Using Metadata in my App

Peter Schober peter.schober at univie.ac.at
Tue Mar 26 09:08:05 EDT 2013


* Andy Bennett <andyjpb at knodium.com> [2013-03-26 13:27]:
> >> What I'd really like to do is to prepopulate the IdP data in my
> >> app so that I have an App object for hanging other data off of
> >> such as "This IdP and these eMail domains identify users as
> >> belonging to this institution", "this is the
> >> name/logo/description of this institution" (for cases where it's
> >> not supplied by the IdP) and "these are App objects for users of
> >> this institution". i.e. data that I obtain through other sources.
> > 
> > The software doesn't keep you from doing any of that. Unless the
> > data is available to it in a standardized way (i.e., SAML
> > metadata) it won't make it magically appear, either.
> 
> So do I have to grovel for the Metadata files manually? The way I
> see it, the downloading and management of those Metadata files is
> the responsibility of the Shibboleth software so if I want to access
> them then I should be careful to do it in the way the software
> expects.

If the data you wanted were in the metadata you could use Shibboleth
to extract it, in the way the documentation (and my email) describes
it.
If it's not available the software won't be able to help you.
(No surprise here.)

Seems in most of the cases you're interested in you'll find elements
in SAML metadata that might seem usable, but probably shouldn't be
used as it is there for differing purposes, with different semantics
and might produce false positives (and certainly false negatives).

E.g. many institutions will have similar or the same strings (DNS
domains) listed in the shibmd:Scope element in SAML metadata as they
will accept email in. Still SAML metadata says nothing about email
domains. As such you probably shouldn't rely on the Scope from
metadata to assert membership with the institution the IdP is being
run for (I suppose the use-case is mapping subjects who registered for
your site with an institutional email address to an
institution?). Some Metadata TOUs might even forbid any other
"creative" uses of the data provided, fyi.

Same with the relationship of institutions and SAML IdPs (and maybe
legal entities). In most cases this will be 1:1 and rather stable.
Still there will be cases where this is not the case (as Tom pointed
out). Personally I find this less problematic than the email use case
above.

The other things seem to have less potential for misuse, IMHO, but
probably aren't available in the numbers you'd need in order to rely
on them (e.g. only about 1/4 of the institutions in the UKFAM have a
logo present, from a quick look, which is rather high, btw.)

> Is just "somehow" finding out the locations of those files and then
> reading them directly a legitimate thing to do? Do I have to
> manually handle the detection of when they become updated?

Those "files" are backup copies of remote metadata documents
configured into your software. The fact that backup copies exist has
internal operational reasons for the software and should be of no
concern for you. Personally I wouldn't base my own processing on these
files but then you'd also take on the responsibility to regularly
refresh and update metadata yourself.
But I have the impression we've established that SAML metadata isn't
really usable for any of the cases that go beyond what the
AttributeExtractor already offers.
-peter
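As an added illustration of the distinction Peter draws (this code is not from the thread or from the Shibboleth project): a small parser over a constructed SAML metadata aggregate that pulls shibmd:Scope and mdui:Logo out of each IdP role, keeping regexp scopes apart from literal ones so a pattern is never mistaken for an email domain, and reporting how many IdPs publish a logo at all. The entityIDs, domains and logo URL are made-up sample values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Constructed sample aggregate: hypothetical entityIDs and domains, not a real federation.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example-a.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example-a.test</shibmd:Scope>
        <mdui:UIInfo><mdui:Logo height="60" width="80">https://idp.example-a.test/logo.png</mdui:Logo></mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="true">^.*\.example-b\.test$</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def idp_extensions(metadata_xml):
    """Map each IdP entityID to its literal scopes, regexp scopes and logo URL."""
    result = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs carry no shibmd:Scope; only IdP roles are of interest here
        info = {"scopes": [], "regexp_scopes": [], "logo": None}
        for scope in idp.findall("md:Extensions/shibmd:Scope", NS):
            # A regexp scope is a pattern, not a domain name: keep it apart so it is
            # never treated as a literal email domain.
            is_re = scope.get("regexp", "false").lower() == "true"
            info["regexp_scopes" if is_re else "scopes"].append((scope.text or "").strip())
        logo = idp.find("md:Extensions/mdui:UIInfo/mdui:Logo", NS)
        info["logo"] = logo.text.strip() if logo is not None and logo.text else None
        result[ed.get("entityID")] = info
    return result

def logo_coverage(extracted):
    """Share of IdPs publishing an mdui:Logo (the kind of count mentioned above)."""
    return sum(1 for v in extracted.values() if v["logo"]) / len(extracted) if extracted else 0.0
```

Even a literal scope only says which scoped attribute values the IdP may assert; whether the institution accepts mail for that domain is not something the metadata states.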
