requiring valid metadata

Cantor, Scott cantor.2 at osu.edu
Tue Mar 29 18:44:28 EDT 2016


On 3/29/16, 5:23 PM, "users on behalf of Tom Scavo" <users-bounces at shibboleth.net on behalf of trscavo at internet2.edu> wrote:



>What is the difference between the RequiredValidUntil metadata filter [1]
>
><MetadataFilter xsi:type="metadata:RequiredValidUntil">
>
>and the requireValidMetadata XML attribute [2]
>
>MetadataProvider/@requireValidMetadata

They aren't related really. The filter is used to prevent loading metadata that never expires or has too long a validity period, which undermines the trust model.

The attribute, IIRC, was there to prevent the IdP from loading metadata that was already invalid at the time it's loaded. I have no idea how it's used or if anybody ever touches it. The SP doesn't have that setting, and that's usually a good sign I didn't think it made sense.

If the purpose was to prevent throwing away valid metadata for "newer" but invalid metadata, well, duh. Pretty sure the SP just checks for that and doesn't swap it in. Because, well, duh.

-- Scott
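
A sketch of the two checks discussed in this message, as an added example that is not part of the original post and is not Shibboleth's code: one function models a filter-style policy on validUntil, the other the load-time expiry check as the reply describes it. The function names, the 14-day limit and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def valid_until(xml_text):
    """Return the root element's validUntil as a UTC datetime, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag not in (MD + "EntitiesDescriptor", MD + "EntityDescriptor"):
        raise ValueError("root element is not SAML metadata")
    raw = root.get("validUntil")
    if raw is None:
        return None
    stamp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if stamp.tzinfo is None:          # xs:dateTime without a zone: treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)

def passes_validity_filter(xml_text, now, max_validity):
    """Filter-style check: validUntil must exist and not be too far ahead."""
    until = valid_until(xml_text)
    if until is None:
        return False                  # metadata that never expires
    return until - now <= max_validity

def valid_at_load(xml_text, now):
    """Attribute-style check: reject metadata already expired when loaded."""
    until = valid_until(xml_text)
    return until is None or now < until

def sample(attr):
    # Constructed sample metadata, not taken from any real federation.
    return ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
            + attr + '/>')

NOW = datetime(2016, 3, 29, 22, 44, 28, tzinfo=timezone.utc)
LIMIT = timedelta(days=14)            # assumed policy value
DOCS = {
    "fresh": sample(' validUntil="2016-04-05T00:00:00Z"'),
    "never_expires": sample(""),
    "ten_years": sample(' validUntil="2026-03-29T00:00:00Z"'),
    "expired": sample(' validUntil="2016-03-01T00:00:00Z"'),
}

def evaluate():
    """Map each sample name to (filter result, load-time result)."""
    return {name: (passes_validity_filter(doc, NOW, LIMIT), valid_at_load(doc, NOW))
            for name, doc in DOCS.items()}
```

In this sketch the two checks are independent: the document with no validUntil fails only the filter-style check, and the expired document fails only the load-time check.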
 

