Metadata, entitydescriptor, id attribute

Cantor, Scott cantor.2 at osu.edu
Sun Sep 22 15:10:24 EDT 2013


On 9/22/13 2:07 PM, "Steven Carmody" <steven_carmody at brown.edu> wrote:
>
>The entitydescriptor element has an optional attribute called id. The
>value, when present, is a big long opaque string with constraints on the
>value of the first character.

No, it's an XML ID. That's the only constraint.

> In our campus metadata file some entities have this value; others don't.
>Xmlsectool, when validating, requires that any values that are present be
>unique.

XML IDs are unique by definition within an instance or the document isn't
valid.

>My question is -- what value does this attribute provide ? Which
>component uses it ? How might we use it ?

When signing, it MUST be present on whatever element is being signed, and
MUST be used within the Reference URI of the signature. Supporting whole
document references, and omitting the root element ID is a legacy behavior
that is technically not valid SAML, but is widely used and implemented
because the failure mode when it's done is to accidentally invalidate
signatures on occasion rather than make them vulnerable.

>I believe that the entitiesdescriptor element also has this optional
>attribute. In that case, though, I believe the id attribute is useful when
>xmlsectool is signing a file.

It's the same.

-- Scott
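As an added example (not from this thread and not xmlsectool's own code), the following Python check enforces the two points made in the reply above over a constructed metadata sample: every ID value must be a unique XML ID within the instance, and each ds:Signature's Reference URI must be "#" plus the ID of the element carrying the signature, with an empty Reference URI (a whole-document reference) reported as the legacy form rather than as valid SAML. The namespace URIs are the real SAML metadata and XML-DSig ones; the entityID values, ID values and Signature contents in the sample are constructed placeholders, and the ID syntax regex is a simplified ASCII-only NCName check.

```python
"""Check XML ID use in a SAML metadata document.

Added example, not part of the thread or of xmlsectool. It checks:
  1. every ID attribute in the instance is unique (and is a valid NCName);
  2. each ds:Signature's Reference URI is "#" + the ID of the element that
     carries the signature.  An empty URI (whole-document reference) is
     reported as the legacy form described in the reply; a missing ID on the
     signed element or a URI naming some other ID is reported as such.
Only reference structure is checked here, not the signature's cryptographic
validity.
"""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (placeholder entityIDs, IDs and Signature contents):
# one EntitiesDescriptor wrapping two EntityDescriptors.  The first entity's
# signature references its own ID correctly; the second uses the legacy
# empty (whole-document) Reference URI.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_root">
  <md:EntityDescriptor entityID="https://idp.example.org/idp" ID="_idp1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_idp1"/>
      </ds:SignedInfo>
    </ds:Signature>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp" ID="_sp1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI=""/>
      </ds:SignedInfo>
    </ds:Signature>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Simplified ASCII NCName: an XML ID must start with a letter or underscore,
# never a digit.  (The real production also allows many non-ASCII letters.)
NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def find_ids(root):
    """Return {id_value: element} for every ID attribute in the tree.

    Raises ValueError on a duplicate (the document would not be valid XML)
    or on a value that is not a valid NCName.
    """
    ids = {}
    for el in root.iter():
        value = el.get("ID")
        if value is None:
            continue
        if not NCNAME.match(value):
            raise ValueError(f"ID {value!r} is not a valid XML ID")
        if value in ids:
            raise ValueError(f"duplicate ID {value!r}")
        ids[value] = el
    return ids


def check_signature_references(xml_text):
    """Map each signed element (by entityID, or 'root') to a verdict.

    'ok'       Reference URI is '#' + the signed element's own ID
    'legacy'   empty URI (whole-document reference)
    'missing'  the signed element has no ID attribute at all
    'mismatch' the URI names something other than the signed element
    """
    root = ET.fromstring(xml_text)
    find_ids(root)  # enforces uniqueness and ID syntax first
    # ElementTree has no parent pointers; build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    verdicts = {}
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parent_of[sig]
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        own_id = signed.get("ID")
        key = signed.get("entityID", "root")
        if own_id is None:
            verdicts[key] = "missing"
        elif uri == "":
            verdicts[key] = "legacy"
        elif uri == "#" + own_id:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for entity, verdict in check_signature_references(SAMPLE).items():
        print(f"{entity}: {verdict}")
```

A 'legacy' verdict is exactly the case the reply describes: such a file may verify in many implementations, but the signature can be invalidated by harmless changes elsewhere in the document, so the fix is to put an ID on the signed element and reference it from the Signature. Checking that the referenced bytes actually verify against the key is still xmlsectool's job.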



