I don't think the ID on an individual entity will cause problems when
> being part of an EntitiesDescriptor (with a different ID).
Usually true, but the ID attributes on EntityDescriptor and EntitiesDescriptor are both "ID" type in the schema, which means that they have to be unique values across *all items of ID type* in the document. Duplication in any context would mean the document would fail schema validation.
Having said which:
* anyone doing aggregation of any kind (including a federation accepting individual registrations) should know this and strip all incoming IDs to avoid the obvious denial of service attack,
* the auto-generated metadata doesn't have an ID that looks like ID="_c0045678aa1b1e04e85d412f428ea95d2f627255" for no reason; duplication is improbable, to say the least.
The main reason the auto-generated metadata has an ID at all is to hang a signature on.
-- Ian
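An added example, not part of the thread or of any Shibboleth code, showing the two points above in working form: a document-wide check for duplicate xs:ID values, and an aggregator that strips incoming IDs before wrapping registrations in its own EntitiesDescriptor so that only the ID it will sign over remains. The entity fragments, the reused `_dup` ID and the aggregator ID `_agg1` are constructed; only the standard library is used.

```python
"""Check and strip xs:ID attributes in SAML metadata before aggregation."""
import xml.etree.ElementTree as ET
from collections import Counter

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample: three registrations, two of which reuse the same ID.
# A real aggregator would receive these as separate files or HTTP uploads.
INCOMING = [
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp" ID="_dup"/>',
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/sp" ID="_dup"/>',
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://other.example.org/sp" ID="_c0045678aa1b1e04e85d412f428ea95d2f627255"/>',
]


def duplicate_ids(root):
    """Return the ID values that occur more than once anywhere in the document.

    xs:ID uniqueness is document-wide, so every element is inspected (the
    EntitiesDescriptor root included), not just the EntityDescriptor children.
    """
    counts = Counter(el.get("ID") for el in root.iter() if el.get("ID") is not None)
    return sorted(value for value, n in counts.items() if n > 1)


def strip_ids(element):
    """Remove every ID attribute in the subtree; returns how many were removed."""
    removed = 0
    for el in element.iter():
        if "ID" in el.attrib:
            del el.attrib["ID"]
            removed += 1
    return removed


def aggregate(fragments, aggregate_id="_agg1", strip=True):
    """Wrap incoming EntityDescriptor fragments in one EntitiesDescriptor.

    With strip=True (the aggregator's mitigation) the incoming IDs are dropped,
    so the only ID left is the aggregator's own, which its signature references.
    With strip=False a colliding registration makes the output fail validation.
    """
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", {"ID": aggregate_id})
    for fragment in fragments:
        entity = ET.fromstring(fragment)
        if strip:
            strip_ids(entity)
        root.append(entity)
    return root
```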