InCommon metadata support

[Ian Young <>]

On 6 Dec 2016, at 20:53, Tom Poage <> wrote:

Had a question from a puzzled SP user as to why MDQ response is presented as HTML when requested from a browser.

I explained to him it may have had to do with the Accept header sent by the browser:

GET /global/entities/foo HTTP/1.1
Host: mdq-beta.incommon.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

The (compliant) response being:

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8

Of course, something like curl sends:

Accept: */*

So yes, that's exactly how it is being determined. The browser says it prefers text/html, and that's one of the content types the implementation knows how to render, so that is what is returned.  The content type is decided by this part of the configuration:

<!--
	Content negotiation strategy.
	* Ignore file extension and format attribute.
	* Use Accept header.
	* Default to SAML metadata.
	-->
	<property name="contentNegotiationManager">
	<bean class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
	<property name="favorPathExtension" value="false"/>
	<property name="favorParameter" value="false"/>
	<property name="ignoreAcceptHeader" value="false"/>
	<property name="defaultContentType" value="application/samlmetadata+xml"/>
	</bean>
	</property>

You can see the defaultContentType at the end there, which is used when the type isn't resolved, either because it hits a */* or in the case where no Accept header is sent.

This seemed like the best way to get something that was spec compliant and still behaved in a useful way when responding to a browser (the spec deliberately avoids talking about that case explicitly).

I briefly looked at the MDQ server source, and it didn’t immediately jump out at me, so ...

Q: Is it already possible to specify the desired format in the URL to obtain application/samlmetadata+xml?

E.g. something like

http://mdq-beta.incommon.org/global/entities/foo?format=raw

or

http://mdq-beta.incommon.org/global/entities/raw/foo

No, it's not currently possible. I intentionally suppressed the parameter handling option in the ContentNegotiationManagerFactoryBean because the spec didn't have anything like that in it.

It would be possible in principle to enable that mechanism and map something like ?format=raw to be equivalent to asking for application/samlmetadata+xml, but I'm not sure that's really what your SP user wants. The SP itself will always query with an appropriate Accept header, and if he wants to pull it manually it's a lot safer to use curl or wget than it is trusting a browser to save the file properly without breaking it in some way.

Not (necessarily) a feature request, just a question.

Hope that helps,

    -- Ian