SP metadata

Peter Schober peter.schober at univie.ac.at
Fri May 10 06:15:50 EDT 2019


* Mikael Bak <bak.mikael at oszk.hu> [2019-05-10 11:52]:
> Do I understand you correctly that you say it's NOT desirable to
> have idP or SP metadata available online for anyone to download?

Not at all. Only when it's not secured as would have been in the case
you were asking about (your own SP).
It's fine when Integrity and Authenticity (out of CIA) are added, as
will be the case of eduID.hu re-signing (xmldsig) and re-publishing it
regularly as part of their federation metadata.

> This seems a bit strange to me because our federation asks for a URL
> and it is downloading the metadata from there.

For one-time imports with added manual (human) inspection and
verification that's probably OK. You can agree that no key rollover is
happening at that time out of band. And the chances of an undetected
MITM happening right at that one-time import are low. (Those increase
with regularly repeated, automated, i.e., "blind", re-importing from
there, of course.)

> I have been using simplesamlphp to implement an idP, and that software
> had also an automatic metadata generator link to register with the
> federation. But that generated metadata did not contain any warning at all.

Not sure what you're asking. The Shibboleth developers have decided to
make people aware of the Security Theatre that happens when in the area
on a daily basis. The SimpleSAMLphp developers have not made that decision.

> Perhaps I misunderstand the purpose of /Metadata. I thought this is
> the preferred way to publish my metadata to others like I did when
> working with the idP (in simplesamlphp).

It should be clear to you now (and/or from that warning comment) that
this is not the case.

> If this is not the preferred method, then what is?
> Should /Metadata access be restricted (or removed)?

For the purpose of your deployment I think I covered this all.
And now that your metadata is (or will be) available from eduID.hu, in
a regularly re-signed and re-published fashion, you can also point any
other IDP -- even those outside eduID.hu -- to the eduID.hu metadata
if needed. That metadata can be cryptographically validated and so
importing it over the network is safe.

There's no need to go as far as disabling the /Metadata handler but
you can do that if you want to. (I did that on a few systems of my
own.)
This is not about confidentiality (secrecy), though. It's about
avoiding mistakes people make during trust establishment.

The canonical piece on that is here
https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
but it's not sufficiently high-level, I think, for an entity owner
coming to this new (i.e., you, before we had this exchange here).

-peter
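
The difference between "blind" re-importing and importing signed federation metadata, shown as an added configuration example that is not part of the original message. It assumes a Shibboleth IdP (v3 or later) `metadata-providers.xml`; the provider ids, host names, URLs and file names are placeholders, and the signing certificate is assumed to have been obtained and checked out of band.

```xml
<!-- Fragment for a Shibboleth IdP metadata-providers.xml, placed inside the
     outer ChainingMetadataProvider. All ids, URLs and paths are placeholders. -->

<!-- Weak: automated, repeated re-import of one SP's self-published metadata.
     Nothing is verified, so whatever the URL returns at refresh time
     (including a swapped key) becomes trusted. -->
<MetadataProvider id="SingleSPBlind"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
                  backingFile="%{idp.home}/metadata/sp-example.xml"/>

<!-- Corrected: load the federation's re-signed aggregate instead. The
     xmldsig signature is checked against a locally stored copy of the
     federation's signing certificate, and stale copies are rejected. -->
<MetadataProvider id="FederationSigned"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://metadata.federation.example/aggregate.xml"
                  backingFile="%{idp.home}/metadata/federation-aggregate.xml">

    <!-- Integrity and authenticity: refuse metadata whose root element is
         unsigned or whose signature does not verify with the pinned cert. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/federation-signer.pem"/>

    <!-- Freshness: require a validUntil attribute no more than 14 days in
         the future, so an old signed copy cannot be replayed indefinitely. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
</MetadataProvider>
```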

