Best practice for utilising signed metadata

["Ben Yeoman" <Ben.Yeoman@Fronde.com>]

Hi All

 

I'm currently working on behalf of the New Zealand Government, producing a standard for implementations of SAML 2.0.  We are hoping that you can provide your expertise on this topic for inclusion into the standard.  I have a number of queries around the circumstances in which signed metadata could be appropriate and how it could be used. These are described below.

When metadata is generated by a vendor product and then signed as currently recommended in NZSAMS. A mismatch can occur when metadata elements optional according to the metadata specification, but mandatory within NZSAMS are not contained within the generated metadata.  The missing metadata  elements  cannot be added manually after metadata generation, as signature verification of the metadata would fail.  This scenario could occur when SAML implementations do not generate metadata with all the NZSAMS required elements and attributes.

My questions are

• What benefits are gained by exchanging signed metadata.  Is the main purpose of signed metadata for publication by a uncontrolled mechanism  i.e. published on the internet
• What level of support is available from SAML implementations for signed metadata.?
• Is the manual correction of metadata after generation an acceptable practice?
• If metadata is exchanged by an 'out-of-band' controlled process, would signature verification be necessary?

 

Thanks in advance for any assistance you can provide

Ben Yeoman

Fronde

Working on behalf of the New Zealand State Services Commission