Our Info Security folks want a new IDP URL

Nate Klingenstein ndk at signet.id
Fri Oct 26 17:23:31 EDT 2018


Stephen,

> Do you consider this "broken"?

I think "brittle" or "risky" would be better words, but "broken" isn't far off.  In the event you need to change something in your metadata, there is no real way for you to broadcast that update when you hand out the file statically.  You can mitigate some of that with URL rewrites, but as Scott pointed out, keys (and there are other things you may want to update, such as UI information) are a different matter.  You would be faced with a slow manual slog churning through all the providers that have static, stale copies of your metadata while they continued to trust the compromised keypair.

If your metadata is published (at the entityID or at a federation or elsewhere) and periodically refreshed by services, or you have some direct way to update your metadata/the equivalent configuration of metadata at the service, then you have the ability to update information without relying on the service provider to be responsive in a timely manner.

It's really about having the reliable capability to update your metadata coherently and quickly across services, and that can be achieved in a number of ways.  It's a great first step to host a reference copy at the entityID and require services to refresh it regularly, but given that not all services support metadata, let alone remotely fetching it, it's not likely to address everything, and you should have a mechanism in place for every service.

Hope this helps,

Nate.

-----Original message-----
From: Losen, Stephen C (scl)
Sent: Friday, October 26 2018, 3:08 pm
To: Shib Users
Subject: RE: Our Info Security folks want a new IDP URL
Hi Scott,

Thanks for your thoughts. Good point about key revocation.

By "not be broken and use metadata" do you mean periodically fetch the IDP metadata automatically?  We have many SPs that installed a local copy of our IDP metadata file once and are not configured to refresh. Do you consider this "broken"?

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu     434-924-0640
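The two situations Nate contrasts above (a static copy handed out once versus a reference copy published at the entityID and refreshed on a schedule) map directly onto how an SP's MetadataProvider is configured. The following is an added example for a Shibboleth SP 3 shibboleth2.xml, not a snippet from this thread or from the Shibboleth project's own documentation; the hostname, file names and signing certificate name are placeholders.

```xml
<!-- Added example (not from the thread): two ways an SP can load IdP
     metadata in a Shibboleth SP 3 shibboleth2.xml. The hostname, file
     names and certificate name are placeholders. -->

<!-- Brittle: a copy installed once and read from disk. It only changes
     when an administrator replaces the file, so a rotated or revoked
     IdP key keeps being trusted until someone gets around to it. -->
<MetadataProvider type="XML" validate="true"
    path="idp-metadata.xml"/>

<!-- Preferable: fetch the reference copy published at the entityID and
     re-fetch it regularly. The backing file keeps the SP working through
     an outage of the IdP's web server, while maxRefreshDelay (seconds)
     bounds how long an IdP-side change takes to reach this SP. -->
<MetadataProvider type="XML" validate="true"
    url="https://idp.example.edu/idp/shibboleth"
    backingFilePath="idp-metadata.xml"
    maxRefreshDelay="3600">
    <!-- Refuse metadata that carries no validUntil, and cap how long a
         fetched copy may be honoured even if every refresh keeps failing
         (28 days here), so a stale copy eventually stops being trusted. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <!-- Only accept metadata signed by the expected publisher key, so a
         compromised or mis-served web host cannot substitute its own. -->
    <MetadataFilter type="Signature" certificate="idp-metadata-signer.pem"
        verifyBackup="false"/>
</MetadataProvider>
```

The Signature filter only makes sense when the copy served at the entityID (or by the federation) is actually signed; if it is not, the TLS connection to the publishing URL is the only integrity check on the fetch, and the filter should be left out rather than configured against a certificate that never signs anything. The RequireValidUntil filter is the piece that turns "services refresh regularly" from a hope into an enforced property: an SP that stops refreshing will eventually refuse the stale copy instead of trusting it indefinitely.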

