no metadata for the SP

Tom Scavo trscavo at gmail.com
Sun Nov 23 10:19:54 EST 2014


On Fri, Nov 21, 2014 at 3:15 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 11/21/14, 7:37 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>
>>When the IdP receives an AuthnRequest at a SingleSignOnService
>>endpoint, the IdP consults metadata before interacting with the user.
>>AFAIK, if the IdP lacks metadata for the SP, the transaction fails
>>outright, without even presenting the login interface to the user. In
>>this case, the user is stranded at the IdP, with no chance for either
>>party to recover.
>
> Sending them back to the SP presumes the much less common scenario that
> the SP is willing to handle errors. I realize that some do, but there are
> far more that never would, so I could never allow that to happen as an IdP
> operator. I can't know which ones will. So it's not really a solvable
> problem.
>
>>My question is: Can the IdP be configured to respond with a SAML error
>>if there is no metadata for the SP? If so, how?
>
> Not in V2, and not in V3 I don't think.

Okay, let me turn this around and focus on the SP for a moment. Does
the following metadata config at the SP mean what I think it means?

<MetadataProvider type="Chaining" precedence="first">
   <MetadataProvider type="XML" ... />
   <MetadataProvider type="Dynamic" ... />
</MetadataProvider>

In other words, the SP is provisioned with an aggregate, which it
checks first. If it finds the metadata it's looking for, it uses that,
otherwise it calls out dynamically to a query server.

If that is how the Chaining MetadataProvider actually works, let me
ask: will IdP 3 support such a configuration?

Thanks,

Tom
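The lookup order Tom describes (aggregate first, dynamic callout only on a miss) can be modelled in a few dozen lines. The following is an added illustration, not code from this thread or from the Shibboleth project; the class names, the `precedence` handling and the in-memory "query server" are assumptions made for the example. It also shows the failure mode the thread is about: when neither provider knows the entityID, the lookup fails outright, and `precedence="last"` is included to contrast with `"first"`.

```python
"""Model of a chained metadata lookup, constructed for illustration.

Not Shibboleth code. The provider classes stand in for
<MetadataProvider type="XML"> and <MetadataProvider type="Dynamic">, and the
"query server" is an in-memory dict so the example runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class EntityMetadata:
    entity_id: str
    source: str    # which provider produced the record ("XML" or "Dynamic")
    acs_url: str   # constructed AssertionConsumerService location


class MetadataNotFound(Exception):
    """Raised when no provider in the chain knows the entityID."""


class StaticAggregate:
    """Stands in for the XML provider: a preloaded aggregate, no network."""

    def __init__(self, entities: Dict[str, str]):
        self._entities = entities

    def lookup(self, entity_id: str) -> Optional[EntityMetadata]:
        acs = self._entities.get(entity_id)
        return EntityMetadata(entity_id, "XML", acs) if acs else None


class DynamicQuery:
    """Stands in for the Dynamic provider: a per-entity callout.

    `fetch` is a constructed stand-in for the HTTP query; `calls` records
    which entityIDs were requested so callers can see when the fallback ran.
    """

    def __init__(self, fetch: Callable[[str], Optional[str]]):
        self._fetch = fetch
        self.calls: List[str] = []

    def lookup(self, entity_id: str) -> Optional[EntityMetadata]:
        self.calls.append(entity_id)
        acs = self._fetch(entity_id)
        return EntityMetadata(entity_id, "Dynamic", acs) if acs else None


class Chaining:
    """precedence="first": the earliest match wins and later providers are
    not consulted; precedence="last": every provider is asked and the
    latest match overrides earlier ones (assumed semantics for this model)."""

    def __init__(self, providers, precedence: str = "first"):
        if precedence not in ("first", "last"):
            raise ValueError("precedence must be 'first' or 'last'")
        self._providers = list(providers)
        self._precedence = precedence

    def lookup(self, entity_id: str) -> EntityMetadata:
        result = None
        for provider in self._providers:
            found = provider.lookup(entity_id)
            if found is None:
                continue
            if self._precedence == "first":
                return found          # short-circuit: no dynamic callout
            result = found            # "last": keep going, later wins
        if result is None:
            raise MetadataNotFound(entity_id)   # the "stranded" case
        return result


# Constructed sample data: one SP in the aggregate, one only at the query
# server, one in both, one nowhere.
AGGREGATE = {
    "https://sp-a.example.org/shibboleth": "https://sp-a.example.org/acs",
    "https://sp-both.example.org/shibboleth": "https://sp-both.example.org/acs-xml",
}
QUERY_SERVER = {
    "https://sp-b.example.org/shibboleth": "https://sp-b.example.org/acs",
    "https://sp-both.example.org/shibboleth": "https://sp-both.example.org/acs-mdq",
}


def resolve(entity_id: str, precedence: str = "first"):
    """Build a fresh chain, resolve one entityID, and report what happened.

    Returns (source, acs_url, dynamic_was_called) or raises MetadataNotFound.
    """
    dynamic = DynamicQuery(QUERY_SERVER.get)
    chain = Chaining([StaticAggregate(AGGREGATE), dynamic], precedence)
    md = chain.lookup(entity_id)
    return md.source, md.acs_url, bool(dynamic.calls)


if __name__ == "__main__":
    for eid in AGGREGATE.keys() | QUERY_SERVER.keys() | {"https://nobody.example.org/shibboleth"}:
        try:
            print(eid, "->", resolve(eid))
        except MetadataNotFound as exc:
            print(eid, "-> no metadata (transaction would fail):", exc)
```

With `precedence="first"` an SP present in the aggregate never triggers the dynamic callout, an SP absent from the aggregate is fetched on demand, and an SP known to neither raises `MetadataNotFound`, which is the point at which a real IdP or SP has nothing it can do for the user.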
