What is the advice - meta data retrieval
Cantor, Scott
cantor.2 at osu.edu
Fri Apr 12 09:09:56 EDT 2019
On 4/11/19, 11:55 PM, "users on behalf of Lalith Jayaweera" <users-bounces at shibboleth.net on behalf of ljayaweera at gmail.com> wrote:
> I have seen discussions that it is highly not recommended to access metadata dynamically from a running system.
>
> https://<server>/idp/shibboleth
That is not, FWIW, coming from a "running" system, that's just a static file same as any other. The issue is their lack of verification and handling, not that it's coming from a URL.
You have to understand the threat models and then make a decision on risk to determine what you can live with or not. Static import of metadata introduces a lack of revocation, just as lack of verification of dynamic import risks impersonation.
-- Scott
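As an added illustration (not part of the thread or of the Shibboleth project's documentation), a Shibboleth IdP metadata-providers.xml fragment showing the trade-off Scott describes: a dynamic provider with no verification, the same provider with signature validation and a validUntil ceiling, and a static file import; the entity/provider ids, URLs and file paths are assumed placeholders.

```xml
<!-- Added example for metadata-providers.xml (not from the thread).
     Provider ids, URLs and file paths below are placeholders. -->

<!-- Risky: metadata fetched from a URL with no signature check and no
     validity ceiling. Whoever can alter what that URL serves, or the cached
     backing file, controls which keys the IdP trusts for this SP. -->
<MetadataProvider id="ExampleSP-unverified" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
    backingFile="%{idp.home}/metadata/sp-example.xml"/>

<!-- Verified: the same dynamic source, but the document must be signed by a
     pinned signing certificate, and it must carry a validUntil no more than
     14 days out, so a withdrawn entity or key ages out of the cache instead
     of being trusted indefinitely. Refresh is attempted at least every 4h. -->
<MetadataProvider id="ExampleSP" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
    backingFile="%{idp.home}/metadata/sp-example.xml"
    maxRefreshDelay="PT4H">
    <MetadataFilter xsi:type="SignatureValidation"
        requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/sp-example-metadata-signer.pem"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
</MetadataProvider>

<!-- Static import: no question of trusting a remote fetch, but nothing
     expires or is revoked until someone replaces the file by hand. -->
<MetadataProvider id="ExampleSP-static" xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/sp-example-static.xml"/>
```

The RequiredValidUntil filter is what turns the dynamic fetch into a revocation mechanism: if the publisher stops signing fresh metadata, the cached copy is rejected once its validUntil passes.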