shibboleth-dev - RE: [Shib-Dev] configuring a metadata file or directory

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] configuring a metadata file or directory
  • Date: Wed, 25 Feb 2009 11:16:20 -0500
  • Organization: The Ohio State University

Paul Hethmon wrote on 2009-02-25:
> So you see it that Shib IdP normally pulls the needed SP metadata from the
> SP (and/or other network available source)?

The latter more than the former. You get metadata from someplace you trust
and that normally has signed it. That's what federations typically do.

> Given my experience so far, my SP operators don't really have the experience
> to manage their own metadata normally (not that I have a lot more).

Right, which is why we don't expect them to do it. You join a federation,
point at their metadata, get their signing key "somehow", and you're done.
The suggestion that was made is to rely on people to script their own
processes to download metadata into a file so that the IdP or SP can read
it. That was essentially how the old software worked, and it didn't go very
well.

> My thought has been to migrate more towards some sort of metadata management
> system. Something that is probably driven by a web application, ties into a
> DB for storage, and possibly ties into an SCM for actual publication of the
> data to provide versioning.

Well, that's loosely speaking how a lot of federations work, yes. InCommon
more or less works that way.

> I've been bitten more than once by simple typos,
> especially in entityID's for some reason. I would envision something along
> the lines of some of the web based SP configuration generators, just to
> remove hand editing of configuration and metadata files.

No, hand-editing metadata is not what we're suggesting people do in
production unless they're comfortable doing that. I do it here, but I've
also written some scripts for some other people that I'll probably start
using to generate the metadata from a set of parameters.

If and when they're worked out, I'll probably make them available someplace,
but they're nothing fancy and they still require that you hand enter the
basic data.

> I guess actually
> I'm thinking more of the Shib configuration files (both IdP and SP) rather
> than the actual metadata.

Well, here's how it works...we ask for people to help write tools, nothing
happens, rinse, repeat...

-- Scott
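The parameter-driven metadata generation discussed in this message, as an added example that is not part of the original post and not Scott's scripts: it builds a SAML 2.0 SP EntityDescriptor from a handful of parameters and rejects the entityID and endpoint typos the thread complains about before anything is published. The entity ID, AssertionConsumerService URLs and certificate below are constructed placeholders, and signing the result is left to whoever publishes it (the federation, per the message), so this block only covers generation and sanity checking.

```python
"""Generate SAML 2.0 SP metadata from a small parameter set.

Added illustration (hypothetical, not the Shibboleth project's tooling):
the kind of parameter-driven generation the thread describes, with input
checks that catch hand-editing mistakes (malformed entityIDs, plain-http
endpoints) before the metadata is handed to a federation for signing.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


class MetadataError(ValueError):
    """Raised when a parameter would produce metadata that IdPs reject."""


def check_entity_id(entity_id: str) -> str:
    # SAML entityIDs are absolute URIs (max 1024 chars). A missing scheme or
    # stray whitespace is exactly the kind of typo that slips through hand editing.
    if entity_id != entity_id.strip():
        raise MetadataError("entityID has leading/trailing whitespace")
    parts = urlparse(entity_id)
    if not parts.scheme or (parts.scheme in ("http", "https") and not parts.netloc):
        raise MetadataError(f"entityID is not an absolute URI: {entity_id!r}")
    if len(entity_id) > 1024:
        raise MetadataError("entityID exceeds the 1024-character limit")
    return entity_id


def check_https_endpoint(url: str) -> str:
    # Assertions carry identity data, so endpoints must be absolute https URLs.
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError(f"endpoint must be an absolute https URL: {url!r}")
    return url


def build_sp_metadata(params: dict) -> str:
    """Return an EntityDescriptor (as XML text) for an SP.

    params keys (hypothetical layout): entityID, acs (list of URLs), cert_b64.
    """
    entity_id = check_entity_id(params["entityID"])
    acs_urls = [check_https_endpoint(u) for u in params["acs"]]
    if not acs_urls:
        raise MetadataError("at least one AssertionConsumerService is required")

    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(
        root, f"{{{MD_NS}}}SPSSODescriptor",
        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"},
    )
    # KeyDescriptor must precede the endpoint elements in the schema.
    if params.get("cert_b64"):
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = params["cert_b64"]
    for idx, url in enumerate(acs_urls):
        ET.SubElement(
            sp, f"{{{MD_NS}}}AssertionConsumerService",
            {"Binding": POST_BINDING, "Location": url, "index": str(idx)},
        )
    return ET.tostring(root, encoding="unicode")


def entity_id_of(xml_text: str) -> str:
    """Round-trip check: parse the generated metadata and read back its entityID."""
    return ET.fromstring(xml_text).get("entityID")


# Constructed sample parameters; not a real deployment.
SAMPLE_PARAMS = {
    "entityID": "https://sp.example.org/shibboleth",
    "acs": ["https://sp.example.org/Shibboleth.sso/SAML2/POST"],
    "cert_b64": "MIIB...placeholder-certificate...",
}

if __name__ == "__main__":
    print(build_sp_metadata(SAMPLE_PARAMS))
```

The checks are deliberately strict rather than clever: a scheme-less entityID or an http ACS endpoint is refused outright, which is cheaper than debugging a federation that silently ignores the entity. URN-style entityIDs pass, since they are absolute URIs without a host.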
