conflicting metadata, force NameIDFormat?

Christopher Bongaarts cab at umn.edu
Fri Jun 12 19:57:05 UTC 2020


On 6/12/2020 1:07 PM, Baron Fujimoto wrote:
> I am assuming that the IdP is using the InC entry based on the 
> entityID for the SP and ignoring the subsequent metadata provided 
> separately for them. Questions re this assumption:
>
> - Is a matching metadata selected based on the SP entityID?
> - Is the selected metadata chosen on a first match basis? If so, 
> is this dependent on the order in which the metadata is loaded in the 
> metadata-providers.xml conf file? 

Yes and yes.

We load our locally-maintained metadata prior to InCommon to allow us to 
override them if needed.  Yes, that has bitten us at least once in the 
past (expected R&S category attribute release policy to apply to an SP 
in InCommon, but it didn't because we had local metadata for them that 
of course did not include the R&S category tagging).

So maybe I would suggest that as a least-bad-practice?

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
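
An added example, not part of the original message or of the Shibboleth IdP code: a Python check that models the first-match behaviour described above and reports entityIDs defined in more than one metadata source, along with any entity categories (such as R&S) present only in the shadowed entry. The sample metadata and entityIDs are constructed; sources must be passed in the same order as they are loaded in metadata-providers.xml.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY_ATTR = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"

def load(xml_text):
    """Map entityID -> set of entity-category values for one metadata source."""
    out = {}
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        cats = set()
        for attr in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == CATEGORY_ATTR:
                cats |= {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
        out[ent.get("entityID")] = cats
    return out

def shadowed(sources):
    """sources: (name, xml_text) pairs in load order; the first match wins.
    Returns (entityID, winning source, shadowed source, categories lost)."""
    winner, findings = {}, []
    for name, xml_text in sources:
        for entity_id, cats in load(xml_text).items():
            if entity_id not in winner:
                winner[entity_id] = (name, cats)
            else:
                win_name, win_cats = winner[entity_id]
                findings.append((entity_id, win_name, name, sorted(cats - win_cats)))
    return findings

# Constructed sample metadata (hypothetical entityIDs), not taken from the thread.
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
LOCAL = '<md:EntityDescriptor %s entityID="https://sp.example.org/shibboleth"/>' % XMLNS
FEDERATION = """<md:EntitiesDescriptor %s>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.org/sp"/>
</md:EntitiesDescriptor>""" % (XMLNS, CATEGORY_ATTR, RS)

if __name__ == "__main__":
    for finding in shadowed([("local", LOCAL), ("federation", FEDERATION)]):
        print("shadowed: %s served from %r, hides %r, categories lost: %s" % finding)
```

A non-empty "categories lost" list marks the case described in the message: a category-based attribute release policy will not apply to that SP while the local entry wins.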


