Shibboleth.DEPRECATION : MetadataGenerator handler

Cantor, Scott cantor.2 at
Mon Dec 6 16:10:23 UTC 2021

On 12/6/21, 10:56 AM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:

>    Thanks, good point. Of course I'd still need to know who's running the
>    the new SP vs. the old one then (unless there'll be some way to
>    determine that, e.g. different default endpoint structures).

Yet to be determined. There are pros and cons to that both ways. If there's a good reason to change things there's no good reason not to, but I don't know that "to be able to tell it's new" is a good reason. There will almost certainly be enough other tells.

>    OK, so the Apache module (as the one initiating connections to shibd)
>    would handle the TLS client-side and stunnel would provide the TLS
>    server, itself connecting to a non-TLS TCP socket listening on the
>    Java side?

That is a possibility, yes. It puts the hassle of  managing TLS on the people who want to run it that way instead of the project. You have to bear in mind this isn't "just TLS". It has to be client-authenticated TLS to be worth doing.

>    Heh. Point taken about the configuration, although there's a wide
>    compexity spectrum available on the IDP side, from very simple (Java
>    properties files) to the custom config of an attribute resolver/filter
>    to Spring beans.

Yes, but it's a lot more XML than now no matter what, and people do nothing but bitch about what it looks like now.

-- Scott

More information about the users mailing list