Metadata Typo Causes Integration Headaches

Brent Putman putmanb at georgetown.edu
Wed Sep 19 19:07:11 EDT 2018



On 9/18/18 9:09 AM, Cantor, Scott wrote:
>
>> 2. Metadata-based credential resolution is complicated by filtering
>> that can reduce the effective key set from what's patently defined in
>> metadata XML files.
> Not sure I followed that. I think the underlying code might support some name-based key filtering but I don't think it actually triggers all that often, and never on a redirect since there's no KeyInfo hint to feed into that kind of filtering.

All of the concrete CredentialResolver impls fundamentally have this
capability, by virtue of inheriting from
AbstractCriteriaFilteringCredentialResolver, and the filtering happens
automagically if the right kind of criteria are supplied (those that
either are or can be mapped to a Predicate<Credential>).

As I just mentioned in my longish reply, the KeyInfo at issue here was
the metadata KeyDescriptor/KeyInfo.  I don't *think* Marvin's
conclusions here were quite correct, as I believe there would not have
been any Credentials extracted from metadata to filter.
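
An added illustration, not part of the original message and not OpenSAML code: a simplified Java (16+) model of the criteria-driven filtering described above, where criteria that map to a predicate narrow the credential set and the rest are ignored by the filter. All class names, the usage-matching rule and the sample keys are hypothetical and constructed.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;

// Hypothetical stand-ins for illustration only; these are not OpenSAML classes.
public class CriteriaFilterDemo {
    record Credential(String entityId, String usage, Set<String> keyNames) {}

    interface Criterion {}
    record EntityIdCriterion(String entityId) implements Criterion {}
    record UsageCriterion(String usage) implements Criterion {}
    record KeyNameCriterion(String name) implements Criterion {}

    // Map a criterion to a predicate where possible; empty means "not mappable".
    static Optional<Predicate<Credential>> toPredicate(Criterion c) {
        if (c instanceof UsageCriterion u)   // assumption: "unspecified" matches any usage
            return Optional.of(cred -> cred.usage().equals(u.usage())
                                    || cred.usage().equals("unspecified"));
        if (c instanceof KeyNameCriterion k)
            return Optional.of(cred -> cred.keyNames().contains(k.name()));
        return Optional.empty();             // e.g. EntityIdCriterion drives lookup, not filtering
    }

    // AND together every mappable criterion and apply it to what metadata declared.
    static List<Credential> resolve(List<Credential> declared, List<Criterion> criteria) {
        Predicate<Credential> filter = criteria.stream()
            .map(CriteriaFilterDemo::toPredicate)
            .flatMap(Optional::stream)
            .reduce(cred -> true, Predicate::and);
        return declared.stream().filter(filter).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        String sp = "https://sp.example.org";                 // constructed sample entity
        List<Credential> declared = List.of(                  // constructed sample keys
            new Credential(sp, "signing", Set.of("sp-sign")),
            new Credential(sp, "encryption", Set.of("sp-enc")),
            new Credential(sp, "unspecified", Set.of()));
        Criterion who = new EntityIdCriterion(sp);
        List<List<Criterion>> cases = List.of(
            List.of(who),                                               // no filtering criteria
            List.of(who, new UsageCriterion("signing")),                // usage narrows the set
            List.of(who, new UsageCriterion("signing"), new KeyNameCriterion("sp-sign")),
            List.of(who, new KeyNameCriterion("no-such-key")));         // nothing survives
        for (List<Criterion> criteria : cases)
            System.out.println(resolve(declared, criteria).size() + " of "
                + declared.size() + " credentials for " + criteria);
    }
}
```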
