Shibboleth.DEPRECATION : MetadataGenerator handler

Peter Schober peter.schober at univie.ac.at
Mon Dec 6 10:45:16 UTC 2021


* Jan Vilhuber <JVilhuber at absolute.com> [2021-12-06 05:48]:
> I can’t find anything about this in the Release-notes or google. Can
> someone give details? Is it being replaced with something else? If I
> missed some obvious place, I apologize for the noise!

I'm guessing the thing you've missed are countless discussions on this
list about how serving up metadata for others using that endpoint is
insecure (self-asserted, never expiring, unsigned metadata provides
zero trust but is still often directly/dynamically used to establish
key material that's then relied upon for securing SAML protocol
messages) and how the internal config sometimes needs to differ from
the external view during changes, e.g. what keys are internally
configured/available vs. which ones are included in published metadata
and with what use-limitations, if any.

The replacement has been the metagen.sh script and further curating
that metadata yourself as needed, I'd expect.

As a federation operator I do find the metadata generator endpoint
very useful as it helps with blackbox debugging, e.g. discovering
supported (or changed) EncryptionMethod values which the SP software
dynamically generates but I realise that's not the common case.

I also note that e.g. SimpleSAMLphp doesn't seem to have such concerns
about internal configration vs. published metadata as part of key
rollover, cf. https://simplesamlphp.org/docs/stable/saml:keyrollover
(AFAICT the Shib SP offers simmilar features here so I'm probably
missing something more fundamental here.)

-peter


More information about the users mailing list