InCommon metadata support

[Tom Scavo <>]

On Mon, Feb 3, 2014 at 6:11 PM, Gary Griffith
<>
 wrote:
>
> When connecting to https://md.incommon.org/InCommon/InCommon-metadata.xml, I
> get presented the SSL certificate for wayf.incommonfederation.org instead.

The published endpoints for InCommon metadata are (and always have
been) ordinary HTTP endpoints as shown in the wiki.
(https://spaces.internet2.edu/x/SoG8Ag) Please use the published
endpoint locations when configuring your metadata client.

As noted on the Metadata Consumption wiki page
(https://spaces.internet2.edu/x/JwQjAQ) your client should be
configured to validate the expiration date and verify the XML
signature on downloaded metadata. There are wiki pages that show how
to do this for Shibboleth and simpleSAMLphp. If you're using something
else, please let us know so we can document it.

> Are there any plans to get a server certificate for md.incommon.org?

No, not at this time, but in any case fetching metadata via HTTPS
probably doesn't do what you want, so it should be avoided.

OTOH, we are in the process of bringing up a secure server for
distributing the metadata signing certificate, which has very
different security requirements. Consequently, the bootstrap process
outlined in the wiki (https://spaces.internet2.edu/x/moHFAg) will
change, for the better. As soon as the server is ready, we will
announce it.

Thanks,

Tom