Using custom metadata for my SP

Vjger vjger69 at gmail.com
Thu Feb 6 10:10:22 EST 2020


First of all, thanks for the answers :)


Peter Schober wrote
> Where's the question? The SP allows to add stuff to its configuration
> so that it can be pulled out again at the metadata generator endpoint.
> But why insist on putting it into the SP config when you just as well
> could put it into the generated metadata document?
> 
> [cut...]
> 
> Again, pointing anyone at your metadata generator endpoint is
> completely insecure. That's why you should not do it. That's why the
> warning exists. So why are you then still concerned with getting more
> data into the output of the SP's metadata generator?

No, this is now clear to me. I must customize my metadata XML file and
share it with the IdPs.


Peter Schober wrote
>> 1) what happens if I produce and share my custom metadata with two
>> certificates (tag <md:KeyDescriptor use="signing"> and
>> <md:KeyDescriptor use="encryption">) and into shibboleth2.xml tag
>> <CredentialResolver> use different pem files? I would have a conflict,
>> isn't it?
> 
> Sorry, I don't understand the question.

I would say this: "The credentials used by an SP MUST correspond to those
supplied to relying parties and federations in the SP's metadata, or trust
failures will result." The credentials used by the SP are defined by the
<CredentialResolver> element of shibboleth2.xml, aren't they?



Peter Schober wrote
>> 2) how i can get my custom metadata by Shibboleth.sso/Metadata url?
> 
> You don't. That's the whole point. SAML 2.0 metadata is XML. XML is
> plain text. You can put plain text anywhere, e.g. in a file you
> distribute over a secure channel so that the information is
> trustworthy (i.e., the metadata's integrity and authenticity are
> intact).

Ok, clear.




--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
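The correspondence the thread settles on, that every credential loaded through <CredentialResolver> in shibboleth2.xml must also be published in the SP metadata's <md:KeyDescriptor> elements, can be checked mechanically before the metadata file is handed to IdPs. The script below is an added example, not code from this thread or from the Shibboleth project; it assumes File-type CredentialResolver elements with `use` and `certificate` attributes, an in-memory dict standing in for the PEM files on disk, and constructed base64 payloads in place of real certificates.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
USES = ("signing", "encryption")

def _der(b64_text):
    return base64.b64decode(re.sub(r"\s+", "", b64_text))  # tolerate PEM/metadata line wrapping

def pem_cert_der(pem):
    """DER of the first CERTIFICATE block in a PEM file (the SP's own cert, not any chain after it)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM data")
    return _der(m.group(1))

def metadata_certs(md_xml):
    """use -> DER certs published in the SP metadata; a KeyDescriptor without @use covers both uses."""
    out = {u: set() for u in USES}
    for kd in ET.fromstring(md_xml).iter(MD + "KeyDescriptor"):
        for x509 in kd.iter(DS + "X509Certificate"):
            for u in ([kd.get("use")] if kd.get("use") in USES else USES):
                out[u].add(_der(x509.text))
    return out

def config_certs(sp_xml, pem_files):
    """use -> DER certs the SP loads through File-type CredentialResolver elements in shibboleth2.xml."""
    out = {u: set() for u in USES}
    for cr in ET.fromstring(sp_xml).iter():  # local-name match ignores the SP config namespace version
        if cr.tag.rsplit("}", 1)[-1] == "CredentialResolver" and cr.get("type") == "File":
            for u in ([cr.get("use")] if cr.get("use") in USES else USES):
                out[u].add(pem_cert_der(pem_files[cr.get("certificate")]))
    return out

def check_consistency(md_xml, sp_xml, pem_files):
    """Per use: every credential the SP uses must be in its metadata (extra published certs, e.g. during rollover, are fine)."""
    md, cfg = metadata_certs(md_xml), config_certs(sp_xml, pem_files)
    return {u: cfg[u] <= md[u] for u in USES}

def _pem(der):  # constructed stand-in for a certificate file; the payload is not a real certificate
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
SIGN, ENC_PUBLISHED, ENC_ON_DISK = b"constructed-signing-der", b"constructed-old-encryption-der", b"constructed-new-encryption-der"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SIGN).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(ENC_PUBLISHED).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_SHIB_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"><ApplicationDefaults entityID="https://sp.example.org/shibboleth">
<CredentialResolver type="Chaining"><CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption" key="sp-encryption-key.pem" certificate="sp-encryption-cert.pem"/></CredentialResolver></ApplicationDefaults></SPConfig>"""
PEM_FILES = {"sp-signing-cert.pem": _pem(SIGN), "sp-encryption-cert.pem": _pem(ENC_ON_DISK)}  # encryption cert rotated on disk, metadata not updated
```

With the constructed inputs `check_consistency` reports signing as consistent and encryption as not, which is exactly the "different pem files" situation from the question: the SP would decrypt with a key whose certificate the IdPs never received.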

