Encryption works against samltest.id but not local Shibboleth IdP

Cantor, Scott cantor.2 at osu.edu
Thu Jul 30 18:11:48 UTC 2020


On 7/30/20, 12:16 PM, "users on behalf of Raymond DeCampo" <users-bounces at shibboleth.net on behalf of ray at decampo.org> wrote:

>    I feel like I am missing something, is there a tool that will generate IdP metadata from a Shibboleth IdP instance?

No. Metadata describes the aspects of a system that are to be publicly "true". Changing endpoints, keys, and other characteristics requires that deployments and metadata diverge in ways specific to the introduction of new, changed, or removed settings. Keys get added to one or the other first, time has to elapse, and then the completion of the change happens. Etc.

You can only generate metadata in scenarios in which metadata is being misused by the people producing and consuming it by treating it as static or as a one-time exchange.

>  I found the sample metadata very helpful in terms of starting from scratch with an installation and no prior experience
> with SAML.

Based on 15 years of history, it misleads people and is used to deploy systems insecurely more than it ultimately solves the basic goal of teaching people how to produce some XML, which is something we certainly could manage with greater flexibility than what's in shipped Java code. I'm not saying we have such a thing, I'm just saying that it would be the better choice for the specific goal.

-- Scott
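The phased key change Scott describes above (publish the new key alongside the old, let relying parties pick it up, then retire the old one) is what makes a one-time metadata snapshot inadequate. The following is an added illustration, not code from the thread or from the Shibboleth project: it builds the three metadata snapshots an IdP would publish during a signing-key rollover and shows which certificates an SP reading each snapshot would trust. The entity ID and the certificate strings are constructed placeholders, not real certificates. For an encryption key the overlap lives on the decrypting side instead (the key holder keeps both private keys for decryption while advertising only the new certificate), so only the signing case is modelled here.

```python
"""Phased signing-key rollover expressed as SAML metadata snapshots (constructed example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def build_idp_metadata(entity_id, keys):
    """Serialize a minimal EntityDescriptor for an IdP.

    `keys` is a list of (use, cert_b64) pairs; `use` is "signing",
    "encryption" or None (None omits the attribute, meaning both uses).
    """
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(
        ed,
        f"{{{MD_NS}}}IDPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    for use, cert in keys:
        kd = ET.SubElement(idp, f"{{{MD_NS}}}KeyDescriptor")
        if use:
            kd.set("use", use)
        key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert
    return ET.tostring(ed, encoding="unicode")


def keys_for_use(metadata_xml, wanted):
    """Certificates a consumer of this metadata would accept for `wanted`
    ("signing" or "encryption"): KeyDescriptors with a matching `use`
    attribute, plus those with no `use` attribute at all."""
    root = ET.fromstring(metadata_xml)
    accepted = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        if use is None or use == wanted:
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                accepted.append(cert.text.strip())
    return accepted


def rollover_snapshots(entity_id, old_cert, new_cert, use="signing"):
    """The three metadata states published over the course of a rollover.

    "before": only the old key; "during": both keys, so relying parties that
    have refreshed metadata verify either; "after": only the new key, once
    enough time has elapsed for consumers to have refreshed.
    """
    return {
        "before": build_idp_metadata(entity_id, [(use, old_cert)]),
        "during": build_idp_metadata(entity_id, [(use, old_cert), (use, new_cert)]),
        "after": build_idp_metadata(entity_id, [(use, new_cert)]),
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real certificates.
    OLD = "BASE64-OLD-CERT-PLACEHOLDER"
    NEW = "BASE64-NEW-CERT-PLACEHOLDER"
    snaps = rollover_snapshots("https://idp.example.invalid/idp/shibboleth", OLD, NEW)
    for phase in ("before", "during", "after"):
        print(phase, keys_for_use(snaps[phase], "signing"))
```

Refreshing metadata from the IdP's published location on a schedule (rather than copying a file once) is what lets an SP move through these states without an operator touching its configuration.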



