Metadata Typo Causes Integration Headaches

Brent Putman putmanb at georgetown.edu
Wed Sep 19 19:22:47 EDT 2018



On 9/19/18 7:16 PM, Cantor, Scott wrote:
> On 9/19/18, 7:07 PM, "users on behalf of Brent Putman" <users-bounces at shibboleth.net on behalf of putmanb at georgetown.edu> wrote:
>
>> As I just mentioned in my longish reply, the KeyInfo at issue here was the metadata KeyDescriptor/KeyInfo.  I don't
>> *think* Marvin's conclusions here were quite correct, as I believe there would not have been any Credentials extracted
>> from metadata to filter.
> Yes, but my point was that even if the code is outfitted to feed key names into the process to filter out non-matches, that would have to come, ordinarily, from the message's KeyInfo hint. And with a signed redirect, there's no hint, so there's nothing to do but try all the keys in the metadata that match the algorithm type.

Sure.  That's what we do.  I was just trying to point out that there
was a KeyInfo here (in metadata, not a request hint) and its "badness"
was the root cause here I think, not any kind of filtering (based on
KeyInfo hints or otherwise).
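
The behaviour discussed in this exchange (no KeyInfo hint on a signed redirect, so every metadata key of the right algorithm type is tried) can be sketched with plain JDK classes. This is an added example, not OpenSAML or Shibboleth code; the class name, method name, keys and query string are constructed for illustration, and only two RSA SigAlg URIs are mapped.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class RedirectSignatureTrial {
    // SigAlg URI -> { JCA signature algorithm, required key type }
    static final Map<String, String[]> ALGS = Map.of(
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", new String[] {"SHA256withRSA", "RSA"},
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", new String[] {"SHA512withRSA", "RSA"});
    /** Returns the index of the first candidate key that verifies, or -1 if none does. */
    static int verify(String signedQuery, byte[] sig, String sigAlg, List<PublicKey> candidates)
            throws GeneralSecurityException {
        String[] alg = ALGS.get(sigAlg);
        if (alg == null) return -1;                           // unsupported SigAlg: reject
        byte[] data = signedQuery.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < candidates.size(); i++) {
            PublicKey key = candidates.get(i);
            if (!alg[1].equals(key.getAlgorithm())) continue; // key type cannot match SigAlg
            Signature s = Signature.getInstance(alg[0]);
            s.initVerify(key);
            s.update(data);
            try {
                if (s.verify(sig)) return i;
            } catch (SignatureException e) { /* malformed for this key: try the next one */ }
        }
        return -1;                                            // also the result for an empty list
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(256);
        KeyPair signer = rsa.generateKeyPair();
        String sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        // Constructed query string: the redirect signature covers these URL-encoded parameters.
        String query = "SAMLRequest=Y29uc3RydWN0ZWQ%3D&RelayState=constructed&SigAlg="
                + URLEncoder.encode(sigAlg, StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate());
        s.update(query.getBytes(StandardCharsets.UTF_8));
        byte[] sig = s.sign();
        // Constructed candidates: one EC key (skipped by type), one unrelated RSA key, the signer.
        List<PublicKey> metadataKeys = List.of(ec.generateKeyPair().getPublic(),
                rsa.generateKeyPair().getPublic(), signer.getPublic());
        System.out.println("three metadata keys: " + verify(query, sig, sigAlg, metadataKeys));
        System.out.println("no usable keys:      " + verify(query, sig, sigAlg, List.of()));
    }
}
```

The second call models the situation described above, where no credential could be extracted from the metadata KeyInfo: with an empty candidate list the signature cannot be verified no matter how the keys are filtered.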
