
shibboleth-dev - Re: Scope of self


Re: Scope of self


  • From: Tom Scavo <>
  • Subject: Re: Scope of self
  • Date: Sat, 5 Nov 2005 12:27:20 -0500

On 11/4/05, Scott Cantor <> wrote:
>
> > If we had
> > an automatic metadata generator, where would it get its scope value?
>
> If I was actually going to try and generate it from the configuration, I
> suppose all one could do is get it from resolver.xml.

Okay, that makes sense I guess.

> > A beta version of a metadata generator is floating around somewhere,
> > and if I recall, it computes its scope value as the tail of KeyName.
> > So in that case, the metadata IS the authoritative source, right?
>
> No, I think the generator just asks up front "what is your subdomain?" and
> uses that. I don't think it's related to any of the hostnames, but if it
> was, it would be more accurate to say that the KeyName and locations come
> from a common starting point, and maybe the scope could as well.

Well, that's what the metadata generator does right now. You type in
a fully qualified hostname and everything else is provisioned from
that (Scope, KeyName, Location, etc.).

I've thought about the metadata generator idea a little bit, in the
limited context of a GridShib IdP. Some of the metadata is easily
pulled from the underlying config (entityID, e.g.) but other metadata
elements are more difficult:

- The md:AttributeService/@Location attribute is problematic unless we
assume that ProtocolHandler/Location in the IdP config file is an
explicit location (no regex).

- Unless the SSL server cert is also used for signing, it won't be
found in IdP config file. In general, the SSL certificate chain is
referenced in the Tomcat config file. Not sure how easy/hard it would
be to pull that info from the Tomcat config.

- Like Scope, the Attribute elements might come from resolver.xml.

- All the Organization elements need to be input or hand-edited it seems.

Here's a complete list of GridShib IdP metadata requirements:

/EntityDescriptor/@entityID
/EntityDescriptor/md:Extensions/shibmd:KeyAuthority/ds:KeyInfo/ds:X509Data/ds:X509Certificate
/EntityDescriptor/md:Extensions/shibmd:Scope

/EntityDescriptor/md:AttributeAuthorityDescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate
/EntityDescriptor/md:AttributeAuthorityDescriptor/md:AttributeService/@Location
/EntityDescriptor/md:AttributeAuthorityDescriptor/saml:Attribute

/EntityDescriptor/md:Organization/md:OrganizationName
/EntityDescriptor/md:Organization/md:OrganizationDisplayName
/EntityDescriptor/md:Organization/md:OrganizationURL
/EntityDescriptor/md:Organization/md:ContactPerson/md:SurName
/EntityDescriptor/md:Organization/md:ContactPerson/md:EmailAddress
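What a hostname-driven generator of the kind discussed above would have to emit, as an added example (not code from this thread or from the Shibboleth project): everything derivable comes from one fully qualified hostname, the certificate and Organization/contact data are supplied by hand, and the output is checked against the paths in the list. The namespace URIs are the standard SAML 2.0, XML-DSig and Shibboleth metadata ones; the entityID and AttributeService URL shapes, the `lookup` helper and all sample values are constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Namespace URIs: SAML 2.0 metadata and assertion, XML-DSig, Shibboleth metadata extension
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "shibmd": "urn:mace:shibboleth:metadata:1.0", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def sub(parent, prefix, local, text=None, **attrib):
    """SubElement in Clark notation that also sets the text node, to keep the generator readable."""
    e = ET.SubElement(parent, "{%s}%s" % (NS[prefix], local), **attrib)
    e.text = text
    return e

def scope_from_fqdn(fqdn):
    """Scope is the 'tail' of the KeyName: the hostname minus its first label."""
    labels = fqdn.strip(".").lower().split(".")
    if len(labels) < 3:  # a bare host or a bare domain yields no usable scope
        raise ValueError("need host.domain.tld to derive a scope: %r" % fqdn)
    return ".".join(labels[1:])

def generate_metadata(fqdn, cert_pem, org, attributes=()):
    """EntityDescriptor covering the paths listed in the mail. The hostname drives entityID, Scope,
    KeyName and Location (entityID and AA URL shapes are assumed); cert and org data are passed in."""
    # ds:X509Certificate carries only the base64 body, so strip the PEM armour lines
    cert = "".join(l.strip() for l in cert_pem.splitlines() if l.strip() and not l.startswith("-----"))
    ed = ET.Element("{%s}EntityDescriptor" % NS["md"], entityID="https://%s/shibboleth" % fqdn)
    ext = sub(ed, "md", "Extensions")
    sub(sub(sub(sub(ext, "shibmd", "KeyAuthority"), "ds", "KeyInfo"), "ds", "X509Data"), "ds", "X509Certificate", cert)
    sub(ext, "shibmd", "Scope", scope_from_fqdn(fqdn), regexp="false")
    aa = sub(ed, "md", "AttributeAuthorityDescriptor", protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol")
    ki = sub(sub(aa, "md", "KeyDescriptor", use="signing"), "ds", "KeyInfo")
    sub(ki, "ds", "KeyName", fqdn)
    sub(sub(ki, "ds", "X509Data"), "ds", "X509Certificate", cert)
    sub(aa, "md", "AttributeService", Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
        Location="https://%s:8443/shibboleth-idp/AA" % fqdn)
    for name in attributes:  # a real generator would read these from resolver.xml
        sub(aa, "saml", "Attribute", Name=name)
    o = sub(ed, "md", "Organization")
    for tag, key in (("OrganizationName", "name"), ("OrganizationDisplayName", "display"), ("OrganizationURL", "url")):
        sub(o, "md", tag, org[key], **{XML_LANG: "en"})
    cp = sub(ed, "md", "ContactPerson", contactType="technical")  # the schema puts this beside Organization
    sub(cp, "md", "SurName", org["surname"])
    sub(cp, "md", "EmailAddress", "mailto:" + org["email"])
    return ET.tostring(ed, encoding="unicode")

def lookup(xml_text, path):
    """Resolve a prefixed path under EntityDescriptor to element text or an @attribute value."""
    root = ET.fromstring(xml_text)
    elem_path, _, attr = path.partition("@")
    node = root if not elem_path.strip("/") else root.find(elem_path.rstrip("/"), NS)
    return None if node is None else (node.get(attr) if attr else node.text)
```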


