Skip to Content.
Sympa Menu

metadata-support - [Metadata-Support] MDQ Conditional-GET Etc.

Subject: InCommon metadata support

List archive

[Metadata-Support] MDQ Conditional-GET Etc.

Chronological Thread 
  • From: Tom Poage <>
  • To: "" <>
  • Subject: [Metadata-Support] MDQ Conditional-GET Etc.
  • Date: Fri, 13 Jan 2017 01:00:29 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:u/d2PRKkQ9uWW1KqstmcpTZWNBhigK39O0sv0rFitYgfIvzxwZ3uMQTl6Ol3ixeRBMOAuq4C0LOd6PqocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDWwbal8IRmrogncuNcaipZ+J6gszRfEvmFGcPlMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLDQheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2TxDmkicHNz8i8GHXi8xwiq1brAu9qhFxx4PZb5iZOOZjcqjAed8WWHZNUtpUWyFHH4iybZYAD/AZMOhYsYfzukcOoxW9CwerBePg1jBGiXDt0K0myuQhFB3K3Aw8E94QtnnfsdX7NL0VUeCw1KTG0zLDb/ZL0jnn74jHaB8hru+RVr93bcrRx1EvFwTfgVWft4PoJC6V2fgQvGeB8epgVPmvh3Q5pA5svzii38EhgZTHiIISz1DL7yR5wIAtKN25Tk57fcCrEIFWty6EK4t6XNkuTH91tyYn0rEGuJi7czQNyJQiwh7fbPqHf5KP4hL5W+adOTh4hHN5eLK/mha96lKsxfH7Vsmx1ltBsylLksHUu3wQyRDe6dKLRuZj8ku9wzqC2R7f5vtaLUwpkafXM4MtzqAzm5YJrEjPADP6lF/rgKKUbEkp/uul5/z6brjnopKQLZF4hwHxP6g0mMGzG/o0PwYNUmWd5O+yzqfs/VfjT7VPlvA2krfWsJTdJckDva65BhNV0p495xqlEjepzMkXkmMZLFJEYxKLlZbmNEzTIPzgDPe/hUqjkCtzyvzbILHsAY/BImXdnLv9Z7pw5VBQxBAtwdxC459YErQBL+jyWk/1utzYFBg5Mwmszub7BtV9zoQeVniAAqCHK67SrEOH6f81LOmSZY8VoyzxJOY46P7zlXM5g0MSfbG13ZsLb3C1BvVmI0OFbnrrh9cBFGAKvgwkQOztkl2CXidfZ3OsUKIg/D40FZipDZvZSYy0m7yBwT+7HoVRZmBcFlCBCnPod4SfW/cQcyKePNVtkj0CVbi9VYAhzxeuuxHmy7Z5NObb5DAXtY+wnORysqfWmA07+TVoBoGGznmVSHtotmIOTDgz2ad550tnxR3Lha11n/VUHMBaouhUSh89L4L0zupxDNX3XQSHec2GHgWIWNKjVA02S5oJxNYBbg4pB9u6iRnM0gK3CLMcib2QQpE47/SPjDDKO89hxiOfh+EahF48T54WbTWr
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Two part question:

The MDQ beta server doesn't look to support conditional GET. Are there plans
to do so? Does it make sense to do so? Cf.

> 4.1. Conditional Retrieval
> Upon a successful response the responder MUST return an ETag header
> and MAY return a Last-Modified header as well. Requesters SHOULD use
> either or both, with the ETag being preferred, in any subsequent
> requests for the same resource. In the event that a resource has not
> changed since the previous request, the requester will receive a 304
> (Not Modified) status code as a response.

mdq-beta does return an ETag:

X-Application-Context: application:sign:80
Content-Language: en
Content-Type: application/samlmetadata+xml; charset=UTF-8
ETag: "fac6ce52527791497340696ca2927bdf8e618360"
Content-Length: 9453
Server: Jetty(9.2.15.v20160210)

If I try a modified procedure listed for the aggregate server:


curl -D- -o foo.xml --header 'ETag:

It downloads the file instead of returning a 304.

So here's where I'm headed:

A vendor insists on fetching only our IdP metadata (no aggregates), and
started off (against our advice) using /idp/shibboleth. Yes, self-asserted
metadata again.

I could point them to mdq-beta, though I expect this host will change some
day and, if we're not paying attention, it could break one or more apps.

I could 'poison' /idp/shibboleth, replacing the XML with a warning message.

So I thought I'd try an experiment: consider inserting the signed
MDQ-provided XML in place of our idp-metadata.xml (or whatever the
idp.entityID.metadataFile property references). Of course, the remaining
trick is to get said vendor(s) to validate the signature (until other ways of
doing this become available).

The following looks to (1) cache metadata to the file system and (2) (I
think) _not_ load it into the IdP:

<MetadataProvider id="InCommon MDQ UCDavis"

<MetadataFilter xsi:type="SignatureValidation"

certificateFile="%{idp.home}/credentials/mdq-beta-cert.pem" />
<MetadataFilter xsi:type="RequiredValidUntil"
<MetadataFilter xsi:type="EntityRoleWhiteList">
<!-- empty -->

An IdP's metadata is unlikely to change very often, so maybe updating every 6
hours (cf. cacheDuration="P0Y0M0DT6H0M0.000S" in the content) in the absence
of conditional GET is overkill.

I'm trying to figure out if this reassertion of the MDQ XML provides any
benefit vs. simply pointing the vendor(s) at mdq-beta (and keeping an eye on
developments here) vs. the same old ways of transferring the XML through some
other semi-trusted means ( folder, type it out on a slip
of paper ;-) ...).



Archive powered by MHonArc 2.6.19.

Top of Page