Using metadata-driven overrides and relying party config

Michael Grady mgrady at
Thu Jan 14 16:31:46 UTC 2021

So when  one turns on support for metadata-driven overrides in relying-party.xml, does that mean you need to use either metadata-driven for a given SP, or an override in relying-party.xml, but not both? Can they be combined?

Clearly its best to be consistent and not use both in general, at least not for the same SP.  I do know from a recent test that setting to ties into a new signing cert in the metadata for a SP does not work if there is then a RP override that overrdies what to sign.   So one cannot use both for a situation like that. But I'm not clear if any SP-specific override in relying party causes all metadata-driven overrides  to be ignored or not.

Michael A. Grady
IAM Architect, Unicon, Inc.

More information about the users mailing list