Shibboleth Developers

["Scott Cantor" <>]

> Let me know if this is what you were looking for or have any ideas how 
> to improve it.  It's quick and dirty, but really pretty neat.

Some comments:

I'd be inclined to only deal with the case where a certificate is included
with the submission. This should illustrate only the basic case because
without the KeyAuthority, it's not clear how anybody would work with it. So
I'd make that field required and just talk about the fact that any
certificate could be used, etc. Its subject is then irrelevant. Plus which,
nobody out there (speaking generally) is equipped to deal with PKI anyway,
and this will result in fewer questions.

With that change, you can get rid of the openssl example command and just
not even talk about that. We only need the hostname so we can generate the
locations.

I'd also be inclined to say you should generate this as a completely legal
XML document with namespaces declared as needed (and use shibmd for the Shib
extension namespace, for consistency with everything else). You should not
include a schemaLocation, of course. You should probably also include a
validUntil datetime in the root element set to something far off in the
future.

I think the idea here would be to say "just give this to your partner so he
can add the file in as a MetadataProvider" rather than dealing with the
EntitiesDescriptor idea. People can come to figure that in some other way.

You could maybe provide a pointer to instructions in the Wiki (yet to be
written ;-) on how to sign the file with metadatatool, which is only
possible right now if you download the IdP distribution. Probably will start
including some Java tools in the next SP release.

-- Scott