Re: [Metadata-Support] SP Requesting DCV for On Prem Software


  • From: "Garmer, Jack - garmercj" <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] SP Requesting DCV for On Prem Software
  • Date: Tue, 26 Mar 2019 12:01:48 +0000

I see, that clears it up quite a bit. Thank you Scott.

So to clarify before passing this off to my manager, signing a DCV provided by the vendor is not the same as giving them rights to our domain (i.e., DCV != Power of Attorney), correct?

On Mar 25, 2019 5:59 PM, "Cantor, Scott" <> wrote:
On 3/25/19, 5:36 PM, " on behalf of Garmer, Jack - garmercj" < on behalf of > wrote:

> From what I understand, the DCV gives authorization to create certificates using our domain, which may be a decision
> that is above my level.

Permission to register metadata containing an entityID or endpoints in a domain != permission to issue a certificate for a domain. Metadata is about binding keys and endpoints, it has nothing to do with certificates and is in fact a wholesale replacement for what they do in non-SAML trust models like browsers talking to web servers.

A certificate issuance grant is another use case for a domain authorization, but that isn't necessary for anything to do with SAML metadata.
 
> My question is: is it common practice to authorize creation of certificates and metadata on behalf of an organization by
> an outside vendor?

Most vendors don't want anything to do with InCommon unless forced, so it's certainly not common, but it does happen when necessary, and you're in a gray area when you have something on your network that would be in your DNS but somebody else is registering and managing. That's just InCommon's way of allowing it with appropriate authorization from the domain owner.

I've done at least one in recent memory.
 
-- Scott
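The distinction Scott draws above (metadata binds an entityID, endpoints and keys; it is not a certificate-issuance grant) is easiest to see by inspecting what an SP's metadata actually asserts about a domain. The following is an added example, not code from the list thread, from InCommon or from any vendor: it parses a constructed SAML 2.0 SP EntityDescriptor, lists which hostnames the entityID and endpoint Locations fall under, flags any host outside the domains the registrant is authorized for (the vendor-hosted gray area Scott mentions), and pins the public key by SHA-256 over the DER bytes in the X509Certificate element. The hostnames, the entityID and the certificate payload are placeholders chosen for the example; the certificate bytes are not a real X.509 certificate, which is the point: SAML relying parties pin the key bytes from metadata and never consult the certificate's issuer or subject.

```python
"""Audit what a SAML SP's metadata binds: entityID, endpoints, and key.

Added example, not from the thread or from InCommon tooling. Metadata trust
in SAML is a key-and-endpoint binding; the certificate wrapper's issuer and
subject do not matter, so the key is pinned by fingerprint over the DER bytes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: base64 of arbitrary bytes, NOT a real DER
# certificate. Real metadata carries the SP's actual signing certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample SP metadata. All hostnames are placeholders; the SLO
# endpoint sits on a vendor-run host to show a claim outside our domain.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.app.example.edu/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant42.vendor-cloud.example.net/saml/slo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.app.example.edu/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes carried in an X509Certificate element.

    This is the value a relying party pins; who issued the certificate or
    which names it contains plays no part in SAML metadata trust.
    """
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_sp_metadata(xml_text: str, authorized_domains):
    """Report the hosts and keys the metadata binds for this entity."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    hosts, endpoints = set(), []
    # An entityID is usually a URL; its host is a claim on that domain too.
    eid_host = urlparse(entity_id).hostname
    if eid_host:
        hosts.add(eid_host)
    sp = root.find("md:SPSSODescriptor", NS)
    for child in sp:
        loc = child.get("Location")
        if loc:  # endpoint elements carry Binding and Location attributes
            endpoints.append((child.get("Binding"), loc))
            hosts.add(urlparse(loc).hostname)
    certs = [el.text for el in sp.findall(".//ds:X509Certificate", NS)]
    in_scope = {h for h in hosts
                if any(in_domain(h, d) for d in authorized_domains)}
    return {
        "entity_id": entity_id,
        "endpoints": endpoints,
        "in_scope_hosts": in_scope,
        "out_of_scope_hosts": hosts - in_scope,
        "key_sha256": [key_fingerprint(c) for c in certs],
    }


if __name__ == "__main__":
    report = audit_sp_metadata(SAMPLE_METADATA, ["example.edu"])
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run against a vendor-supplied metadata file with your own domains in place of example.edu; any host in `out_of_scope_hosts` is a claim the domain authorization does not cover and needs a separate conversation, and `key_sha256` is the key binding that the registration, not any certificate authority, vouches for.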
