shibboleth-dev - [IdPv3] Metadata Provider Work
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: [IdPv3] Metadata Provider Work
- Date: Wed, 16 Jun 2010 09:54:20 -0400
- Organization: Itumi, LLC
STOP! Before reading the main contents of this email please be sure you have read this:
http://groups.google.com/group/shibboleth-dev/browse_thread/thread/1fcab032218f8ffb
Also, please read the following email describing the changes that have already been added and will be available with release 2.2:
http://groups.google.com/group/shibboleth-dev/browse_thread/thread/b5378e7cbbfbf1a0
This email deals with the metadata providers for the IdP. These components are configured by the <MetadataProvider> elements, and their children, in the relying-party.xml file.
Following are the things I currently plan to change/add:
- The chaining metadata provider and metadata filter will no longer be required as a container element for multiple instances of those things.
- HTTP and File-backed HTTP provider will be merged in to one
- As with the current SP additional, more stringent, data checks on the loaded metadata will be added to ensure there are not, for example, empty string endpoint URLs. These will always be on.
- The signature validation filter will have options that allow the specification of public keys, certs, and CRLs instead of requiring a separate trust engine to be defined (though that will still be supported)
- Provide, as performance metrics, total metadata load time (per-provider), metadata fetch time (for external resources), per-filter processing time
- During metadata loading KeyInfo information will be read in to internal data structures ready for use with the IdP's trust engines. Currently a fair amount of time is spent doing this and while there is a cache for it, it turned out to be at the wrong level and not everything can take advantage of it.
- A check for multiple entity IDs, coming from different sources, will be added with the option of ignoring this (as is done implicitly today) or treating it as an error. In either case information will be written to the log file to indicate that this has happened.
- EntityRoleWhitelist filter will be expanded to support the white/blacklisting of entities and removal of organization and contact person
Currently there are no options that I'm considering but not yet decided on, nor options that I considered but decided against.
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
- [IdPv3] Metadata Provider Work, Chad La Joie, 06/16/2010
- RE: [Shib-Dev] [IdPv3] Metadata Provider Work, Scott Cantor, 06/16/2010
- Re: [Shib-Dev] [IdPv3] Metadata Provider Work, Chad La Joie, 06/17/2010
- RE: [Shib-Dev] [IdPv3] Metadata Provider Work, Scott Cantor, 06/16/2010
Archive powered by MHonArc 2.6.16.