metadata-support list archive (InCommon metadata support)
Re: [Metadata-Support] The per-entity metadata pilot and the requireSignedMetadata attribute


  • From: Tom Scavo <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] The per-entity metadata pilot and the requireSignedMetadata attribute
  • Date: Tue, 6 Sep 2016 17:39:23 -0400

On Tue, Sep 6, 2016 at 5:27 PM, Wessel, Keith <> wrote:
> Thanks, Tom. Good to know that I'm living on the edge. :)

That's the place to be! :-)

> As I think I discussed previously on one list or another, there's not a lot
> one can do with MDQ testing as an IDP operator at this point except for
> locally by changing my /etc/hosts to redirect IDP traffic to my test IDP
> cluster. But that's better than nothing.

Agreed, and thank you for being creative about this.

FYI, there have been developments on the per-entity metadata front.
For instance, the Shibboleth Metadata Aggregator is now able to
produce signed per-entity metadata. [1] I'll let Ian comment further.

Tom

[1] https://issues.shibboleth.net/jira/browse/MDA-76

> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Tuesday, September 06, 2016 3:06 PM
> To:
> Subject: Re: [Metadata-Support] The per-entity metadata pilot and the
> requireSignedMetadata attribute
>
> Hi Keith,
>
> On Tue, Sep 6, 2016 at 2:59 PM, Wessel, Keith <> wrote:
>>
>> I have my test IDP cluster querying metadata from the InCommon MDQ server.
>
> Note that mdq-beta.incommon.org imports metadata from the InCommon
> preview aggregate so that's a fine use of this beta MDQ server.
>
>> I configured the IDP using the instructions on
>> https://spaces.internet2.edu/display/InCCollaborate/Dynamic+Metadata+Client+Config#DynamicMetadataClientConfig-ShibbolethIdPConfiguration.
>
> AFAIK, you are the first one to test that configuration, Keith. Thank
> you for venturing to the leading edge :-)
>
>> However, my IDP has reminded me ever since I did this that the
>> requireSignedMetadata attribute of the signature validation filter is
>> deprecated.
>
> Oops, apparently I overlooked that.
>
>> Is it syntactically correct to use the new requireSignedRoot attribute in
>> this configuration instead?
>
> Yes, I think so (but I don't know if it's ever been tried).
>
>> I'm not sure if metadata coming back from the MDQ server has a signed root.
>
> The root element is <md:EntityDescriptor> and yes, it is signed.
>
>> I would expect it would but wanted to know for sure. If so, it might be
>> good to update that wiki page.
>
> I will do that, thanks. Be sure to let us know if you discover anything
> else.
>
> Thanks Keith.
>
> Tom
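An added example, not from this thread, the InCommon wiki page or the Shibboleth project: a Shibboleth IdP 3.x metadata-providers.xml fragment of the kind Keith's configuration question is about, using a DynamicHTTPMetadataProvider to query an MDQ server, with the SignatureValidation filter set to requireSignedRoot="true" in place of the deprecated requireSignedMetadata attribute. The provider id, the MDQ base URL and the certificate file name are placeholders; take the real URL from the wiki page linked in the thread and use the metadata signing certificate you have verified out of band.

```xml
<!-- Added example (not from the thread): a DynamicHTTPMetadataProvider for an MDQ
     server, with the SignatureValidation filter using requireSignedRoot instead of
     the deprecated requireSignedMetadata. Provider id, URL and certificate path
     are placeholders to be replaced with your own values. -->
<MetadataProvider id="InCommonMDQ" xsi:type="DynamicHTTPMetadataProvider">

    <!-- Per-entity metadata has <md:EntityDescriptor> as its root element.
         requireSignedRoot="true" makes the filter reject any response whose
         root element is not signed with the key in certificateFile. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/PLACEHOLDER-metadata-signing-cert.pem"/>

    <!-- A valid signature does not bound freshness on its own: require a
         validUntil attribute no more than 14 days in the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Base URL of the MDQ server (placeholder); the provider appends the
         per-entity query path for each entityID it looks up. -->
    <MetadataQueryProtocolURL>https://MDQ-SERVER-PLACEHOLDER/</MetadataQueryProtocolURL>
</MetadataProvider>
```

The fragment is meant to sit inside the existing ChainingMetadataProvider in metadata-providers.xml, whose root element already declares the xsi prefix. Ordering matters: the signature filter is listed first so that validity and any later filtering are only applied to metadata whose signature has already been checked.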
