Using metadata-driven overrides and relying party config
mgrady at unicon.net
Thu Jan 14 16:31:46 UTC 2021
So when one turns on support for metadata-driven overrides in relying-party.xml, does that mean you need to use either metadata-driven for a given SP, or an override in relying-party.xml, but not both? Can they be combined?
Clearly it's best to be consistent and not use both in general, at least not for the same SP. I do know from a recent test that setting http://shibboleth.net/ns/profiles/securityConfiguration to tie into a new signing cert in the metadata for an SP does not work if there is then an RP override that overrides what to sign. So one cannot use both for a situation like that. But I'm not clear whether any SP-specific override in relying-party.xml causes all metadata-driven overrides to be ignored or not.
Michael A. Grady
IAM Architect, Unicon, Inc.