What is the advice - meta data retrieval

Cantor, Scott cantor.2 at osu.edu
Fri Apr 12 09:09:56 EDT 2019

On 4/11/19, 11:55 PM, "users on behalf of Lalith Jayaweera" <users-bounces at shibboleth.net on behalf of ljayaweera at gmail.com> wrote:

> I have seen  discussions, that, it is highly not recommended to access meta data dynamically from a running system. >
> https://<server>/idp/shibboleth

That is not, FWIW, coming from a "running" system, that's just a static file same as any other. The issue is their lack of verification and handling, not that it's coming from a URL.

You have to understand the threat models and then make a decision on risk to determine what you can live with or not. Static import of metadata introduces a lack of revocation, just as lack of verification of dynamic import risks impersonation.

-- Scott

More information about the users mailing list