MetadataProvider question...

Christopher Bongaarts cab at
Fri Oct 25 10:20:51 EDT 2019

On 10/25/2019 5:50 AM, Peter Schober wrote:
> * Dennis Fazekas<Dennis_Fazekas at>  [2019-10-25 00:32]:
>> We have customers that want to setup their IDP software to query us
>> on an interval similar to how the SP can query them using the
>> MetadataProvider.
> They can. Just know that automatically (i.e., blindly) loading and
> trusting cryptographic key material over the Internet is essentially
> security theater.
> Even if your trust in browser-/OS vendor-supplied web PKIX is
> unfailing you'd have to closely inspect the whole HTTP + TLS software
> stack in use that's downloading the metadata (so this would need to
> happen at every IDP that loads your metadata that way) to account for
> any and all degradations in trustworthiness of the connection that may
> happen at any time (attacks local to the IDP, local to the SP or
> somewhere in the middle), i.e., the things a graphical browser would
> signal with UI elements or forced interstitial warning pages.

I don't think that aspect (breaking TLS to divert metadata retriveal) is 
as much as a threat in this case as that you would have to take steps to 
ensure that the metadata provided by one SP doesn't step on some other 
SP's metadata.  You may be able to work around the latter problem by 
using a PredicateMetadataFilter to restrict the entity ID(s) that can be 

> We should probably write all this up on a wiki page and put the URL to
> that page into that warning message, though.

Agreed; now that (as of 3.4) there is a way to work around the above 
problem, seems like it might be worth documenting.... Perhaps someone 
who has done this (I have not yet) could do so (it is a wiki after all).

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list