[security-dev] The relationship between sp-metadata.xml and picketlink.xml

Adam Dong adamdong at vidder.com
Fri Nov 21 02:12:51 EST 2014


In the quickstart example on SP with metadata, the sp-metadata.xml didn't include signing key info for SP/IDP. If the signing key info is included in sp-metadata.xml for the SP and IDP entity descriptors, could the picketlink code recognize that? If yes, could I then do away with <Auth Key=... Value=...> and <ValidatingAlias Key=... Value=...> under <KeyProvider> in picketlink.xml?

In other words, could we use picketlink.xml just for specifying handlers, and not for key info, at least not for the validating key, because the validating key would be included under IDPEntityDescriptor in sp-metadata.xml?

Is there any document that describes the relationship between these two files? If these two files have conflicting info, which one takes precedence?

Normally, standards-based IDP metadata is delivered in a file to the SP side (and standards-based SP metadata is delivered to the IDP side); we would prefer to take that file as a whole and feed it to the SP, instead of having to manually modify picketlink.xml.

Please shed some light on picketlink's capability with standard metadata and how to reconcile metadata and picketlink.xml.
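The question above turns on which signing keys the SAML 2.0 metadata actually carries per entity and whether they agree with what the SP trusts locally. The following script is an added example, not PicketLink code and not a statement of how PicketLink reconciles the two files: it parses standard SAML 2.0 metadata (the `md:` and `ds:` namespaces from the OASIS spec), lists each entity's signing certificates, and compares them with a locally pinned SHA-256 fingerprint. The metadata document, the entity IDs and the `AQID` certificate body are constructed placeholders; the `pinned` mapping stands in for whatever the local trust store (for instance the keystore alias behind `<ValidatingAlias>`) holds, which is an assumption for illustration. A `KeyDescriptor` with no `use` attribute is valid for both signing and encryption in SAML 2.0, so it is counted as a signing key; an entity with no signing key at all, like the quickstart's sp-metadata.xml, is reported rather than silently trusted.

```python
"""Added example: list the signing certificates SAML 2.0 metadata carries
per entity and compare them with locally pinned fingerprints.
Standard library only; the metadata below is constructed, not real."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an IdP that publishes a signing key and an SP that
# publishes none. "AQID" is a placeholder, not a real base64 DER certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>
            AQID
          </ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.test/sp/acs"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

ROLE_TAGS = ("md:IDPSSODescriptor", "md:SPSSODescriptor")


def signing_certs(metadata_xml):
    """Return {entityID: [base64 DER certificate, ...]} for every entity.
    A KeyDescriptor without a 'use' attribute covers signing and encryption,
    so it counts as a signing key; use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    # Accept either a single EntityDescriptor or an EntitiesDescriptor.
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    result = {}
    for entity in entities:
        certs = []
        for role_tag in ROLE_TAGS:
            for role in entity.findall(role_tag, NS):
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.get("use", "signing") != "signing":
                        continue
                    for cert in kd.findall(".//ds:X509Certificate", NS):
                        # Strip the whitespace PEM-style wrapping leaves in the text.
                        certs.append("".join((cert.text or "").split()))
        result[entity.get("entityID")] = certs
    return result


def fingerprint(cert_b64):
    """SHA-256 fingerprint (hex) of the DER bytes behind a base64 certificate."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def check_pins(metadata_xml, pinned):
    """Compare metadata signing keys with locally pinned fingerprints.
    `pinned` maps entityID -> expected SHA-256 hex fingerprint (an assumed
    stand-in for the local trust store). Returns a list of findings;
    an empty list means metadata and local trust agree."""
    findings = []
    for entity_id, certs in signing_certs(metadata_xml).items():
        if entity_id not in pinned:
            continue  # nothing pinned locally for this entity
        if not certs:
            findings.append(f"{entity_id}: pinned locally but metadata carries no signing key")
            continue
        if pinned[entity_id] not in {fingerprint(c) for c in certs}:
            findings.append(f"{entity_id}: metadata signing key does not match the pinned key")
    return findings


if __name__ == "__main__":
    for eid, certs in signing_certs(SAMPLE_METADATA).items():
        print(eid, [fingerprint(c) for c in certs] or "no signing key in metadata")
    idp = "https://idp.example.test/idp"
    print(check_pins(SAMPLE_METADATA, {idp: fingerprint("AQID")}))  # agrees: []
    print(check_pins(SAMPLE_METADATA, {idp: "00" * 32}))           # one mismatch finding
```

Two notes on running this against real metadata: parse untrusted XML with a hardened parser such as `defusedxml` rather than the stock `xml.etree` module, and verify the metadata document's own XML signature before trusting any key it carries, since a key that arrives in an unsigned file is only as trustworthy as the channel that delivered it.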

