signing IDP metadata
Peter Schober
peter.schober at univie.ac.at
Thu Apr 28 21:28:00 UTC 2022
* Herron, Joel D <herronj at uww.edu> [2022-04-28 23:12]:
> The previous implementor of our IDP signed both of our
> idp-metadata.xml files (standard and 4096 certs) with a custom xml
> generator which I’m looking to retire.
If you wanted to keep signing (see below9) you can always use
XmlSecTool, https://shibboleth.atlassian.net/wiki/spaces/XSTJ3/overview
or the SP's samlsign or other "non-custom" tools.
> Is this a common practice? I’m not seeing anything in the
> documentation that suggests that’s a something to even consider
> doing. I can see the benefits in theory but that would require SPs
> to actually check the signing.
This. Also, you'd want to sign+expire[1] then, meaning you'd
periodically (e.g. daily) add/set EntityDescrptor/@validUntil a few
days/weeks into the future, sign and publish.
But why self-publish your IDP's metadata at all? I.e., why not point
the SP to the *signed*, constantly *updated* copy of your IDP's
metadata in InCommon's MDQ service?
> If I were to not sign it going forward I assume the risk would be if
> some SP actually implemented the signing check it would fail for
> them.
Highly unlikey as that would break the service for all their
non-signing customers (i.e., the other 99.9999%). ;)
-peter
More information about the users
mailing list