
metadata-support - RE: [Metadata-Support] port numbers in metadata

Subject: InCommon metadata support


RE: [Metadata-Support] port numbers in metadata


  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] port numbers in metadata
  • Date: Thu, 7 Jul 2016 13:39:16 +0000

> Same reason as back-channel stuff tends to cause trouble, which is that
> firewalls can block that port. As well as being a problem you'd need to fix at
> the IdP side, you need to be prepared to deal with odd firewall behaviour at
> any location a client tries to authenticate from, where with the back channel
> it's "only" the firewalls at SP locations.

Some browsers won't even connect by default to atypical ports, though I
think 8443 still tends to be allowed. There really is just no reason
whatsoever to play games with this.

> A minor issue is that if you ever did want the IdP to grow a back channel for
> any reason, you'd have to go even more off the reservation as you don't
> want to run front and back channel on the same port.

That's pretty much over now, sort of. We certainly have no documentation
about it, but the IdP and SP now are both equipped to operate cleanly over
port 443 for SOAP messaging by turning on signing and encryption
automatically, at least if one accepts that as a viable security model (and
the rest of the world certainly does).

-- Scott


Attachment: smime.p7s
Description: S/MIME cryptographic signature
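The thread's two concerns, front-channel endpoints on atypical ports and front and back channel sharing a port, can be checked before metadata is published. The following is an added example, not code from the list or from any Shibboleth component; the metadata snippet is constructed and the hostname is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

def endpoint_port(location):
    """Port a client would connect to, using the scheme default when none is given."""
    parts = urlsplit(location)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80

def classify_endpoints(metadata_xml):
    """Return (element name, channel, port) for every endpoint carrying a Location.
    SOAP-bound endpoints are called directly by the peer (back channel);
    all others are reached through the user's browser (front channel)."""
    result = []
    for elem in ET.fromstring(metadata_xml).iter():
        location, binding = elem.get("Location"), elem.get("Binding")
        if not elem.tag.startswith(MD_NS) or location is None or binding is None:
            continue
        channel = "back" if binding == SOAP_BINDING else "front"
        result.append((elem.tag[len(MD_NS):], channel, endpoint_port(location)))
    return result

def audit_ports(metadata_xml):
    """Findings a deployer would want to see before publishing this metadata."""
    endpoints = classify_endpoints(metadata_xml)
    findings = [f"{name}: front-channel endpoint on port {port}; browsers and "
                f"client-side firewalls may refuse it"
                for name, channel, port in endpoints if channel == "front" and port != 443]
    front = {p for _, ch, p in endpoints if ch == "front"}
    back = {p for _, ch, p in endpoints if ch == "back"}
    for port in sorted(front & back):
        findings.append(f"port {port} carries both front- and back-channel endpoints; "
                        f"SOAP traffic there relies on message signing and encryption")
    return findings

# Constructed IdP metadata: SSO and artifact resolution on 8443, logout on 443.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.edu/idp/shibboleth">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.edu:8443/idp/profile/SAML2/Redirect/SSO"/>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example.edu/idp/profile/SAML2/POST/SLO"/>
  <ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for line in audit_ports(SAMPLE_METADATA):
        print(line)
```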



