signing IDP metadata
Herron, Joel D
herronj at uww.edu
Thu Apr 28 21:11:38 UTC 2022
The previous implementor of our IDP signed both of our idp-metadata.xml files (standard and 4096 certs) with a custom xml generator which I’m looking to retire. Is this a common practice? I’m not seeing anything in the documentation that suggests that’s something to even consider doing. I can see the benefits in theory but that would require SPs to actually check the signing.
If I were to not sign it going forward, I assume the risk would be that if some SP actually implemented the signing check, it would fail for them.
Any other side-effects of removing the signing or pluses to signing it?
Thanks,
--Joel