InCommon DOES NOT serve metadata via TLS (HTTPS). This is intentional: it discourages deployers from incorrectly relying on transport security when document-level security is required. TLS does not provide sufficient protection against metadata tampering. InCommon and other Research and Education federations require customers to verify the XML Digital Signature at the root of metadata documents, using a public key configured for explicit trust. Federating software that cannot:

  1. Consume metadata over HTTP (NOT HTTPS)
  2. Verify the XML Digital Signature at the root of the metadata document
  3. Refresh its copy of the metadata at least daily
  4. Configure trust relationships fully automatically based on the information contained in metadata
  5. Support all of the MUSTs in the Kantara SAML v2.0 Implementation Profile for Federation Interoperability

is not compatible with scalable multilateral SAML federation, and SHOULD NOT BE USED with InCommon or other federations.
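The consumption rules above, as an added example that is not InCommon's own tooling: it fetches the aggregate over plain HTTP, confirms the ds:Signature sits directly under the root EntitiesDescriptor and references the root's ID (so a signature on a single entity is not mistaken for a signature on the aggregate), checks validUntil against a daily-refresh window, and delegates the cryptographic verification to the xmlsec1 command-line tool (assumed installed) with a pinned certificate file. The two XML documents are constructed for illustration, not real federation metadata.

```python
import subprocess
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fetch_http(url: str) -> bytes:
    """Plain HTTP is fine: trust comes from the document signature, not TLS."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()

def signature_covers_root(xml_bytes: bytes) -> bool:
    """ds:Signature must be a direct child of md:EntitiesDescriptor and its
    Reference must point at the root ID, i.e. the whole aggregate is signed."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(f"{{{DS}}}Signature")
    if root.tag != f"{{{MD}}}EntitiesDescriptor" or sig is None or not root.get("ID"):
        return False
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return ref is not None and ref.get("URI") == "#" + root.get("ID")

def within_validity(xml_bytes: bytes, now: datetime, max_days: int = 14) -> bool:
    """validUntil must exist, lie in the future and not unreasonably far out,
    so a stale copy cannot outlive the daily refresh cycle (assumed format: ...Z)."""
    valid_until = ET.fromstring(xml_bytes).get("validUntil")
    if valid_until is None:
        return False
    exp = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now < exp <= now + timedelta(days=max_days)

def xmlsec_verify(path: str, cert_pem: str) -> bool:
    """Cryptographic verification delegated to xmlsec1 (assumed installed),
    trusting only the pinned certificate file, never the transport."""
    cmd = ["xmlsec1", "--verify", "--pubkey-cert-pem", cert_pem,
           "--id-attr:ID", f"{MD}:EntitiesDescriptor", path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

# Constructed documents (not real InCommon metadata); SignatureValue omitted.
GOOD = (b'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_agg" validUntil="2030-01-05T00:00:00Z">'
        b'<ds:Signature><ds:SignedInfo><ds:Reference URI="#_agg"/></ds:SignedInfo></ds:Signature>'
        b'<EntityDescriptor entityID="https://idp.example.org/idp"/></EntitiesDescriptor>')
# Same aggregate, but the signature is on one entity only: must be rejected.
NESTED = (b'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
          b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_agg" validUntil="2030-01-05T00:00:00Z">'
          b'<EntityDescriptor entityID="https://idp.example.org/idp" ID="_e1"><ds:Signature>'
          b'<ds:SignedInfo><ds:Reference URI="#_e1"/></ds:SignedInfo></ds:Signature>'
          b'</EntityDescriptor></EntitiesDescriptor>')
```

Run xmlsec_verify only after the structural and validity checks pass; a passing xmlsec1 run on NESTED would only prove that one entity's own descriptor was signed, not the aggregate.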

Please see the Metadata Consumption and Software Guidelines pages for more information.