Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Deployers have multiple metadata aggregates from which to choose. This page outlines available options. Policy considerations and general configuration issues are discussed on the Metadata Consumption page. Guidance on how to configure specific Metadata Client Software is available elsewhere in this wiki.

Warning

InCommon DOES NOT serve metadata via TLS (HTTPS). This is intentional, as it discourages deployers from incorrectly trusting transport security, when document-level security is required. TLS does not provide sufficient protection against metadata tampering. InCommon and other Research and Education federations require customers to verify the XML Digital Signature at the root of metadata documents, using a public key configured for explicit trust. Federating software that cannot:

  1. Consume metadata over HTTP (NOT HTTPS)
  2. Verify the XML Digital Signature at the root of the metadata document
  3. Refresh its copy of the metadata at least daily
  4. Configure trust relationships fully automatically based on the information contained in metadata
  5. Support all of the MUSTs in the Kantara SAML v2.0 Implementation Profile for Federation Interoperability

Is not compatible with scalable multilateral SAML federation, and SHOULD NOT BE USED with InCommon or other federations.

Please see the Metadata Consumption and Software Guidelines pages for more information.

Note

All aggregates listed below are production-quality metadata aggregates.

...

Note

As of January 31, 2018, you may also use TLS (https) to download the aggregates noted above. You are strongly advised not to depend solely on TLS for the security of your metadata downloads, and to continue the critical practice of verifying the signature on metadata according to the instructions on the Metadata Consumption page.


All metadata aggregates are signed using the same metadata signing key and the SHA-256 digest algorithm. To verify the signature on an aggregate, a consumer must obtain an authentic copy of the InCommon Metadata Signing Certificate.

...

Table Plus
columnAttributesstyle="padding-left:1em;text-align:right;,style="padding-left:1em;padding-right:1em;text-align:center;,style="padding-left:1em;padding-right:1em;text-align:center;,style="padding-left:1em;padding-right:1em;text-align:center;",style="padding-left:1em;padding-right:1em;text-align:center;"


 

Availability

Stability

Reliability

Affinity

Preview Aggregate

24x7

experimental

leading edge

persistent

Main Aggregate

24x7

stable

mainstream

persistent

Fallback Aggregate

24x7

legacy

trailing edge

transient

...

The Fallback Aggregate is transient in the sense that backward compatibility is provided for a limited, predetermined period of time. This forces deployments to adjust to breaking changes to metadata albeit in a controlled environment.