RE: [Metadata-Support] How to test the per-entity metadata server from an IDP


  • From: "Wessel, Keith" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] How to test the per-entity metadata server from an IDP
  • Date: Wed, 2 Mar 2016 17:56:08 +0000
  • Accept-language: en-US

Hi, Tom,

By pulling InCommon and eduGAIN metadata from the MDQ server, I simply meant
I followed the instructions on the InCommon wiki for configuring a dynamic
http metadata client. I did this on our test IDP.

Our test IDP, probably unwisely but historically, has a different entity ID
and SAML cert than our production one. Sounds like, if I change this and use
the /etc/hosts trick to send local requests to my test IDP, I can at least,
as Scott said, kick the tires.

What I didn't realize was that folks were using this beta MDQ server in their
production IDPs with the InCommon production aggregate as a fallback
aggregate. I'll need to float that past a few folks around here, but that
certainly seems like a good way to participate in the pilot. So, I think
that's the answer I was looking for.

Thanks,
Keith


-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Wednesday, March 02, 2016 8:05 AM
To:
Subject: Re: [Metadata-Support] How to test the per-entity metadata server from an IDP

Hi Keith,

On Tue, Mar 1, 2016 at 6:05 PM, Wessel, Keith <> wrote:
>
> I finally configured our test IDP to pull InCommon and eduGAIN metadata
> from the MDQ server instead of the full aggregate.

Can you explain what you mean by this? (or simply post your
MetadataProvider here)

> I'd like to test this out and leave it in place for a while on our test
> IDP. Problem is this: obviously, none of the SPs that the MDQ server knows
> about will know about our test IDP: it's not the IDP our campus has
> published in InCommon.

This is true of the main InCommon aggregate as well. OTOH, if you
follow our advice in the wiki [1] the published metadata for your
production IdP and your test IdP should be identical. If so, this is a
non-issue.

> And since there's no command-line tool in the IDP at this point that one
> can use to display metadata on a given entity from the IDP's metadata
> resolver, there's not much I can do with my new setup at all.

Yes, that would be a nice feature of the software :-) Is there a
documented RFE along these lines?

> Clearly, I'm not going to point my production IDP cluster at a service for
> metadata when that service is considered beta.

That pretty much says it all. Since your test IdP is intended to
replace your production IdP at some point, the two should align with
respect to MetadataProvider. It's not advisable to let them diverge in
this way (or in any way).

> Any thoughts on how an IDP operator can kick the tires on the MDQ server
> and be an active participant in the pilot?

That's a different question. As we mentioned in the message to the
participants list yesterday, we need to think about that. I'm not
exactly sure how to answer this question at this point.

Tom

[1] https://spaces.internet2.edu/x/GYtHBQ
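The setup Keith describes above (per-entity lookups against the MDQ server, with the production aggregate as a fallback), written out as a Shibboleth IdP v3 metadata-providers.xml fragment. This is an added illustration, not configuration from either correspondent or from InCommon; the MDQ base URL, aggregate URL, certificate path and provider ids are placeholders.

```xml
<!-- metadata-providers.xml fragment: per-entity (MDQ) lookup first, full
     aggregate as fallback. Added illustration; URLs, certificate path and
     ids are placeholders, not the federation's real values. -->
<MetadataProvider id="FederationChain" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

    <!-- 1. Per-entity lookup: the IdP fetches only the SP it needs, on demand,
            instead of loading the whole aggregate. Queried first. -->
    <MetadataProvider id="FederationMDQ" xsi:type="DynamicHTTPMetadataProvider">
        <!-- Verify the signature on every fetched entity with the federation's
             metadata signing certificate (placeholder path). Dynamically
             fetched metadata must never be trusted without this check. -->
        <MetadataFilter xsi:type="SignatureValidation"
                        certificateFile="%{idp.home}/credentials/federation-md-cert.pem"/>
        <!-- Reject entities that carry no validUntil or are valid for too
             long, so a stale or replayed descriptor cannot linger. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
        <!-- Placeholder base URL of the MDQ server (the beta server's real
             URL is not given in this thread). -->
        <MetadataQueryProtocol>https://mdq.example.org/</MetadataQueryProtocol>
    </MetadataProvider>

    <!-- 2. Fallback: the full production aggregate, consulted only when the
            per-entity lookup above returns nothing for the entity. -->
    <MetadataProvider id="FederationAggregate" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="https://md.example.org/federation-metadata.xml"
                      backingFile="%{idp.home}/metadata/federation-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation"
                        certificateFile="%{idp.home}/credentials/federation-md-cert.pem"/>
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    </MetadataProvider>

</MetadataProvider>
```

The chain resolves providers in document order, so the aggregate is only consulted for entities the MDQ server does not return; applying the same signature and validUntil filters to both sources keeps the trust requirements identical whichever path answers.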


