MetadataProvider question...

Cantor, Scott cantor.2 at
Thu Oct 24 19:29:28 EDT 2019

The SAML trust model [1] we implement and encourage is predicated on third party federations signing and distributing metadata to avoid bilateral exchange. It's predicated on, among other things, signed metadata that expires regularly, and is re-signed frequently, with the signing key exchanged out of band.

That doesn't work point to point and we don't facilitate that model, it just happens to be something the software can't enforce; it will accept metadata from any source its given with the rules its given. It's up to deployers whether to care what the rules are or not.

-- Scott


More information about the users mailing list