
per-entity - Re: [Per-Entity] distribution of aggregate metadata

Subject: Per-Entity Metadata Working Group


Re: [Per-Entity] distribution of aggregate metadata


  • From: Nick Roy <>
  • To: "Cantor, Scott" <>
  • Cc: Chris Phillips <>, "Per-Entity Metadata Working Group" <>
  • Subject: Re: [Per-Entity] distribution of aggregate metadata
  • Date: Thu, 11 Aug 2016 17:49:08 +0000


Nick Roy
Director of Technology and Strategy, InCommon
Internet2, Denver (GMT -6:00)

On Aug 11, 2016, at 11:15 AM, Cantor, Scott <> wrote:

The documentation says that the checks happen every 2-4 minutes. That’s not good enough for what Scott is asking, it seems.

It certainly depends on which 2 minutes you happen to be logging in to an SP for the first time, and that applies even with caching.

I understand there's no way to be perfect, but this really can't fail any more often than DNS onsite does today, and as others have noted, the difference here is that it's a system outside your network essentially hosting your sole DNS option. If we can't reach a comfort level with that, it's entirely possible we have to step back to first principles.

It's obviously true that a local layer changes this a lot, and I'm sure starting to talk myself into one, but it remains true that that's not a solution for the majority.

The "win" with endpoint-hosted is that the site that's down *is* the site that's down, obviously.

Endpoint-hosted metadata that is signed by a federation operator starts to look a lot like a SAML version of what Roland’s proposing with OpenID Connect.

Nick

-- Scott
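As an added illustration of the trade-off debated above (example code written for this page, not code from the thread, from Shibboleth, or from any MDQ server implementation): a toy per-entity resolver with a cache and an optional local aggregate layer, replayed against a short login timeline during an upstream outage. It shows the point that caching only protects entities the SP has already seen, and that a local layer is what removes the dependency on the remote service. The entity IDs, metadata documents, cache duration and timeline are all constructed for the example; signature verification of fetched documents is deliberately left out.

```python
CACHE_DURATION = 3600  # seconds a fetched document is treated as fresh (constructed value)


class MDQUpstream:
    """Stand-in for a remote per-entity metadata (MDQ) server.
    Hypothetical and in-memory: fetch() returns the document or None,
    and raises ConnectionError while the server is marked down."""

    def __init__(self, entities):
        self.entities = dict(entities)   # entityID -> metadata document
        self.up = True

    def fetch(self, entity_id):
        if not self.up:
            raise ConnectionError("MDQ server unreachable")
        return self.entities.get(entity_id)


class Resolver:
    """Per-entity resolver: fresh cache, then upstream, then a local
    aggregate layer (if configured), then an expired cache entry."""

    def __init__(self, upstream, local_aggregate=None, cache_duration=CACHE_DURATION):
        self.upstream = upstream
        self.local = local_aggregate or {}
        self.cache_duration = cache_duration
        self.cache = {}                  # entityID -> (document, expires_at)

    def resolve(self, entity_id, now):
        cached = self.cache.get(entity_id)
        if cached and cached[1] > now:
            return cached[0], "cache"    # fresh: upstream is never consulted
        try:
            doc = self.upstream.fetch(entity_id)
        except ConnectionError:
            doc = None                   # outage: fall through to fallbacks
        if doc is not None:
            self.cache[entity_id] = (doc, now + self.cache_duration)
            return doc, "mdq"
        if entity_id in self.local:      # the "local layer" from the thread
            return self.local[entity_id], "local"
        if cached:                       # expired copy beats a hard failure
            return cached[0], "stale"
        raise LookupError(f"no metadata for {entity_id}")


def simulate(with_local_layer):
    """Replay a login timeline and report where each lookup was served
    from, or 'FAIL'. Entities and timings are constructed for the example."""
    idp_a = "https://idp-a.example.org/idp"
    idp_b = "https://idp-b.example.org/idp"
    upstream = MDQUpstream({idp_a: "<EntityDescriptor A/>",
                            idp_b: "<EntityDescriptor B/>"})
    local = dict(upstream.entities) if with_local_layer else None
    resolver = Resolver(upstream, local)
    log = []

    def login(entity_id, now):
        try:
            _, source = resolver.resolve(entity_id, now)
        except LookupError:
            source = "FAIL"
        log.append((now, entity_id.split("//")[1].split(".")[0], source))

    login(idp_a, 0)        # first user from IdP A: fetched from MDQ and cached
    upstream.up = False    # remote MDQ service goes down
    login(idp_a, 60)       # repeat user from A: cache hit, outage invisible
    login(idp_b, 120)      # first-ever user from IdP B during the outage
    login(idp_a, 4000)     # A's cache entry has expired, MDQ still down
    return log


if __name__ == "__main__":
    for with_local in (False, True):
        print("local layer:", with_local)
        for t, idp, source in simulate(with_local):
            print(f"  t={t:>5}s  {idp}  {source}")
```

Without the local layer the third login (a first-time IdP during the outage) fails outright, which is the "which 2 minutes" case; with it, every lookup is served. A real resolver would also verify the federation operator's signature on each document before caching or serving it, whichever layer it came from.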






