InCommon metadata support

[Tom Scavo <>]

On Thu, Jun 26, 2014 at 5:15 PM, Brian Koehmstedt
<>
 wrote:
> On 6/26/2014 2:00 PM, Tom Scavo wrote:
>>
>> What URL are you refreshing from? Are you verifying the signature on
>> the metadata?
>>
> Refreshing from http://md.incommon.org/InCommon/InCommon-metadata.xml.

That's good.

> Am I verifying the signature?  No.  (Point taken that it's desirable to
> do so.)

More than desirable, it's a security issue, but I'll say no more...

> Why am I using FilesystemMetadataProvider instead of
> FileBackedHTTPMetadataProvider?
>
> Well, here's the deal:
> I've discovered that sometimes service providers will update something
> critical in the metadata and expect me to update immediately when they
> do so (or when InCommon pushes it out).

People are funny about that, aren't they? ;-)

> If I set a 15 minute interval on FileBackedHTTPMetadataProvider, that's
> downloading 10MB every 15 minutes.  Surely if all the IdPs did this,
> you'd be not so happy with us.

That's why most people use a smart metadata client (like Shibboleth)
because it supports HTTP Conditional GET.
(https://spaces.internet2.edu/x/44GVAQ)

> But perhaps you encourage it after all.
> (Here's my chance to find out!  What's your recommended interval?)

It's documented on the Metadata Consumption page
(https://spaces.internet2.edu/x/JwQjAQ) and the previously referenced
Shibboleth Metadata Config page: one hour.

> My intention was to be a good net citizen.

That's appreciated but in this case your concern is unfounded.

> I find that by using FilesystemMetadataProvider, if a service provider
> demands we update metadata immediately, I can do so manually, then rely
> on a 15 minute interval from FilesystemMetadataProvider to find the new
> data in short order, without having to actually redownload 10MB from you
> all throughout the day.

None of that is necessary. Just configure your IdP as documented in
the wiki and you should be good to go.

Tom