
shibboleth-dev - Re: Comments on the new configuration

Subject: Shibboleth Developers

  • From: Tom Scavo <>
  • To: Howard Gilbert <>
  • Cc:
  • Subject: Re: Comments on the new configuration
  • Date: Tue, 24 May 2005 09:28:38 -0400

On 5/24/05, Howard Gilbert <> wrote:
> > Because as you said, the IdP and SP share metadata with each other, so
> > why wouldn't the IdP's metadata be in one file and the SP's metadata
> > be in another. It reinforces the idea that metadata files are swapped
> > and that an entity need not consume its own metadata.
>
> In the long run, I would argue the exact opposite. Metadata is global and
> should be shared by everyone, including the Entity that it describes.

In what sense does an entity share its metadata with itself?

> However, at some point we should add sanity checks so that an entity
> consumes its own Metadata and compares it to the configuration file. An
> alarm should go off if, for example, the Private Key in Credentials cannot
> be validated against your own Certificates in the Metadata, or if an
> AttributeConsumer URL in the SP configuration isn't found in its Metadata.

Ah, I see. Those are certainly good ideas but all the metadata need
not be in a single file for this to happen.

> However, such a sanity check is not required for correct operation, and
> right now we have more pressing matters on the queue. Just because we don't
> use it yet doesn't mean we should go out of our way to exclude it.

Putting metadata into separate files doesn't preclude any of your
useful sanity checks.

Thanks,
Tom
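
The endpoint half of the sanity check discussed in this message, as an added example that is not part of the original post or of Shibboleth's own code: it looks up the entity's own metadata across separately supplied documents and returns an alarm for each configured consumer URL that is not published there. The entity IDs, URLs and function names are constructed, and it assumes SAML 2.0 metadata in which the quoted "AttributeConsumer URL" corresponds to an AssertionConsumerService Location.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed sample metadata, kept as two separate documents (IdP and SP).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/shibboleth-idp/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SP_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def consumer_urls(metadata_docs, entity_id):
    """Collect consumer endpoint locations for entity_id across all documents."""
    urls = set()
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        # iter() also yields the root, so a bare EntityDescriptor and an
        # EntitiesDescriptor wrapper are handled the same way.
        for entity in root.iter(MD + "EntityDescriptor"):
            if entity.get("entityID") != entity_id:
                continue
            for acs in entity.iter(MD + "AssertionConsumerService"):
                urls.add(acs.get("Location"))
    return urls


def check_sp_config(metadata_docs, entity_id, configured_urls):
    """Return alarm strings; an empty list means config and metadata agree."""
    published = consumer_urls(metadata_docs, entity_id)
    if not published:
        return [f"no consumer endpoints published for own entity {entity_id}"]
    return [f"configured URL not in own metadata: {url}"
            for url in configured_urls if url not in published]
```
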


