Using custom metadata for my SP

Peter Schober peter.schober at
Thu Feb 6 10:18:11 EST 2020

* Vjger <vjger69 at> [2020-02-06 16:10]:
> this is now clear to me. I must customize and share with idps my
> metadata xml file.

You still haven't explained why you think the metadata must be
different for different consumers of that metadata.
I'd try to avoid such a situation if at all possible.

> I would say this: "/The credentials used by an SP MUST correspond to
> those supplied to relying parties and federations in the SP's
> metadata, or trust failures will result./".

Well, the SP could use more key pairs than shared with others,
e.g. those still supported as part of a key rollover process but no
longer published to consumers.
So not correspondence in the literal sense, quite the opposite:
Sometimes it might be necessary for the internal configurtion must
differ from the published metadata.

Which is why people shouldn't be publishing their metadata generator
URLs. Which is what the documentation should also cover, AFAIR.

> The credentials used by SP are defined by <CredentialResolver> tag
> of shibboleth2.xml, isn't it?

Sure, and the documentation should leave no doubt about that.


More information about the users mailing list