InCommon DOES NOT serve metadata via TLS (HTTPS). This is intentional, as it discourages deployers from incorrectly trusting transport security, when document-level security is required. TLS does not provide sufficient protection against metadata tampering. InCommon and other Research and Education federations require customers to verify the XML Digital Signature at the root of metadata documents, using a public key configured for explicit trust. Federating software that cannot:

  1. Consume metadata over HTTP (NOT HTTPS)
  2. Verify the XML Digital Signature at the root of the metadata document
  3. Refresh its copy of the metadata at least daily
  4. Configure trust relationships fully automatically based on the information contained in metadata

is not compatible with scalable multilateral SAML federation, and SHOULD NOT BE USED with InCommon or other federations.
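An added example, not InCommon's code: a structural pre-check for requirement 2 that confirms exactly one `ds:Signature` sits directly under the metadata root and that its `ds:Reference` covers that root. It performs no cryptographic verification, which must still be done with an XML-DSig library against the explicitly trusted key; the function name and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def root_signature_problems(xml_bytes):
    """Return reasons the document fails the 'signature at the root' rule.

    An empty list means the structure is acceptable. It does NOT mean the
    signature is valid: that still requires cryptographic verification
    against the explicitly trusted federation key.
    """
    if b"<!DOCTYPE" in xml_bytes:
        return ["document contains a DOCTYPE; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag not in (f"{{{MD}}}EntitiesDescriptor", f"{{{MD}}}EntityDescriptor"):
        problems.append("root is not a SAML metadata element")
    sigs = root.findall(f"{{{DS}}}Signature")  # direct children of the root only
    if len(sigs) != 1:
        problems.append(f"expected 1 ds:Signature under the root, found {len(sigs)}")
        return problems
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        problems.append(f"expected 1 ds:Reference, found {len(refs)}")
        return problems
    uri, root_id = refs[0].get("URI"), root.get("ID")
    # URI="" signs the whole document; "#<ID>" must name the root's own ID.
    if uri != "" and (root_id is None or uri != "#" + root_id):
        problems.append("ds:Reference does not cover the root element")
    if root_id and sum(e.get("ID") == root_id for e in root.iter()) > 1:
        problems.append("root ID is not unique in the document")
    return problems

def _sample(sig_at_root, ref_uri):
    """Constructed metadata skeleton (no real signature value) for the demo."""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
           f'<ds:Reference URI="{ref_uri}"/></ds:SignedInfo></ds:Signature>')
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" ID="_root">'
            f'{sig if sig_at_root else ""}'
            f'<md:EntityDescriptor ID="_inner" entityID="https://idp.example.org/idp">'
            f'{"" if sig_at_root else sig}</md:EntityDescriptor>'
            f'</md:EntitiesDescriptor>').encode()

if __name__ == "__main__":
    for args in [(True, "#_root"), (True, "#_inner"), (False, "#_inner")]:
        print(args, root_signature_problems(_sample(*args)) or "structure OK")
```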

Please see the Metadata Consumption and Software Guidelines pages for more information.