metadata-support - Re: [Metadata-Support] significant slowdown in XML Signature validation

Subject: InCommon metadata support

  • From: Jeffrey Eaton <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] significant slowdown in XML Signature validation
  • Date: Tue, 23 Feb 2016 15:42:16 +0000

On Feb 23, 2016, at 10:18 AM, Tom Scavo <> wrote:

On Tue, Feb 23, 2016 at 9:43 AM, Jeffrey Eaton <> wrote:

Okay, but I'm still wondering if CMU has any SPs in metadata that
require all InCommon IdPs or are all your SPs interoperating with the
CMU IdP exclusively?

Several of the SPs are definitely interacting with other InCommon SPs.  Many do not.

Okay, thanks for confirming this. Unfortunately we don't have a way
for you to indicate that in metadata. That is why I have to ask.

For the CMU SPs that interoperate with the CMU IdP only, would a
single entity descriptor help? As an example, consider this metadata
served from mdq-beta:

http://mdq-beta.incommon.org/global/entities/https%3A%2F%2Flogin.cmu.edu%2Fidp%2Fshibboleth

If we provided a production version of the above metadata, would you
find that useful?


That certainly would be preferable to consuming the full metadata file for those SPs which only need one single IDP.  I may still end up going down the path of having my own IDP metadata files signed and served locally, so that I can have various combinations of files (ones with our test IDP, ones with login.cmu.edu and identity.andrew.cmu.edu which serves as our social gateway, ones with our CS department's IDP which is not in InCommon, etc), and then let the SP choose which they want to consume.


Identifying which are which is part of the process we're doing now to determine which SPs can be pulled from InCommon.

Just to be clear, we're not asking you to remove any of your entities
from InCommon metadata. Some orgs publish their enterprise SP metadata
and some don't. It's completely up to you.

Tom

Thanks.  We may still end up pulling things out of InCommon where they don't need to be, but that will take a while.

-jeaton



