edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Ian Young <ian AT iay.org.uk>
- To: Peter Schober <peter.schober AT univie.ac.at>
- Cc: edugain-discuss AT geant.net, edugain-tsg AT geant.net
- Subject: Re: [eduGAIN-discuss] [eduGAIN-SG] SWAMID Identity Provider Opt-out
- Date: Fri, 14 Nov 2014 18:48:46 +0000
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
> On 14 Nov 2014, at 18:33, Peter Schober <peter.schober AT univie.ac.at> wrote:
>
> * Ian Young <ian AT iay.org.uk> [2014-11-14 12:37]:
>> That stuff isn't going to look schema-valid unless you have the WS-*
>> schema definitions available. So, it might be worth adding the
>> associated schema definitions to see if that helps.
>
> It does (as others have confirmed already), but as our documented
> MetadataProvider for the Shibboleth software unfortunately contained a
> "SchemaValidation" metadata filter[1] any IDP configured that way would
> need to (1) acquire and then (2) learn how to add arbitrary XSD schema
> files to a Shibboleth IDP install (probably adding them to the
> classpath somewhere, somehow).
Very good point. We're not republishing those entities for other reasons at
present (we have backwards compatibility issues related to the number of
namespaces in scope in a document), but I think we also recommend schema
validation, so that would be an issue for us as well.
Unless the Shibboleth IdP install has those already. It's not impossible, and
would be worth checking, particularly as we're closing in on the V3 release.
> So for now I have opted to remove any md:RoleDescriptor elements
> wholesale which takes care of that problem and doesn't remove any
> other functionality we care about /at this time/.
That's a good approach. I think I might do that as well; that's what we have
done with the ADFS IdP that has registered with us.
> If anyone wanted to do the same, and supports XSLT for that, a copy of
> pyFF's unsign.xsl would do just fine, replacing "ds:Signature" with
> "md:RoleDescriptor":
> https://github.com/leifj/pyFF/blob/master/src/pyff/xslt/unsign.xsl
> Maybe call it unadfs.xsl for now ;)
I'm fairly sure there's a pre-defined MDA stage that will remove given role
descriptors too, for users of the Shibboleth MDA; or of course XSLT can be
used there too.
-- Ian
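The filtering step discussed in this thread (dropping every md:RoleDescriptor from an aggregate before republishing it, while leaving the SAML roles such as IDPSSODescriptor untouched), shown here as an added example in Python rather than the XSLT the thread refers to. This code is not from the thread, from pyFF or from the Shibboleth MDA; the metadata document it operates on is constructed for the example, and the WS-Federation namespace and xsi:type values are of the kind ADFS publishes.

```python
"""Strip md:RoleDescriptor elements from SAML metadata.

Added example (not from the thread, pyFF or the Shibboleth MDA). It does
with the Python standard library what the suggested XSLT would do:
remove every md:RoleDescriptor from each md:EntityDescriptor and keep
everything else, so that consumers which schema-validate metadata but
lack the WS-* schemas are not tripped up by those elements.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {
    "md": MD_NS,
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
}
# Keep the customary prefixes on output instead of ElementTree's ns0, ns1, ...
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample aggregate: one IdP entity carrying a SAML IdP role
# plus two WS-Federation roles of the kind an ADFS deployment publishes.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.org/adfs/services/trust">
    <md:RoleDescriptor xsi:type="fed:ApplicationServiceType"
        protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
      <fed:ApplicationServiceEndpoint/>
    </md:RoleDescriptor>
    <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
        protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def count_elements(xml_bytes, local_name):
    """Count md:<local_name> elements anywhere in the document."""
    root = ET.fromstring(xml_bytes)
    return len(root.findall(f".//{{{MD_NS}}}{local_name}"))


def strip_role_descriptors(xml_bytes):
    """Return (filtered_xml_bytes, number_removed).

    Only direct md:RoleDescriptor children of md:EntityDescriptor are
    removed, which is where the metadata schema places them; SAML role
    descriptors (IDPSSODescriptor, SPSSODescriptor, ...) are different
    element names and are left alone.
    """
    root = ET.fromstring(xml_bytes)
    removed = 0
    # root.iter() also yields root itself, so a bare EntityDescriptor
    # document (not wrapped in EntitiesDescriptor) is handled as well.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for role in list(entity.findall(f"{{{MD_NS}}}RoleDescriptor")):
            entity.remove(role)
            removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


if __name__ == "__main__":
    before = count_elements(SAMPLE_METADATA, "RoleDescriptor")
    filtered, n = strip_role_descriptors(SAMPLE_METADATA)
    print(f"RoleDescriptor elements before: {before}, removed: {n}")
    print(filtered.decode("utf-8"))
```

Run this filter on the unsigned aggregate, before the registrar's own signature is applied: any change to already-signed metadata invalidates that signature, which is the reason the pyFF stylesheet the thread points at exists in the first place (it removes ds:Signature, and the suggestion is to reuse its shape for md:RoleDescriptor).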
Attachment:
smime.p7s
Description: S/MIME cryptographic signature