Include MetadataFilter on MDQ MetadataResolver in SP

Nate Klingenstein ndk at signet.id
Wed Nov 2 16:01:31 UTC 2022


All,

A client would like to be able to load IdP metadata through the InCommon MDQ service while limiting the set of identity providers that the SP is willing and able to interact with.  I thought this would be possible by using a vanilla Include MetadataFilter:

		<!-- InCommon Per-Entity Metadata Distribution Service -->
		<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache" 
			maxCacheDuration="86400" minCacheDuration="60"
			baseUrl="https://mdq.incommon.org/">
		   <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
		   <MetadataFilter type="RequireValidUntil" maxValidityInterval="1123200"/>
		   <MetadataFilter type="Include">
			  <Include>urn:mace:incommon:redacted.edu</Include>
		   </MetadataFilter>
		</MetadataProvider>

... but the SP fails to initialize with:

2022-11-01 17:41:24 CRIT OpenSAML.MetadataProvider.Chaining : failure initializing MetadataProvider: Root of metadata instance not recognized: {urn:mace:shibboleth:3.0:native:sp:config}MetadataFilter

The same filter on a file-based MetadataProvider works.

		<MetadataProvider type="XML" validate="true"
			url="https://idp.redacted.edu/idp/shibboleth"
			backingFilePath="Redacted-IdP-metadata.xml" maxRefreshDelay="7200">
		   <MetadataFilter type="Include">
			  <Include>urn:mace:incommon:redacted.edu</Include>
		   </MetadataFilter>
		</MetadataProvider>

Obviously, the application itself could also enforce interaction with only a specific IdP, but it would be nice to punt that to the SP if possible.  Any ideas?

Thanks in advance,
Nate

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id
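Added example, not part of Nate's message and not Shibboleth SP code: a small Python model of what an "Include" MetadataFilter does to a metadata document, namely an entityID allowlist, run over constructed input. The provider fragment, the two-IdP aggregate and the single-entity document below are all constructed here; the single-entity case shows what an allowlist does with the per-entity document shape a lookup service returns when that entity is not on the list. The model only examines direct EntityDescriptor children and ignores the Signature and RequireValidUntil filters from the post.

```python
# Added example (not from the post, not Shibboleth SP code): a model of the
# "Include" MetadataFilter as an entityID allowlist, checked offline.
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed MetadataProvider fragment, modelled on the post's file-based one.
SP_PROVIDER = f"""
<MetadataProvider xmlns="{SP_NS}" type="XML" validate="true">
  <MetadataFilter type="Include">
    <Include>urn:mace:incommon:redacted.edu</Include>
  </MetadataFilter>
</MetadataProvider>
"""

# Constructed aggregate: the allowed IdP plus one that is not on the list.
AGGREGATE = f"""
<EntitiesDescriptor xmlns="{MD_NS}" Name="constructed-aggregate">
  <EntityDescriptor entityID="urn:mace:incommon:redacted.edu">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed single-entity document, the shape a per-entity lookup returns.
SINGLE_NOT_LISTED = f"""
<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def include_list(provider_xml):
    """Collect the entityIDs named by Include filters on one MetadataProvider."""
    provider = ET.fromstring(provider_xml.strip())
    allowed = set()
    for flt in provider.findall(f"{{{SP_NS}}}MetadataFilter"):
        if flt.get("type") != "Include":
            continue
        for inc in flt.findall(f"{{{SP_NS}}}Include"):
            allowed.add((inc.text or "").strip())
    return allowed


def apply_include(metadata_xml, allowed):
    """Return (kept, dropped) entityIDs after an allowlist pass.

    An EntitiesDescriptor root keeps only listed direct children (nested
    groups are not descended into in this model); an EntityDescriptor root,
    the single-entity form, is kept as a whole or dropped as a whole.
    """
    root = ET.fromstring(metadata_xml.strip())
    kept, dropped = [], []
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        eid = root.get("entityID")
        (kept if eid in allowed else dropped).append(eid)
        return kept, dropped
    for ed in list(root.findall(f"{{{MD_NS}}}EntityDescriptor")):
        eid = ed.get("entityID")
        if eid in allowed:
            kept.append(eid)
        else:
            dropped.append(eid)
            root.remove(ed)  # the unlisted IdP is no longer trusted
    return kept, dropped


if __name__ == "__main__":
    allowed = include_list(SP_PROVIDER)
    print("allowlist:", sorted(allowed))
    print("aggregate -> kept, dropped:", apply_include(AGGREGATE, allowed))
    print("single entity, not listed -> kept, dropped:",
          apply_include(SINGLE_NOT_LISTED, allowed))
```

With the constructed input, the aggregate is reduced to the one listed IdP, and the single unlisted entity is dropped outright, which is the behaviour an SP-side allowlist is meant to provide regardless of where the metadata was loaded from.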



