Shibboleth Developers

["Scott Cantor" <>]

Tom Scavo wrote on 2009-02-25:
> And every time you pull in a new one, you have to configure a new
> metadata provider and restart the server.

Former yes, latter, no, unless I'm mistaken and the IdP doesn't support
reloading the configuration now. I know it's not the default, but it is
possible.

And as I said, you cannot avoid the former with a directory-based approach
when dealing with remote sources of metadata (which also need configuration
per source for filters and verification procedures).

If the IdP required a restart, which the SP has never required, I could
imagine why this would be a problem. Though there are differing opinions
about the wisdom of doing so in production, but I'm on the "let it reload"
side of the fence.

> Once you've done
> that a few times, you figure out a workaround is to configure a
> more-or-less permanent <md:EntitiesDescriptor> element that you can
> add <md:EntityDescriptor> elements to at will. Of course that works
> fine until there's some need to re-wrap some of the existing
> <md:EntityDescriptor> elements (for whatever reason) or you join
> another federation, which requires a brand new file.

I have yet to see a need to "re-wrap" anything, so perhaps I'm not
understanding your use case. As for the latter case, again, you don't
generally load federation metadata from local files with 2.x, so monitoring
a directory would not affect that.

-- Scott