no metadata for the SP

Tom Scavo trscavo at
Sun Nov 23 10:19:54 EST 2014

On Fri, Nov 21, 2014 at 3:15 PM, Cantor, Scott <cantor.2 at> wrote:
> On 11/21/14, 7:37 PM, "Tom Scavo" <trscavo at> wrote:
>>When the IdP receives an AuthnRequest at a SingleSignOnService
>>endpoint, the IdP consults metadata before interacting with the user.
>>AFAIK, if the IdP lacks metadata for the SP, the transaction fails
>>outright, without even presenting the login interface to the user. In
>>this case, the user is stranded at the IdP, with no chance for either
>>party to recover.
> Sending them back to the SP presumes the much less common scenario that
> the SP is willing to handle errors. I realize that some do, but there are
> far more that never would, so I could never allow that happen as an IdP
> operator. I can't know which ones will. So it's not really a solvable
> problem.
>>My question is: Can the IdP be configured to respond with a SAML error
>>if there is no metadata for the SP? If so, how?
> Not in V2, and not in V3 I don't think.

Okay, let me turn this around and focus on the SP for a moment. Does
the following metadata config at the SP mean what I think it means?

<MetadataProvider type="Chaining" precedence="first">
   <MetadataProvider type="XML" ... />
   <MetadataProvider type="Dynamic" ... />

In other words, the SP is provisioned with an aggregate, which it
checks first. If it finds the metadata it's looking for, it uses that,
otherwise it calls out dynamically to a query server.

If that is how the Chaining MetadataProvider actually works, let me
ask: will IdP 3 support such a configuration?



More information about the users mailing list