Configuring new SP

Cantor, Scott cantor.2 at osu.edu
Fri Apr 24 11:06:12 EDT 2020


On 4/24/20, 10:54 AM, "users on behalf of Lohr, Donald" <users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:

> We have a new SP vendor that has two SPs we are configuring for. They 
> are not InCommon, but do support getting both metadata files via the 
> FileBackedHTTPMetadataProvider approach in the metadata-providers.xml 
> file (though we will store said files locally).

I never rely on remote metadata, that's untrustworthy (in every sense; it's not secure, it's not reliable, the vendor's metadata is probably wrong, and it's frequently invalid).

All those cases I handle with locally stored metadata in files named for the hash of the entityID and use the LocalDynamic provider. They show up automatically when added to the directory, are monitored for changes, and no configurations have to change.

If you're touching metadata-providers.xml frequently, that's not the best way of handling things.

> Since they are sharing the same attribute-filter.xml section, what would 
> the <AttributeFilterPolicy id="??"> be?

You should handle attribute release via metadata "tagging". There are examples of that in the default file now. You don't need to be creating rules for basic attributes for every service. That gets very ugly very fast.

But the approach for a manual rule would be an OR rule covering both entityIDs, not two rules.

To answer the question, the id attributes are usually for logging purposes.

-- Scott
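The layout Scott describes (one EntityDescriptor per file, the file named for the hash of the entityID, dropped into the LocalDynamic provider's directory) together with the two release approaches he mentions (a tag in the metadata, or a manual OR rule over both entityIDs), as an added example that is not code from the original thread or from the Shibboleth project. It assumes the LocalDynamic provider's default key, the lowercase hex SHA-1 of the entityID plus ".xml"; that the tag name http://shibboleth.net/ns/attributes/releaseAllValues is the one your attribute-filter.xml keys on (the shipped examples use it, but check your copy); the sample metadata and the vendor entityIDs are constructed; and install_metadata, tag_for_release, attribute_filter_or_policy and demo are this example's own functions, not IdP APIs.

```python
"""Install vendor SP metadata for a Shibboleth IdP LocalDynamicMetadataProvider.

Added example, not from the original thread or the Shibboleth project. Assumes the
provider's default key: one EntityDescriptor per file, named <hex SHA-1 of entityID>.xml.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Tag name the IdP's shipped attribute-filter.xml examples key on (assumption: check yours).
RELEASE_TAG = "http://shibboleth.net/ns/attributes/releaseAllValues"
for prefix, uri in (("md", MD), ("mdattr", MDATTR), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed sample of what the vendor might hand over for one of its two SPs.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp1.vendor.example/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp1.vendor.example/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def local_dynamic_filename(entity_id):
    """Hash the exact entityID bytes (no trailing newline, as a bare `echo` would add)."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest() + ".xml"


def tag_for_release(root, attribute_ids):
    """Add an EntityAttributes tag so a tag-based filter policy releases attribute_ids."""
    ext = root.find(f"{{{MD}}}Extensions")
    if ext is None:
        ext = ET.Element(f"{{{MD}}}Extensions")
        sig = root.find(f"{{{DS}}}Signature")  # schema order: Signature, then Extensions
        root.insert(0 if sig is None else list(root).index(sig) + 1, ext)
    ea = ext.find(f"{{{MDATTR}}}EntityAttributes")
    if ea is None:
        ea = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
    attr = ET.SubElement(ea, f"{{{SAML}}}Attribute", Name=RELEASE_TAG,
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    for attribute_id in attribute_ids:
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = attribute_id


def install_metadata(metadata_bytes, source_dir, expected_entity_id, release=()):
    """Check the file, optionally tag it, write it under its hashed name; return the path."""
    root = ET.fromstring(metadata_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("LocalDynamic wants one EntityDescriptor per file, got " + root.tag)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:  # a mislabelled vendor file fails here, not at SSO time
        raise ValueError(f"entityID mismatch: file says {entity_id!r}, expected {expected_entity_id!r}")
    if release:
        tag_for_release(root, release)
    path = os.path.join(source_dir, local_dynamic_filename(entity_id))
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return path


def attribute_filter_or_policy(policy_id, entity_ids, attribute_ids):
    """The manual alternative: one policy whose OR rule covers every entityID."""
    requesters = "\n".join(
        f'        <Rule xsi:type="Requester" value={quoteattr(e)}/>' for e in entity_ids)
    rules = "\n".join(
        f'    <AttributeRule attributeID={quoteattr(a)}>\n'
        f'        <PermitValueRule xsi:type="ANY"/>\n    </AttributeRule>' for a in attribute_ids)
    return (f'<AttributeFilterPolicy id={quoteattr(policy_id)}>\n'
            f'    <PolicyRequirementRule xsi:type="OR">\n{requesters}\n'
            f'    </PolicyRequirementRule>\n{rules}\n</AttributeFilterPolicy>')


def demo():
    """Install the sample SP into a scratch directory and read it back."""
    eid = "https://sp1.vendor.example/shibboleth"
    path = install_metadata(SAMPLE_METADATA, tempfile.mkdtemp(), eid,
                            release=["eduPersonPrincipalName"])
    root = ET.parse(path).getroot()
    tags = [v.text for v in root.iter(f"{{{SAML}}}AttributeValue")]
    return os.path.basename(path), root.get("entityID"), tags


if __name__ == "__main__":
    print(demo())
    print(attribute_filter_or_policy("vendorPair", ["https://sp1.vendor.example/shibboleth",
          "https://sp2.vendor.example/shibboleth"], ["eduPersonPrincipalName", "mail"]))
```

Two points worth keeping in mind when using something like this. The entityID check is the part that earns its keep: the provider looks the file up by the hash of the entityID the SP actually sends, so a vendor file whose entityID differs from what they told you would simply never be found, and catching that at install time is cheaper than debugging a failed SSO. And tagging rewrites the file, which invalidates any XML signature the vendor enclosed; that only matters if you verify signatures on the LocalDynamic provider, in which case apply the tag with an EntityAttributes metadata filter on the provider instead of editing the file.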
