
edugain-discuss - Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 10:46:15 +0200
  • Organization: ACOnet

* Valeriu Vraciu <valeriu AT roedu.net> [2019-09-18 10:23]:
> It was a signature from the IdP, so now it is removed from metadata
> aggregate. If there are any other issues related to RoEduNetID please
> contact, for sure there are some (the same IdP has an expired
> certificate, we are working with ULBSIBIU to solve this - should we
> remove IdP information from aggregate? although validation tool gives
> just a warning).

Now that the offending Signature element is gone from your upstream feed
https://sp.roedu.net/roedunetid-metadata-idp-signed.xml
there's no need to remove the whole IDP entity. We just have to wait
until the MDS picks up those changes and republish the changes
downstream ourselves asap.

But that IDP should not merely renew the certificate they embedded
into their metadata, instead they should replace it with a long-lived,
self-signed certificate.
(I.e., the "error" IMO is re-using the HTTPS/TLS certificate for SAML
purposes where completely different rules apply, mostly by not being
applied at all, such as X.509 path validation or expiration or even
Subject and Issuer checks).
See https://wiki.oasis-open.org/security/SAML2MetadataIOP for the
formal write-up of that trust model.

-peter
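As an added example (not code from this thread, the MDS or any eduGAIN tooling), a small Go lint that applies the trust model Peter describes to one IdP's metadata: it decodes every embedded X509Certificate and reports those that have expired and those that chain to a CA instead of being self-signed, i.e. the reused HTTPS/TLS certificate case. The entity ID, the throw-away Ed25519 test certificates and the metadata envelope are all constructed here as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// checkMetadataCerts lints the certificates embedded in an <md:EntityDescriptor> against the SAML metadata trust model (long-lived, self-signed): expired or CA-issued certificates are reported.
func checkMetadataCerts(metadata []byte, now time.Time) (findings []string) {
	// encoding/xml matches this path by local name, so the md:/ds: prefixes do not matter.
	var ed struct{ Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"` }
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return []string{"metadata is not well-formed XML: " + err.Error()}
	}
	for i, b64 := range ed.Certs {
		der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")) // drop line wrapping and indentation
		cert, err := x509.ParseCertificate(der) // bad base64 leaves der empty or truncated, which fails here
		switch {
		case err != nil:
			findings = append(findings, fmt.Sprintf("cert %d: not a parseable X.509 certificate", i))
		case now.After(cert.NotAfter):
			findings = append(findings, fmt.Sprintf("cert %d: expired on %s; replace it with a long-lived self-signed certificate rather than renewing", i, cert.NotAfter.Format("2006-01-02")))
		case cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil: // self-signed iff it verifies under its own key
			findings = append(findings, fmt.Sprintf("cert %d: CA-issued rather than self-signed (expires %s); switch to a long-lived self-signed certificate", i, cert.NotAfter.Format("2006-01-02")))
		}
	}
	return findings
}

// keyDescriptor wraps a throw-away self-signed Ed25519 certificate in a constructed <md:KeyDescriptor>.
func keyDescriptor(notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example.org"}, NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return "<md:KeyDescriptor><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>\n  " + base64.StdEncoding.EncodeToString(der) + "\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
}

// sampleMetadata is constructed input, not real eduGAIN metadata: one IdP with two self-signed certificates, the first expired a month ago.
func sampleMetadata(now time.Time) []byte {
	return []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>` + keyDescriptor(now.AddDate(0, -1, 0)) + keyDescriptor(now.AddDate(9, 0, 0)) + `</md:IDPSSODescriptor></md:EntityDescriptor>`)
}

func main() { fmt.Println(strings.Join(checkMetadataCerts(sampleMetadata(time.Now()), time.Now()), "\n")) }
```

Run against a real aggregate this only reports; an expired certificate that is also CA-issued still gets the same advice as the expired case, which is what Peter recommends for the IdP in question.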


