
metadata-support - RE: [Metadata-Support] The per-entity metadata pilot and the requireSignedMetadata attribute

Subject: InCommon metadata support

  • From: "Wessel, Keith" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] The per-entity metadata pilot and the requireSignedMetadata attribute
  • Date: Tue, 6 Sep 2016 21:27:40 +0000

Thanks, Tom. Good to know that I'm living on the edge. :) As I think I
discussed previously on one list or another, there's not a lot one can do
with MDQ testing as an IDP operator at this point except for locally by
changing my /etc/hosts to redirect IDP traffic to my test IDP cluster. But
that's better than nothing.

Keith


-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Tuesday, September 06, 2016 3:06 PM
To:
Subject: Re: [Metadata-Support] The per-entity metadata pilot and the
requireSignedMetadata attribute

Hi Keith,

On Tue, Sep 6, 2016 at 2:59 PM, Wessel, Keith wrote:
>
> I have my test IDP cluster querying metadata from the InCommon MDQ server.

Note that mdq-beta.incommon.org imports metadata from the InCommon
preview aggregate so that's a fine use of this beta MDQ server.

> I configured the IDP using the instructions on
> https://spaces.internet2.edu/display/InCCollaborate/Dynamic+Metadata+Client+Config#DynamicMetadataClientConfig-ShibbolethIdPConfiguration.

AFAIK, you are the first one to test that configuration, Keith. Thank
you for venturing to the leading edge :-)

> However, my IDP has reminded me ever since I did this that the
> requireSignedMetadata attribute of the signature validation filter is
> deprecated.

Oops, apparently I overlooked that.

> Is it syntactically correct to use the new requireSignedRoot attribute in
> this configuration instead?

Yes, I think so (but I don't know if it's ever been tried).

> I'm not sure if metadata coming back from the MDQ server has a signed root.

The root element is <md:EntityDescriptor> and yes, it is signed.

> I would expect it would but wanted to know for sure. If so, it might be
> good to update that wiki page.

I will do that, thanks. Be sure to let us know if you discover anything else.

Thanks Keith.

Tom
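
A structural check for the property discussed in this thread, a signature sitting directly on the root `<md:EntityDescriptor>` and referencing it, as an added example that is not part of the original messages or of InCommon's or Shibboleth's code. It does not verify the signature cryptographically; the function name, status strings and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def root_signature_status(xml_text):
    """Report where the XML signature sits in a SAML metadata document.

    Structural check only: the signature value is never validated here.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD}}}EntityDescriptor", f"{{{MD}}}EntitiesDescriptor"):
        return "not-metadata"
    sig = root.find(f"{{{DS}}}Signature")  # direct child of the root only
    if sig is None:
        nested = root.find(f".//{{{DS}}}Signature")
        return "nested-signature-only" if nested is not None else "unsigned"
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI") if ref is not None else None
    root_id = root.get("ID")
    # The reference must cover the root: "" (whole document) or "#<root ID>".
    if uri == "" or (root_id and uri == "#" + root_id):
        return "signed-root"
    return "signature-references-other-element"

def sample_entity(signed=True, ref="#_e1"):
    """Constructed EntityDescriptor; the signature value is a dummy."""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="{ref}"/>'
           f'</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    return (f'<md:EntityDescriptor xmlns:md="{MD}" ID="_e1" '
            f'entityID="https://sp.example.org/shibboleth">{sig if signed else ""}'
            f'</md:EntityDescriptor>')

# Constructed aggregate: the root is unsigned, only the wrapped entity carries a signature.
WRAPPED = f'<md:EntitiesDescriptor xmlns:md="{MD}">{sample_entity()}</md:EntitiesDescriptor>'

if __name__ == "__main__":
    for label, doc in [("per-entity, signed root", sample_entity()),
                       ("unsigned root wrapping a signed entity", WRAPPED),
                       ("no signature", sample_entity(signed=False)),
                       ("reference points elsewhere", sample_entity(ref="#_other"))]:
        print(f"{label}: {root_signature_status(doc)}")
```

Only the first sample has a signature on the root element that references the root, which is the case a filter requiring a signed root is meant to accept.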


