SP metadata

Mikael Bak bak.mikael at oszk.hu
Fri May 10 05:52:20 EDT 2019


Hi Peter,
Thank you for taking the time to answer my questions.

On 2019. 05. 10. 11:24, Peter Schober wrote:
> * Mikael Bak <bak.mikael at oszk.hu> [2019-05-10 10:09]:
>> I have put together a very basic SP that connects to our federation
>> with discovery. I had to supply a URL to the SP metadata to the federation:
> 
> If this is about integration with https://eduid.hu/ they should know
> what they're doing. (Probably a one-time snapshot from the URL you
> provide that's manually verified and then processed further.)
> 

Yes, it's eduid.
I should ask them if the metadata is only read once or if it's reread
periodically.


>> Everything seems to work but I'm a little uneasy about the fact that the
>> metadata file starts with this text:
> 
> That's why it's there. ;)
> 

Good. This is why I'm here :)

>> So my question is: If I'm not supposed to publish the automatically
>> generated metadata (the URL above), then how am I supposed to do it?
> 
> SAML Metadata is plain text. And it contains endpoints that should be trusted
> by the metadata consumer (i.e., no other endpoints should be trusted
> for this entity) plus it contains cryptographic keys that will be used
> to verify SAML protocol messages exchanged with the IdP in the future, like
> a (small) CA root cert, a trust anchor.
> Now you wouldn't blindly (i.e., automatically) import and trust CA
> root certs loaded over the Internet, would you?
> That's one of the reasons why you shouldn't point other people at this URL.
> 
> The other reason has to do with internal configuration of your SP
> sometimes having to differ from what you publish via metadata,
> e.g. during key roll-over. (Then your SP has multiple keys internally
> available but publishes a subset of those -- in a certain order --
> over a period of time.)
> 
> If that comment does not contain a URL to a FAQ entry of some sorts we
> should a) start that FAQ entry now and you could b) file an issue to
> get a URL pointing to that FAQ entry included within that comment in a
> next release of the SP software.
>

Thank you for the lengthy explanation!

Do I understand you correctly that you say it's NOT desirable to have
IdP or SP metadata available online for anyone to download?

This seems a bit strange to me because our federation asks for a URL and
it is downloading the metadata from there.

I have been using simplesamlphp to implement an IdP, and that software
also had an automatic metadata generator link to register with the
federation. But that generated metadata did not contain any warning at all.

Perhaps I misunderstand the purpose of /Metadata. I thought this is the
preferred way to publish my metadata to others, like I did when working
with the IdP (in simplesamlphp).

If this is not the preferred method, then what is?
Should /Metadata access be restricted (or removed)?

Thanks,
Mikael
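The concern in Peter's reply above (the endpoints and keys in SP metadata act as a trust anchor, so a consumer should not refetch and trust the live /Metadata URL blindly) can be turned into a consumer-side check. The following is an added example, not code from this thread, from Shibboleth or from any federation's tooling: using only Python's standard library it parses two SAML SP metadata documents and reports which endpoints and signing-key fingerprints differ between a previously verified snapshot and a fresh fetch, so a person can review the change before anything is trusted. The entity ID, URLs and certificate values are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(xml_text):
    """Return (entityID, ACS endpoint set, key-fingerprint set) for one SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    endpoints = set()
    for acs in sp.findall("md:AssertionConsumerService", NS):
        endpoints.add((acs.get("Binding"), acs.get("Location")))
    keys = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute = both
        b64 = kd.find(".//ds:X509Certificate", NS).text
        der = base64.b64decode("".join(b64.split()))
        keys.add((use, hashlib.sha256(der).hexdigest()))  # SHA-256 cert fingerprint
    return root.get("entityID"), endpoints, keys

def diff_metadata(trusted_xml, fetched_xml):
    """List what differs between the verified snapshot and a fresh fetch."""
    t_id, t_ep, t_keys = summarize(trusted_xml)
    f_id, f_ep, f_keys = summarize(fetched_xml)
    return {"entity_id_changed": t_id != f_id,
            "added_endpoints": sorted(f_ep - t_ep),
            "removed_endpoints": sorted(t_ep - f_ep),
            "added_keys": sorted(f_keys - t_keys),
            "removed_keys": sorted(t_keys - f_keys)}

# Constructed sample metadata (not a real SP); the X509Certificate values are
# placeholder base64 strings so the example runs offline.
TRUSTED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.hu/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>T0xELVNJR05JTkctS0VZ</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sp.example.hu/Shibboleth.sso/SAML2/POST" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
# A later fetch of the same URL now carries a second signing key (a roll-over
# in progress, or something unexpected) and a new ACS endpoint.
FETCHED = TRUSTED.replace("</md:SPSSODescriptor>",
 '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
 'TkVXLVNJR05JTkctS0VZ</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
 '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
 ' Location="https://sp.example.hu/Shibboleth.sso/SAML2/POST2" index="2"/></md:SPSSODescriptor>')
```

Running `diff_metadata(TRUSTED, FETCHED)` flags the new endpoint and the new signing key while reporting no removals; an empty result for a refetch means the published document still matches what was verified.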