inc-ops-notifications - Re: [InCommon NOTICE] Changing Metadata Signing Tool
Subject: InCommon Operations Notifications
- From: John Krienke <>
- To: InCommon Operations Notifications <>
- Subject: Re: [InCommon NOTICE] Changing Metadata Signing Tool
- Date: Sun, 12 Sep 2010 23:13:51 -0400
- Organization: Internet2
Hi all,
We're delaying the signing tool upgrade for one week, until September 22nd, to continue testing for a couple of reasons.
1. A few Site Admins asked for additional time to test. We'd like to honor that request, especially since the window is for a non-critical enhancement.
2. We discovered that XMLSecTool validates IdP XML in a slightly different manner, leaving out regexp="false" related to the Shibboleth scope extension. Because of this, we've reconfigured our system so that IdP metadata will /not/ be changed by the use of the new XMLSecTool. You'll see that the test metadata we are generating now includes regexp="false" for all scopes, as in the production metadata.
http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
See this page for details on the scope extension:
https://spaces.internet2.edu/display/SHIB2/MetadataCorrectness#MetadataCorrectness-ScopesandDefaultAttributeValues
If you run an IdP, we encourage you to test the test metadata (url above) before Sept 22nd.
john.
On 9/7/10 4:40 PM, John Krienke wrote:
All,
InCommon federation operations is changing the tool we sign the metadata with.
To follow our metadata change management policy of notification and testing[1], we're announcing a week of tests with the new tool, starting today. We'll switch over and sign the production metadata with the new tool on Wednesday, September 15th. Please test locally with the test metadata file available here:
http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
This will not require any modifications to SP or IdP implementations. The change is internal to our Federation signing operation, and since it affects the way we issue metadata, we're committed to making sure you know about the change and can test its results.
================
Further Detail:
The current tool we use -- metadatatool[2] -- is operating just fine but is getting "long in the tooth" since it was bundled with Shib 1.3 and support for Shib 1.3 ended in June[3]. We're upgrading to use the XMLSecTool[4]. One difference between the two tools: Normalization of XML is handled differently.
Optionally, feel free to join the metadata-diff email list to receive the test metadata update notifications and DIFF comparisons[5].
================
Send comments or questions to the team at
john.
[1] https://spaces.internet2.edu/display/InCCollaborate/Metadata+Change+Management
[2] https://spaces.internet2.edu/display/SHIB/IdPRelyingConfig
[3] https://lists.internet2.edu/sympa/arc/shibboleth-announce/2009-02/msg00000.html
[4] https://spaces.internet2.edu/display/SHIB2/XmlSecTool
[5] http://www.incommonfederation.org/contacts.cfm also https://lists.incommon.org/sympa/arc/metadata-diff
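The scope check discussed in the 12 September message above, as an added example that is not part of the original posts or of InCommon's tooling: it lists every Shibboleth `Scope` element that lacks an explicit `regexp` attribute and reports which entities' scopes differ between a production and a test metadata file. The function names are hypothetical and the sample metadata is constructed; the namespace URIs are the standard SAML metadata and Shibboleth metadata extension namespaces.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample (not real InCommon data): the second IdP's scope omits
# the regexp attribute, the difference described in the message above.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:shibmd="{SHIBMD}">
  <md:EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope>example.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def collect_scopes(xml_text):
    """Map entityID -> sorted list of (scope value, regexp attribute or None)."""
    # Content check only: verify the metadata signature before trusting a file.
    result = {}
    # iter() also yields the root, so a single-entity file works too.
    for entity in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        scopes = sorted(
            (((s.text or "").strip(), s.get("regexp"))
             for s in entity.iter(f"{{{SHIBMD}}}Scope")),
            key=lambda pair: (pair[0], pair[1] or ""))
        if scopes:
            result[entity.get("entityID")] = scopes
    return result

def scopes_missing_explicit_regexp(xml_text):
    """List (entityID, scope) pairs whose Scope has no regexp attribute."""
    return [(eid, value)
            for eid, scopes in collect_scopes(xml_text).items()
            for value, regexp in scopes if regexp is None]

def scope_changes(production_xml, test_xml):
    """List entityIDs whose scopes (value or regexp) differ between files."""
    prod, test = collect_scopes(production_xml), collect_scopes(test_xml)
    return sorted(eid for eid in prod.keys() | test.keys()
                  if prod.get(eid) != test.get(eid))

if __name__ == "__main__":
    print(scopes_missing_explicit_regexp(SAMPLE))
```

To compare real files, read the production and test metadata from disk and pass both strings to `scope_changes`.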