InCommon metadata support

[Tom Scavo <>]

[followups to 
,
 please]

Hi Abhijeet,

On Fri, Jun 27, 2014 at 5:18 AM, Abhijeet Jadhav (Fast Track Team Inc)
<>
 wrote:
>
> Currently we are using Following metadata providers.
>
> Production metadata provider: 
> http://md.incommon.org/InCommon/InCommon-metadata.xml
> Staging metadata provider       : 
> http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
>
> Do we need to take any actions? If Yes can you share detailed steps what 
> actions we need to take.

If you are saying that your deployment is consuming production
metadata, then you are good to go since production metadata is signed
using the SHA-256 digest algorithm. At this moment, the fallback
aggregate is signed using the SHA-1 digest algorithm. Any deployment
that is consuming the fallback aggregate should migrate to the
production aggregate IMMEDIATELY. This is the only way to know for
sure whether your deployment is compatible with SHA-256.

As mentioned below, the production aggregate and the fallback
aggregate will be synced on Monday, June 30th. So, regardless of the
action taken, after June 30th your deployment WILL be consuming
metadata signed using the SHA-256 digest algorithm. That's why we're
recommending you migrate NOW. Don't wait for the milestone event on
Monday.

After June 30th, NO deployments should be consuming fallback metadata.
A deployment should consume fallback metadata only when it has to,
that is, when it is unable to consume one of the other aggregates.
Consuming fallback metadata is a TEMPORARY measure while deployments
react to breaking changes in production metadata. (We don't plan to
break production metadata of course but it's good to have a fallback
if we do.) See the Metadata Aggregates page for more information:
https://spaces.internet2.edu/x/SoG8Ag

Hope this helps,

Tom

> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Tom Scavo
> Sent: Wednesday, June 25, 2014 7:10 PM
> To: 
> 
> Subject: [InCommon NOTICE] Fwd: metadata migration in progress [ACTION 
> REQUIRED]
>
> LAST CALL: The fallback metadata aggregate will be synced with the 
> production metadata aggregate on Monday, June 30, 2014. To avoid a forced 
> migration to metadata signed with SHA-256 digest algorithm, all deployments 
> should migrate to the production metadata aggregate ASAP but no later than 
> June 30, 2014. Please see the message below for details.
>
>
> ---------- Forwarded message ----------
> From: Tom Scavo 
> <>
> Date: Mon, May 5, 2014 at 11:46 AM
> Subject: metadata migration in progress [ACTION REQUIRED]
> To: 
> 
>
>
> You are receiving this message because you are a Site Administrator for the 
> InCommon Federation. Your IMMEDIATE ACTION may be required.
>
> EVENT: On June 30, 2014, the fallback metadata aggregate will be synced 
> with the production metadata aggregate; that is, after June 30, all 
> metadata aggregates published by the InCommon Federation will be signed 
> using the SHA-256 digest algorithm.
>
> OUTCOME: All deployments must be able to verify an XML signature that uses 
> a SHA-256 digest algorithm by June 30, 2014.
>
> ACTION: If your SAML deployment is currently consuming the fallback 
> metadata aggregate, migrate to either the production metadata aggregate or 
> the preview metadata aggregate ASAP but no later than June 30, 2014.
>
> The legacy metadata aggregate was replaced by a redirect to the fallback 
> metadata aggregate on March 31, 2014. Consequently, every deployment in the 
> InCommon Federation is consuming one of the following metadata aggregates:
>
> * http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
> * http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)
> * http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview)
>
> The production and preview aggregates are signed using the SHA-256 digest 
> algorithm. The fallback aggregate is signed using the SHA-1 digest 
> algorithm.
>
> For more info about metadata aggregates: 
> https://spaces.internet2.edu/x/SoG8Ag
>
> If your SAML deployment is currently consuming the fallback metadata 
> aggregate, migrate to either the production metadata aggregate or the 
> preview metadata aggregate by June 30th. This will ensure that your 
> deployment is compatible with SHA-256. If you do not migrate, your metadata 
> consumption process may stop working on June 30th.
>
> For more info about the metadata migration process:
> https://spaces.internet2.edu/x/YYDPAg
>
> Questions? Join this mailing list:
> https://lists.incommon.org/sympa/info/metadata-support
>
> -----
> InCommon Operations