
shibboleth-dev - RE: Metadata Generator

Subject: Shibboleth Developers


RE: Metadata Generator

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Metadata Generator
  • Date: Wed, 10 Aug 2005 18:17:43 -0400
  • Organization: The Ohio State University

> For my own edification -- why is it necessary for it to appear there in
> this metadata but not in that generated by InQueue?

Because InQueue uses path validation, which means the only requirement is
for a KeyName to appear. In the case of SSL, the KeyName is implicit in the
Location being queried: it's the hostname. In my case, the actual checking
is even performed for me by the SSL client code; I don't actually check it
myself.

I did not allow for a case where you name a Key in metadata, but the name
doesn't match the SSL hostname. That would have been possible but confusing
because it violates expectations of how HTTP over SSL works, and would
potentially not even be supported by other SAML products that are less
exotically implemented than Shibboleth.

If an AA is going to sign things, you would need a KeyName explicitly, as
the IdP descriptor does.

> My next question: if I want to properly extend this to generate a
> bilateral set of metadata from a single form which could be the entire
> .XML document, for self-contained test environments and simple
> generation of bilateral agreement metadata, is example-metadata.xml a
> good thing to closely emulate? Is there anything else I need to ask
> about?

Yes, but Tom and I have disagreed at times about whether it's a good idea to
put both descriptors in one document. In this case, I'd tend to agree with
him: it's best to keep the two separate so that each is a stand-alone
document.

Bilateral implies two-ness. It's not one step, it's two independent entities
each performing this step and then giving their partner the result.

-- Scott
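The check Scott describes as implicit in the SSL hostname, written out as an added Python example (not code from this thread or from Shibboleth): it walks SAML 2.0 metadata and flags any AttributeAuthority whose declared ds:KeyName does not match the hostname in its AttributeService Location. The namespaces are the standard SAML metadata and XML-DSig ones; the entity IDs, key names and endpoints are constructed sample data.

```python
"""Flag KeyName / SSL-hostname mismatches in SAML 2.0 metadata (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one AA whose KeyName matches its endpoint hostname,
# and one whose KeyName names a different host than the Location it serves.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://aa-good.example.org/shibboleth">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:KeyName>aa-good.example.org</ds:KeyName></ds:KeyInfo></KeyDescriptor>
      <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://aa-good.example.org:8443/shibboleth-idp/AA"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://aa-bad.example.org/shibboleth">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo></KeyDescriptor>
      <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://aa-bad.example.org/shibboleth-idp/AA"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def keyname_mismatches(xml_text):
    """Return (entityID, declared KeyNames, Location host) for every AA endpoint
    whose Location hostname matches none of the KeyNames declared for that AA.
    Descriptors with no KeyName at all are skipped: for plain SSL the hostname
    itself is the implicit key name, which is the case the thread describes."""
    root = ET.fromstring(xml_text)
    problems = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for aa in entity.findall("md:AttributeAuthorityDescriptor", NS):
            names = {kn.text.strip().lower()
                     for kn in aa.findall("md:KeyDescriptor/ds:KeyInfo/ds:KeyName", NS)
                     if kn.text}
            for svc in aa.findall("md:AttributeService", NS):
                host = (urlparse(svc.get("Location", "")).hostname or "").lower()
                if names and host not in names:
                    problems.append((entity.get("entityID"), sorted(names), host))
    return problems


if __name__ == "__main__":
    for entity_id, names, host in keyname_mismatches(SAMPLE_METADATA):
        print("%s: KeyName %s does not match endpoint host %s" % (entity_id, names, host))
```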

