provide SP metadata download URL to my IDP

Peter Schober peter.schober at univie.ac.at
Mon Apr 6 14:11:52 EDT 2020


* Marcus Schopen <lists at localguru.de> [2020-04-06 18:46]:
> I've set up shibboleth-sp. My IDP asks for an URL to fetch my metadata.

I'd tell the IDP to accept a snapshot of the metadata per (signed)
email -- or whatever trustworthy data exchange you can come up -- and
provision it statically.

Automatically downloading plain text files containing cryptographic
material and authorized protocol endpoints (where personal data is
sent to by the IDP) over the Internet and blindly trusting its content
is little more than security theatre, IMO.

Of course sharing a static snapshot of course comes with an ongoing
maintainence burdon of having to contact the IDP about later changes.
To me that's still preferrable to the IDP using false metadata at any
time, even if I'm not making changes to my service for years.

(A compromise is signing the metadata you're publishing and with only
a single consumer you can also test whether they're validating the
signature by sabotaging the signature once in a while and monitoring
for breakage from that IDP. ;))

> Does the file need a special mime type?

If you want the standard MIME type for that is
application/samlmetadata+xml, IIRC, but I doubt any SAML
implementation cares about that.
(So changing that will not fix whatever you think is broken.)

-peter


More information about the users mailing list