Shibboleth.DEPRECATION : MetadataGenerator handler
cantor.2 at osu.edu
Mon Dec 6 16:10:23 UTC 2021
On 12/6/21, 10:56 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
> Thanks, good point. Of course I'd still need to know who's running the
> the new SP vs. the old one then (unless there'll be some way to
> determine that, e.g. different default endpoint structures).
Yet to be determined. There are pros and cons to that both ways. If there's a good reason to change things there's no good reason not to, but I don't know that "to be able to tell it's new" is a good reason. There will almost certainly be enough other tells.
> OK, so the Apache module (as the one initiating connections to shibd)
> would handle the TLS client-side and stunnel would provide the TLS
> server, itself connecting to a non-TLS TCP socket listening on the
> Java side?
That is a possibility, yes. It puts the hassle of managing TLS on the people who want to run it that way instead of the project. You have to bear in mind this isn't "just TLS". It has to be client-authenticated TLS to be worth doing.
> Heh. Point taken about the configuration, although there's a wide
> compexity spectrum available on the IDP side, from very simple (Java
> properties files) to the custom config of an attribute resolver/filter
> to Spring beans.
Yes, but it's a lot more XML than now no matter what, and people do nothing but bitch about what it looks like now.
More information about the users