Metadata Typo Causes Integration Headaches

Cantor, Scott cantor.2 at osu.edu
Tue Sep 18 09:09:13 EDT 2018


On 9/18/18, 7:56 AM, "users on behalf of Marvin Addison" <users-bounces at shibboleth.net on behalf of serac at vt.edu> wrote:

> 1. Don't maintain metadata by hand. I believe that's somewhere in the
> InCommon best practices documents, but it's a best practice
> regardless. We've had several minor issues over the years, but this
> most recent one was a huge support black hole and I think we've
> finally learned the lesson the hard way.

If you mean "rely on an XML editor", that's certainly useful, but can be a pain when you do a lot of work on servers. But what I would certainly suggest is schema validating. It doesn't catch every metadata mistake but it certainly catches this sort of thing in most cases.

> 2. Metadata-based credential resolution is complicated by filtering
> that can reduce the effective key set from what's patently defined in
> metadata XML files.

Not sure I followed that. I think the underlying code might support some name-based key filtering but I don't think it actually triggers all that often, and never on a redirect since there's no KeyInfo hint to feed into that kind of filtering.

-- Scott



