Metadata Typo Causes Integration Headaches

Marvin Addison serac at
Tue Sep 18 09:20:28 EDT 2018

On Tue, Sep 18, 2018 at 9:10 AM Cantor, Scott <cantor.2 at> wrote:
> what I would certainly suggest is schema validating. It doesn't catch every metadata mistake but it certainly catches this sort of thing in most cases.

Wholeheartedly agree that schema validation is a best practice for
catching simple mistakes, but avoiding hand-editing XML is my goal for
commonplace integrations.

> > 2. Metadata-based credential resolution is complicated by filtering
> > that can reduce the effective key set from what's patently defined in
> > metadata XML files.
> Not sure I followed that.

Not surprised -- I was groping for words. Let me try again: just
because you have what appears to be the right certificate defined in
your metadata, there's some complex policy machinery that can
effectively remove it from consideration: usage constraints, algorithm
constraints, etc. Frankly I'm not even certain of all the ways that a
credential can be filtered out from consideration, but I convinced
myself there's a lot of machinery there that I didn't fully appreciate
and still don't fully understand.
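One of the filters mentioned above, the `use` attribute on a metadata KeyDescriptor, shown as an added example (not part of the original message and not code from the software under discussion). The metadata, entityID and key names are constructed, and reporting an out-of-schema `use` value as rejected is this example's assumption; algorithm constraints and other policy filters are not modelled.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
VALID_USE = {"signing", "encryption"}  # the two values the metadata schema allows

# Constructed sample metadata: entityID and key names are made up.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption">
   <ds:KeyInfo><ds:KeyName>key-a</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo><ds:KeyName>key-b</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor>
   <ds:KeyInfo><ds:KeyName>key-c</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="Signing">
   <ds:KeyInfo><ds:KeyName>key-d</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def effective_keys(metadata_xml, purpose):
    """Return (usable, rejected) for one purpose.

    usable   -- key names whose KeyDescriptor permits `purpose`
    rejected -- (key name, reason) for keys present in the XML but filtered out
    """
    if purpose not in VALID_USE:
        raise ValueError(f"unknown purpose: {purpose!r}")
    # Sample input is trusted; parse real third-party metadata with a
    # hardened XML parser instead.
    root = ET.fromstring(metadata_xml)
    usable, rejected = [], []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        name = kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName", default="(unnamed)")
        use = kd.get("use")
        if use is None or use == purpose:
            usable.append(name)          # no use attribute means either purpose
        elif use in VALID_USE:
            rejected.append((name, f"use={use}"))
        else:
            # Assumption of this example: a value outside the schema's
            # enumeration (here a case typo) makes the key unusable.
            rejected.append((name, f"invalid use={use!r}"))
    return usable, rejected


if __name__ == "__main__":
    for purpose in sorted(VALID_USE):
        print(purpose, effective_keys(SAMPLE, purpose))
```

Four keys appear in the XML, but only two are candidates for any one purpose; the `Signing` entry is the kind of mistake schema validation would flag.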

