Skip to Content.
Sympa Menu

metadata-support - Re: [Metadata-Support] SP Requesting DCV for On Prem Software

Subject: InCommon metadata support

List archive

Re: [Metadata-Support] SP Requesting DCV for On Prem Software

Chronological Thread 
  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] SP Requesting DCV for On Prem Software
  • Date: Mon, 25 Mar 2019 21:59:31 +0000

On 3/25/19, 5:36 PM, " on behalf of
Garmer, Jack - garmercj" < on behalf of
> wrote:

> From what I understand, the DCV gives authorization to create certificates
> using our domain, which may be a decision
> that is above my level.

Permission to register metadata containing an entityID or endpoints in a
domain != permission to issue a certificate for a domain. Metadata is about
binding keys and endpoints, it has nothing to do with certificates and is in
fact a wholesale replacement for what they do in non-SAML trust models like
browsers talking to web servers.

A certificate issuance grant is another use case for a domain authorization,
but that isn't necessary for anything to do with SAML metadata.

> My question is: is it common practice to authorize creation of certificates
> and metadata on behalf of an organization by
> an outside vendor?

Most vendors don't want anything to do with InCommon unless forced, so it's
certainly not common, but it does happen when necessary, and you're in a gray
area when you have something on your network that would be in your DNS but
somebody else is registering and managing. That's just InCommon's way of
allowing it with appropriate authorization from the domain owner.

I've done at least one in recent memory.

-- Scott

Archive powered by MHonArc 2.6.19.

Top of Page