Using custom metadata for my SP

Peter Schober peter.schober at univie.ac.at
Thu Feb 6 06:59:11 EST 2020


* Vjger <vjger69 at gmail.com> [2020-02-06 12:48]:
> > That should not be the case: Your metadata describes your SP,
> > independently from who's asking.
> 
> Correct, but the information required by external IdPs is more than
> what is required by my internal Shibboleth IdP.

I cannot parse that sentence nor does it match what you're asking:
You said the SP metadata needs to differ to satisfy multiple IDP's
varying requirements on your SP's metadata.
So now it's just about a single IDP?

> Two examples:
> 
> a) requires an Organization element but my current metadata (got by
> Shibboleth.sso/metadata) doesn't contain it.
> b) requires <md:AttributeConsumingService> element but my current metadata
> (got by Shibboleth.sso/metadata) doesn't contain it.

Where's the question? The SP allows to add stuff to its configuration
so that it can be pulled out again at the metadata generator endpoint.
But why insist on putting it into the SP config when you just as well
could put it into the generated metadata document?

Again, pointing anyone at your metadata generator endpoint is
completely insecure. That's why you should not do it. That's why the
warning exists. So why are you then still concerned with getting more
data into the output of the SP's metadata generator?

> 1) What happens if I produce and share my custom metadata with two
> certificates (tags <md:KeyDescriptor use="signing"> and
> <md:KeyDescriptor use="encryption">) and in shibboleth2.xml the
> <CredentialResolver> tag uses different PEM files? I would have a
> conflict, isn't it?

Sorry, I don't understand the question.

> 2) How can I get my custom metadata from the Shibboleth.sso/Metadata URL?

You don't. That's the whole point. SAML 2.0 metadata is XML. XML is
plain text. You can put plain text anywhere, e.g. in a file you
distribute over a secure channel so that the information is
trustworthy (i.e., the metadata's integrity and authenticity are
intact).

-peter
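Peter's point is that the generated document is plain XML you can edit and distribute yourself. The following script is an added example (not Peter's code and not part of the Shibboleth SP) showing what that looks like in practice: it takes a minimal SP metadata document of the kind Shibboleth.sso/Metadata emits, adds the two elements Vjger's IdPs asked for (md:Organization and md:AttributeConsumingService) in the positions the SAML 2.0 metadata schema requires, checks the result before it is published, and computes a SHA-256 fingerprint that can be communicated out of band so the receiving IdP can verify the file's integrity. The entityID, endpoint URLs, organization name, attribute list and the certificate text are constructed placeholders, not values from the thread.

```python
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Constructed sample: the shape of a minimal document the SP's metadata
# generator produces. The entityID, locations and certificate are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def q(local):
    """Qualified tag name in the SAML metadata namespace."""
    return "{%s}%s" % (MD, local)


def add_organization(root, name, display_name, url, lang="en"):
    """Insert md:Organization after the role descriptors and before any ContactPerson."""
    if root.find(q("Organization")) is not None:
        raise ValueError("metadata already has an Organization element")
    org = ET.Element(q("Organization"))
    for tag, text in (("OrganizationName", name),
                      ("OrganizationDisplayName", display_name),
                      ("OrganizationURL", url)):
        child = ET.SubElement(org, q(tag))
        child.set(XML_LANG, lang)  # xml:lang is required on all three children
        child.text = text
    children = list(root)
    pos = len(children)
    for i, child in enumerate(children):
        if child.tag == q("ContactPerson"):  # Organization must precede ContactPerson
            pos = i
            break
    root.insert(pos, org)
    return org


def add_attribute_consuming_service(root, service_name, attributes, index=1, lang="en"):
    """Append md:AttributeConsumingService to the SPSSODescriptor.

    The schema places it after AssertionConsumerService, so appending at the
    end of the role descriptor keeps the document valid.
    attributes: iterable of (Name, FriendlyName or None, isRequired).
    """
    spsso = root.find(q("SPSSODescriptor"))
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = ET.SubElement(spsso, q("AttributeConsumingService"))
    acs.set("index", str(index))
    service = ET.SubElement(acs, q("ServiceName"))
    service.set(XML_LANG, lang)
    service.text = service_name
    for name, friendly, required in attributes:
        req = ET.SubElement(acs, q("RequestedAttribute"))
        req.set("Name", name)
        req.set("NameFormat", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
        if friendly:
            req.set("FriendlyName", friendly)
        req.set("isRequired", "true" if required else "false")
    return acs


def build_custom_metadata(xml_text):
    """Produce the hand-maintained metadata document from the generator's output."""
    root = ET.fromstring(xml_text)
    add_organization(root, "Example University", "Example University",
                     "https://www.example.org/")
    add_attribute_consuming_service(root, "Example Service", [
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName", True),
        ("urn:oid:0.9.2342.19200300.100.1.3", "mail", False),
    ])
    return ET.tostring(root, encoding="unicode")


def check_structure(xml_text):
    """Pre-publication check: required elements present and in schema order."""
    root = ET.fromstring(xml_text)
    outer = [c.tag for c in root]
    spsso = root.find(q("SPSSODescriptor"))
    if spsso is None or q("Organization") not in outer:
        return False
    if outer.index(q("Organization")) < outer.index(q("SPSSODescriptor")):
        return False
    inner = [c.tag for c in spsso]
    if q("AttributeConsumingService") not in inner:
        return False
    return inner.index(q("AssertionConsumerService")) < inner.index(q("AttributeConsumingService"))


def fingerprint(xml_text):
    """SHA-256 of the exact bytes you hand to the IdP, for out-of-band verification."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    custom = build_custom_metadata(SAMPLE_SP_METADATA)
    print(custom)
    print("structure ok:", check_structure(custom))
    print("sha256:", fingerprint(custom))
```

The fingerprint stands in for the secure channel Peter describes: the file itself can travel any way you like as long as the IdP operator can confirm, over a trusted path, that the bytes they received are the ones you produced. Signing the document with an XML signature is the more common approach in federations; the hash is simply the minimal check that works with no extra tooling.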
