wish list: ability to define reusable blocs in SP configuration

Peter Schober peter.schober at univie.ac.at
Mon Aug 6 08:52:28 EDT 2018

* Guillaume Rousse <guillaume.rousse at renater.fr> [2018-08-06 14:28]:
> We deploy SP on authenticating reverse proxies, meaning each SP manage a lot
> of different applications (approximatively 40 currently), each in a
> different virtual host. What makes those applications different is the exact
> set of trusted IdPs: [...]
> For each of those set, we have to define a different list of metadata files,
> and a different discovery servicef URL.

Why? For authorization there more appropriate methods than metadata
filtering, i.e., literally performing authorisation in httpd's
configuration (require ...).

And who says you absolutely must offer 4 different IDP discovery
services? Now, I can understand offering two (local fed only,
local+interfederation), but I certainly wouldn't stand up an extra DS
only to add a single IDP to the extra DS instance.
(Applications with specific requirements can certainly stand up their
own IDP DS? E.g. the Shib EDS consists of only HTML and JS and
therefore can be integrated anywhere. It can also do filtering in its
on configuration and so does not require pre-filtered metadata from
the SP.)

So I'd only offer the superset of these two Discovery Services and
live with the fact that someone may be able to pick an IDP that later
is not authorised to access the resource. (That will probably become
the norm with more centralized IDP discovery services going
forward. And having 1 additional IDP in a set of hundreds or thousands
will hardly be the end of the world for anyone.)

> I'm ready to fill an formal enhancement request on Jira for this
> feature if it can be considered feasable and useful.

Personally I'd suggest you stop causing so much trouble for yourself,
for very little actual gain. Then all of those problems go away.


More information about the users mailing list