metadata generation

Cantor, Scott cantor.2 at osu.edu
Fri Jun 20 14:58:44 EDT 2014


On 6/20/14, 2:54 PM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>
>For the other way round, SPs will need to get a trustworthy copy of
>your IDP's metadata. As an IDP's metadata doesn't really change
>(modulo a key rollover every couple of years, if deemed necessary) you
>probably can get by without signing that, since whether you distribute
>an unsigned metadata file over a secure channel (once) or whether you
>distribute the signing key over a secure channel (and then signed
>metadata via whatever method, including plain http) seems not to make
>much difference.

It really depends on the relationships and communication channels for
dealing with key revocation. Signing and frequently expiring the metadata
lets you limit that exposure window. It also allows for changing endpoints
or profile support at the IdP without having to touch every SP. Again,
depending on the number of SPs and their willingness to make changes.
Since that latter number is usually quite low, being able to automate
those changes with the metadata is quite valuable.

-- Scott
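The two points above (a signed, short-lived metadata document bounds the exposure after a key compromise, and endpoint or key changes roll out to SPs through the same signed document) are easy to see in code. The following Go program is an added example, not code from this thread, from Shibboleth or from any SAML library. It models the IdP publishing metadata with a validUntil stamp and the SP verifying it against a pinned metadata-signing key, then refusing it once validUntil has passed. Two things are assumptions made here to keep it in the standard library: real SAML metadata is signed with an enveloped XML Signature over canonicalized XML, whereas this uses a detached RSA-SHA256 signature over the serialized bytes (the trust logic is the same); and the entity ID, endpoint URLs and dates are constructed sample values. The maxValidity check is the same idea the Shibboleth SP's RequireValidUntil metadata filter applies: metadata whose validUntil is too far out defeats the purpose of expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal model of the metadata fields this example cares about. Real SAML
// metadata carries much more (KeyDescriptors, NameIDFormats, contacts, ...).
type SingleSignOnService struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

type EntityDescriptor struct {
	XMLName    xml.Name              `xml:"EntityDescriptor"`
	EntityID   string                `xml:"entityID,attr"`
	ValidUntil time.Time             `xml:"validUntil,attr"` // serialized as RFC 3339 / xs:dateTime
	SSO        []SingleSignOnService `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// SignedMetadata is a detached RSA-SHA256 signature over the serialized
// document. ASSUMPTION: real SAML metadata uses an enveloped XML Signature
// with canonicalization; the detached form here is a simplification.
type SignedMetadata struct {
	Document  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("metadata signature does not verify against the pinned key")
	ErrExpired      = errors.New("metadata validUntil has passed (or is missing)")
	ErrTooLongLived = errors.New("metadata validUntil is further out than this SP allows")
)

// NewSigningKey generates the IdP's metadata signing key. The public half is
// what each SP pins; it is distributed once over a trustworthy channel.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublishMetadata is the IdP side: serialize the descriptor with validUntil set
// to now+lifetime and sign it. A new endpoint or a rolled key goes out the same
// way, so SPs that refresh pick the change up without anyone editing them.
func PublishMetadata(priv *rsa.PrivateKey, entityID string, sso []SingleSignOnService,
	now time.Time, lifetime time.Duration) (SignedMetadata, error) {
	ed := EntityDescriptor{EntityID: entityID, ValidUntil: now.Add(lifetime).UTC(), SSO: sso}
	doc, err := xml.Marshal(ed)
	if err != nil {
		return SignedMetadata{}, err
	}
	h := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return SignedMetadata{}, err
	}
	return SignedMetadata{Document: doc, Signature: sig}, nil
}

// VerifyMetadata is the SP side. Trust is anchored only in the pinned signing
// key, never in anything carried inside the document. A copy past validUntil is
// refused even though its signature is still good: that is what bounds the
// exposure window after a compromise or revocation. A missing validUntil
// unmarshals as the zero time and is therefore rejected as expired.
func VerifyMetadata(pinned *rsa.PublicKey, sm SignedMetadata, now time.Time,
	maxValidity time.Duration) (*EntityDescriptor, error) {
	h := sha256.Sum256(sm.Document)
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, h[:], sm.Signature); err != nil {
		return nil, ErrBadSignature
	}
	var ed EntityDescriptor
	if err := xml.Unmarshal(sm.Document, &ed); err != nil {
		return nil, err
	}
	if !now.Before(ed.ValidUntil) {
		return nil, ErrExpired
	}
	if ed.ValidUntil.Sub(now) > maxValidity {
		return nil, ErrTooLongLived
	}
	return &ed, nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values: entity ID, endpoints and the publication date.
	t0 := time.Date(2014, 6, 20, 19, 0, 0, 0, time.UTC)
	const entityID = "https://idp.example.org/idp/shibboleth"
	const redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	sso := []SingleSignOnService{{Binding: redirect, Location: "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"}}

	sm, _ := PublishMetadata(key, entityID, sso, t0, 7*24*time.Hour)
	ed, err := VerifyMetadata(&key.PublicKey, sm, t0.Add(time.Hour), 30*24*time.Hour)
	fmt.Println("fresh copy:", err, ed.SSO[0].Location)

	// The IdP moves its endpoint; the SP learns it from the next signed copy.
	sso[0].Location = "https://sso.example.org/saml2/redirect"
	sm2, _ := PublishMetadata(key, entityID, sso, t0.Add(24*time.Hour), 7*24*time.Hour)
	ed, err = VerifyMetadata(&key.PublicKey, sm2, t0.Add(25*time.Hour), 30*24*time.Hour)
	fmt.Println("after endpoint change:", err, ed.SSO[0].Location)

	// A stale copy of the first document is refused once validUntil has passed.
	_, err = VerifyMetadata(&key.PublicKey, sm, t0.Add(8*24*time.Hour), 30*24*time.Hour)
	fmt.Println("stale copy:", err)
}
```

The verifier's only long-term secret is the pinned public key; everything else, including the IdP's own SAML signing certificate in a real KeyDescriptor, arrives inside the signed document and can be replaced at the IdP's next publication. The cost of that automation is an operational one: the IdP must re-sign and republish before every validUntil, and the SP must actually refresh on its cacheDuration, otherwise a short lifetime turns into an outage rather than a smaller exposure window.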
