
shibboleth-dev - Re: Comments on the new configuration

  • From: Tom Scavo <>
  • To: Howard Gilbert <>
  • Cc:
  • Subject: Re: Comments on the new configuration
  • Date: Mon, 23 May 2005 16:51:53 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=MD9+hlcnfZFoFQrswzObUmcSvlSY2741ldvuTrmzJ31/lkVVohR91FikeHmK+q867DTJk2kOYl9tRC0dbEamoNJ3yNAHw9V5uAZUiJaANMe9byFEgIX1g26+nqgiY97imPiin9tNVWhlM1ENtKrJJqOnsejgwvQpO3XG/HPlkIU=

On 5/23/05, Howard Gilbert
<>
wrote:
>
> The IdP or SP will
> ignore their own entries in the Metadata file visible to them and will
> therefore not detect discrepancies between the Metadata describing them and
> the actual configuration.

Yes, which seems to suggest separate metadata files for the IdP and SP.

> Someone who encounters this code for the first time might imagine that if
> the Metadata file contains an entry for the IdP and is present in the IdP
> configuration that this information is used or at least checked.

Yes, I asked that question last week.

> One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A
> single descriptor can be used for both signing and for server-TLS.

That may be true, but it's not clear by looking at the metadata
examples (or even reading the metadata spec) how to write such a
KeyDescriptor. Indeed, it doesn't seem like the 'use' attribute is
all that 'use'ful.

> I would like to add a note that when the IdP signs elements, it uses the
> Private Key included in its Credentials configuration element, and when TLS
> is used, the Server will use the Certificate and Private Key defined by the
> Web Server configuration file. An SP will then try to match the Certificates
> in the KeyDescriptors here to the ones presented in the XML Signature or SSL
> session.

Most definitely.

Tom
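As an added example (not code from this thread, from Shibboleth, or from either correspondent), the following Python models the two points above as checks a deployer could run: an SP-side lookup that matches a certificate presented in an XML Signature or TLS session against the KeyDescriptors of the IdP's metadata entry, and an IdP-side comparison of its configured credentials against its own (otherwise ignored) metadata entry. The metadata, entityID and certificate payloads are constructed placeholders, not real certificates; the one rule taken from the SAML 2.0 metadata specification is that a KeyDescriptor with no `use` attribute applies to both signing and encryption, which is what lets a single descriptor cover both roles.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER certificates (not real X.509 data).
CERT_A = base64.b64encode(b"constructed cert A - not a real certificate").decode()
CERT_B = base64.b64encode(b"constructed cert B - not a real certificate").decode()
CERT_C = base64.b64encode(b"constructed cert C - not in metadata").decode()
IDP_ENTITY_ID = "https://idp.example.org/shibboleth"  # constructed entityID

# Constructed metadata: one KeyDescriptor without 'use' (signing and encryption),
# one restricted to signing. CERT_A is split across lines to exercise whitespace handling.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_A[:12]}
        {CERT_A[12:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def der_fingerprint(cert_b64: str) -> str:
    """Normalize a base64 X509Certificate value (whitespace ignored) to the
    SHA-256 fingerprint of its DER bytes, so comparisons ignore formatting."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def key_descriptors(metadata_xml: str, entity_id: str, role_tag: str = "md:IDPSSODescriptor") -> dict:
    """Return {'signing': {fp...}, 'encryption': {fp...}} for one entity's role descriptor.
    A KeyDescriptor lacking 'use' counts for both uses (SAML 2.0 metadata spec)."""
    root = ET.fromstring(metadata_xml)
    result = {"signing": set(), "encryption": set()}
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") != entity_id:
            continue
        for role in ent.findall(role_tag, NS):
            for kd in role.findall("md:KeyDescriptor", NS):
                uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
                for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    fp = der_fingerprint(cert.text)
                    for use in uses:
                        result.setdefault(use, set()).add(fp)
    return result


def presented_cert_is_trusted(metadata_xml: str, entity_id: str, presented_cert_b64: str, use: str = "signing") -> bool:
    """SP-side check: does the certificate seen in a signature's KeyInfo or a TLS
    server handshake match a KeyDescriptor of the peer's metadata entry for this use?"""
    return der_fingerprint(presented_cert_b64) in key_descriptors(metadata_xml, entity_id).get(use, set())


def own_entry_discrepancies(metadata_xml: str, entity_id: str, configured_certs_b64: list) -> dict:
    """IdP-side check the thread says is missing: compare the certificates the
    deployment actually uses (Credentials element, web server config) with what
    its own metadata entry advertises for signing."""
    advertised = key_descriptors(metadata_xml, entity_id)["signing"]
    configured = {der_fingerprint(c) for c in configured_certs_b64}
    return {
        "configured_not_advertised": configured - advertised,
        "advertised_not_configured": advertised - configured,
    }


if __name__ == "__main__":
    print(presented_cert_is_trusted(SAMPLE_METADATA, IDP_ENTITY_ID, CERT_A, "encryption"))
    print(own_entry_discrepancies(SAMPLE_METADATA, IDP_ENTITY_ID, [CERT_A, CERT_C]))
```

The fingerprint comparison is deliberately exact: a certificate is trusted only if its DER bytes are listed in the metadata, so a cert that merely chains to the same CA, or differs only in whitespace in the configuration file, is handled correctly in both directions.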


