SP metadata

Peter Schober peter.schober at univie.ac.at
Fri May 10 05:24:58 EDT 2019


* Mikael Bak <bak.mikael at oszk.hu> [2019-05-10 10:09]:
> I have put together a very basic SP that connects to our federation
> with discovery. I had to supply a URL to the SP metadata to the federation:

If this is about integration with https://eduid.hu/ they should know
what they're doing. (Probably a one-time snapshot from the URL you
provide that's manually verified and then processed further.)

> Everything seems to work but I'm a little uneasy by the fact that the
> metadata file starts with this text:

That's why it's there. ;)

> So my question is: If I'm not supposed to publish the automatically
> generated metadata (the URL above), then how am I supposed to do it?

SAML Metadata is plain text. And it lists the endpoints that should be
trusted by the metadata consumer (i.e., no other endpoints should be
trusted for this entity), plus it contains cryptographic keys that will
be used to verify SAML protocol messages exchanged with the IdP in the
future, like a (small) CA root cert, a trust anchor.
Now you wouldn't blindly (i.e., automatically) import and trust CA
root certs loaded over the Internet, would you?
That's one of the reasons why you shouldn't point other people at this URL.

The other reason has to do with internal configuration of your SP
sometimes having to differ from what you publish via metadata,
e.g. during key roll-over. (Then your SP has multiple keys internally
available but publishes a subset of those -- in a certain order --
over a period of time.)

If that comment does not contain a URL to a FAQ entry of some sorts we
should a) start that FAQ entry now and you could b) file an issue to
get a URL pointing to that FAQ entry included within that comment in a
next release of the SP software.

-peter
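As an added illustration of the snapshot-and-review approach described above (this is example code, not from the original thread, the Shibboleth SP or eduID.hu): a small Python script that extracts the trust-relevant parts of SP metadata, namely the entityID, the certificates in the KeyDescriptor elements and the endpoint locations, and diffs a freshly fetched copy against the snapshot that was reviewed at registration time. A legitimate key roll-over shows up as a new signing key; a new endpoint on a different host shows up as well, and both are reported for a human decision rather than imported. The two metadata documents, the hostnames and the certificate bodies are constructed for the example (the "certificates" are base64 of placeholder bytes, not real DER).

```python
"""Snapshot-and-diff check for SP metadata (added example, not Shibboleth code).

Caveat: xml.etree is not hardened against hostile XML (entity expansion etc.);
on untrusted input use defusedxml's drop-in replacement. Verifying the XML
signature of signed metadata is out of scope here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENDPOINT_TYPES = ("AssertionConsumerService", "SingleLogoutService")


def _cert_fingerprint(b64_text: str) -> str:
    """SHA-256 over the decoded certificate bytes; whitespace in the base64
    body is ignored, as it is in real metadata."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def extract_trust_material(metadata_xml: str) -> dict:
    """Return the parts of SP metadata a consumer actually trusts."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in metadata")

    keys = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both uses.
        uses = kd.get("use", "signing encryption").split()
        for cert in kd.findall(".//ds:X509Certificate", NS):
            if cert.text:
                fp = _cert_fingerprint(cert.text)
                keys.update((use, fp) for use in uses)

    endpoints = set()
    for kind in ENDPOINT_TYPES:
        for ep in sp.findall("md:%s" % kind, NS):
            endpoints.add((kind, ep.get("Binding"), ep.get("Location")))

    return {"entity_id": root.get("entityID"), "keys": keys, "endpoints": endpoints}


def diff_trust_material(snapshot: dict, fresh: dict) -> list:
    """Trust-relevant differences; an empty list means nothing changed."""
    findings = []
    if snapshot["entity_id"] != fresh["entity_id"]:
        findings.append("entityID changed: %s -> %s"
                        % (snapshot["entity_id"], fresh["entity_id"]))
    for use, fp in sorted(fresh["keys"] - snapshot["keys"]):
        findings.append("new %s key not in reviewed snapshot: sha256 %s" % (use, fp))
    for use, fp in sorted(snapshot["keys"] - fresh["keys"]):
        findings.append("%s key removed since snapshot: sha256 %s" % (use, fp))
    for kind, binding, loc in sorted(fresh["endpoints"] - snapshot["endpoints"]):
        findings.append("new %s endpoint not in snapshot: %s (%s)" % (kind, loc, binding))
    for kind, binding, loc in sorted(snapshot["endpoints"] - fresh["endpoints"]):
        findings.append("%s endpoint removed since snapshot: %s (%s)" % (kind, loc, binding))
    return findings


# Constructed sample: the copy reviewed at registration time.
SNAPSHOT_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydC1B</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: a later fetch of the SP's live metadata URL. It adds a
# second signing key (a key roll-over) and an ACS on a different host.
FRESH_XML = SNAPSHOT_XML.replace(
    "</md:KeyDescriptor>",
    """</md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydC1C</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>""").replace(
    "</md:SPSSODescriptor>",
    """<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.net/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>""")

if __name__ == "__main__":
    for line in diff_trust_material(extract_trust_material(SNAPSHOT_XML),
                                    extract_trust_material(FRESH_XML)):
        print("REVIEW:", line)
```

Run against the constructed input it reports exactly two items: the new signing key and the new AssertionConsumerService on sp.example.net. Whether either is acceptable is the reviewer's call; the script only makes sure no change to the trust anchor material slips through unnoticed.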

