Using custom metadata for my SP

Alan Buxey alan.buxey at myunidays.com
Thu Feb 6 08:35:21 EST 2020


hi,

> Two examples:
>
> a) requires an Organization element but my current metadata (got by
> Shibboleth.sso/metadata) doesn't contain it.
> b) requires <md:AttributeConsumingService> element but my current metadata
> (got by Shibboleth.sso/metadata) doesn't contain it.


so you add them as required. Take the metadata file provided by your SP, the one that contains the warning. That's okay: you are taking that as the base template to customise as required and then provide via some secure channel to your IdP partners. The warning is about using that as a verbatim config of the SP and as a secure way of knowing that's how to talk to you.

the SP doesn't read metadata about itself. It knows its config from the configuration files. You only feed your SP IdP metadata.

>
> Ok, I suspected it but I've two questions:
>
> 1) what happens if I produce and share my custom metadata with two
> certificates (tags <md:KeyDescriptor use="signing"> and
> <md:KeyDescriptor use="encryption">) and in the shibboleth2.xml tag
> <CredentialResolver> use different pem files? I would have a conflict,
> isn't it?


yes. That's why you don't do that. Ensure that your shared metadata only contains correct info. The same would be true if you'd changed the metadata to use different endpoint URLs etc.

>
> 2) how can I get my custom metadata by the Shibboleth.sso/Metadata URL?


you can't/don't - that file is a pretty general overview of the main SP shibboleth engine. All of the other things usually added, such as information URLs, MDUI elements, Sirtfi, CoCo, MFA and all federation stuff etc., are added externally as decorations to the metadata. There are various tools/utils out there to add such things (most e.g. federation admin pages let you update your metadata by either adding those or letting you manually add all the relevant sections).


alan
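The consistency check the reply is getting at, as an added example that is not part of the thread: before hand-edited SP metadata goes to IdP partners, verify it carries the elements the federation asked for (Organization, AttributeConsumingService) and that each KeyDescriptor's certificate is the same one the SP actually loads through its CredentialResolver. The metadata snippet and the PEM strings are constructed sample data, not real certificates; the function and file names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem):
    """Drop BEGIN/END lines and whitespace so a PEM certificate can be
    compared with the base64 text of a <ds:X509Certificate> element."""
    return "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))

def check_sp_metadata(metadata_xml, credentials):
    """Return the problems found in hand-edited SP metadata.
    credentials maps 'signing'/'encryption' to the PEM certificate the SP
    really loads via <CredentialResolver> in shibboleth2.xml."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.find("md:Organization", NS) is None:
        problems.append("missing md:Organization")
    if root.find(".//md:AttributeConsumingService", NS) is None:
        problems.append("missing md:AttributeConsumingService")
    for kd in root.findall(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        published = re.sub(r"\s+", "", cert.text or "") if cert is not None else ""
        # A KeyDescriptor without a use attribute covers both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            if published != pem_body(credentials.get(use, "")):
                problems.append(f"KeyDescriptor use={use} differs from the SP's {use} certificate")
    return problems

# Constructed sample inputs (not real certificates): the encryption cert in
# the metadata was edited and no longer matches what the SP loads.
SIGNING_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsigningAAAA\nBBBBsigning==\n-----END CERTIFICATE-----\n"
ENCRYPTION_PEM = "-----BEGIN CERTIFICATE-----\nMIIBencryptAAAA==\n-----END CERTIFICATE-----\n"
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBsigningAAAA
      BBBBsigning==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBotherAAAA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for p in check_sp_metadata(METADATA, {"signing": SIGNING_PEM, "encryption": ENCRYPTION_PEM}):
        print("PROBLEM:", p)
```

Run it against the real Shibboleth.sso/Metadata output and the PEM files named in your CredentialResolver; an empty list means the published certificates and the loaded ones agree.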

