Shibboleth.DEPRECATION : MetadataGenerator handler
Jan Vilhuber
JVilhuber at absolute.com
Mon Dec 6 10:49:32 UTC 2021
> From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
> Date: Monday, 6 December 2021 at 17:45
> To: users at shibboleth.net <users at shibboleth.net>
> Subject: Re: Shibboleth.DEPRECATION : MetadataGenerator handler
>
> * Jan Vilhuber <JVilhuber at absolute.com> [2021-12-06 05:48]:
> > I can’t find anything about this in the Release-notes or google. Can
> > someone give details? Is it being replaced with something else? If I
> > missed some obvious place, I apologize for the noise!
>
> I'm guessing the thing you've missed are countless discussions on this
> list about how serving up metadata for others using that endpoint is
> insecure (self-asserted, never expiring, unsigned metadata provides
> zero trust but is still often directly/dynamically used to establish
> key material that's then relied upon for securing SAML protocol
> messages) and how the internal config sometimes needs to differ from
> the external view during changes, e.g. what keys are internally
> configured/available vs. which ones are included in published metadata
> and with what use-limitations, if any.
No, I didn’t miss those discussions and I did read the warnings in the wiki. I was under the (apparently mistaken) impression the endpoint could still be used for internal purposes, though.
Thanks. I’ll have a look at metagen.sh.
Jan
> The replacement has been the metagen.sh script and further curating
> that metadata yourself as needed, I'd expect.
>
> As a federation operator I do find the metadata generator endpoint
> very useful as it helps with blackbox debugging, e.g. discovering
> supported (or changed) EncryptionMethod values which the SP software
> dynamically generates but I realise that's not the common case.
>
> I also note that e.g. SimpleSAMLphp doesn't seem to have such concerns
> about internal configuration vs. published metadata as part of key
> rollover, cf. https://urldefense.com/v3/__https://simplesamlphp.org/docs/stable/saml:keyrollover__;!!GEjU_1jlQXGQfQ!0DJ0ZSokGAzmq2oq3vdlSnzQYdTw-XoGhbtXfDcL79bUyFEJFWqpM84uFSMzhh6Umw$
> (AFAICT the Shib SP offers similar features here so I'm probably
> missing something more fundamental here.)
>
> -peter
--
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!GEjU_1jlQXGQfQ!0DJ0ZSokGAzmq2oq3vdlSnzQYdTw-XoGhbtXfDcL79bUyFEJFWqpM84uFSNi2FAfEw$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
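Peter's point is that metadata pulled straight from an SP's generator endpoint carries none of the properties a consumer needs to trust it: no signature binding the keys to the entity, no validUntil forcing re-evaluation, and no curated `use` limits on the published keys. The script below is an added example, not code from the thread or from the Shibboleth project: it parses an EntityDescriptor, flags those missing properties, and lists each KeyDescriptor's `use` and EncryptionMethod values (the "blackbox debugging" view Peter mentions). Both metadata documents are constructed samples; the signature check only tests for the presence of a `ds:Signature` element, and actual XMLDSig verification against a trusted key is assumed to happen in a separate step with a proper library.

```python
"""
Sanity-check SAML SP metadata before relying on it for key material.

Added example, not Shibboleth or SimpleSAMLphp code. Assumptions: input is a
single md:EntityDescriptor; we check structural trust properties only and do
NOT cryptographically verify the signature (use xmlsec or similar for that).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: what a MetadataGenerator-style endpoint typically emits.
# Unsigned, no validUntil, one key with no use restriction.
GENERATED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>sp-default</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same SP after curating the metadata by hand
# (signature element present, validUntil set, keys split by use for rollover).
CURATED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth"
    validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sp-new</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-old</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_metadata(xml_text, now=None):
    """Return a report of trust-relevant properties and a list of problems."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "problems": []}

    # 1. Without a signature the metadata is self-asserted: nothing binds
    #    the published keys to the entity beyond the transport it came over.
    report["signed"] = root.find("ds:Signature", NS) is not None
    if not report["signed"]:
        report["problems"].append("no ds:Signature element (self-asserted metadata)")

    # 2. Without validUntil a consumer never re-evaluates stale keys.
    valid_until = root.get("validUntil")
    report["valid_until"] = valid_until
    if valid_until is None:
        report["problems"].append("no validUntil attribute (never-expiring metadata)")
    else:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            report["problems"].append("metadata expired at %s" % valid_until)

    # 3. Which keys are published, for what use, and with which algorithms.
    #    A KeyDescriptor with no 'use' attribute is valid for both purposes.
    keys = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        keys.append({
            "name": kd.findtext(".//ds:KeyName", default="(unnamed)", namespaces=NS),
            "use": kd.get("use", "signing+encryption"),
            "encryption_methods": [m.get("Algorithm") for m in kd.iterfind("md:EncryptionMethod", NS)],
        })
    report["keys"] = keys
    return report


def acceptable(report):
    """True only when no structural trust problem was found."""
    return not report["problems"]


if __name__ == "__main__":
    for label, doc in (("generated", GENERATED_METADATA), ("curated", CURATED_METADATA)):
        r = inspect_metadata(doc)
        print(label, "acceptable" if acceptable(r) else "REJECT", r["problems"])
        for k in r["keys"]:
            print("  key %-10s use=%-20s enc=%s" % (k["name"], k["use"], k["encryption_methods"]))
```

The generated sample is rejected on two counts (unsigned, never expiring) while the curated one passes the structural checks; the key listing also shows the rollover shape Peter describes, with the new key limited to `signing` and the old one kept only for `encryption`. Passing this check is necessary, not sufficient: a consumer still has to verify the signature against a key it already trusts before using any of the listed keys.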