Deployers have multiple metadata aggregates from which to choose. This page outlines available options. Policy considerations and general configuration issues are discussed on the Metadata Consumption page. Guidance on how to configure specific metadata clients is also available.
Current Status of InCommon Metadata (December 18, 2013)
The production metadata aggregate is signed using a new self-signed signing certificate (but with the same key) and a SHA-2 digest algorithm (specifically, SHA-256).
The fallback metadata aggregate is identical to the production metadata aggregate except that the fallback metadata aggregate is signed using the SHA-1 digest algorithm. On June 30, 2014, the fallback metadata aggregate will be sync'd with the production metadata aggregate.
The preview metadata aggregate is identical to the production metadata aggregate.
The legacy metadata aggregate will remain as-is until March 29, 2014, at which time an HTTP redirect from the legacy metadata aggregate to the fallback metadata aggregate will be installed.
See the Phase 1 Implementation Plan of the Metadata Distribution Working Group for more information.
Metadata Aggregates
On December 18, 2013, InCommon Operations introduced three new metadata aggregates at the following permanent HTTP locations:
- http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
- http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)
- http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview)
The new locations will ultimately replace the current HTTP location of production metadata:
Moving forward, all new metadata services will be deployed on vhost md.incommon.org
. Legacy vhost wayf.incommonfederation.org
will be phased out.
All deployments should migrate ASAP
All SAML deployments shall migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014. See the Phase 1 Implementation Plan FAQ for specific migration instructions.
Multiple metadata aggregates allows InCommon to deploy changes to metadata more quickly, easily, and safely. Metadata consumers choose exactly one of the aggregates depending on the immediate requirements of their deployment.
Availability Stability Reliability Affinity preview aggregate 24x7 experimental leading edge persistent production aggregate 24x7 stable mainstream persistent fallback aggregate 24x7 legacy trailing edge transient
Production Metadata Aggregate
In the best possible world, a deployment would configure itself to refresh its metadata store from the production metadata aggregate and that would be the end of it. The problem is that metadata aggregates are brittle by their very nature, that is, a small change to metadata may have unexpected effects downstream. If this happens, a deployment can “fall back” to a previous version of metadata that is known to be backward compatible.
Fallback Metadata Aggregate
As suggested in the previous section, the fallback metadata aggregate comes into play when a breaking change is inadvertently introduced into InCommon metadata. When a change is made to the production metadata aggregate, and that change breaks a downstream metadata process, an affected deployment can temporarily migrate to the fallback metadata aggregate. This gives the deployment time to adjust to the breaking change.
The fallback metadata aggregate is transient in the sense that backward compatibility is provided for a limited, predetermined period of time. This forces deployments to adjust to breaking changes to production metadata albeit in a controlled environment.
Preview Metadata Aggregate
Like the fallback metadata aggregate, the preview metadata aggregate helps manage the introduction of potentially breaking changes into InCommon metadata. Before such a change is deployed in production, it is first introduced in preview mode. Any issues that surface are addressed before the change is moved to production.
The preview metadata aggregate is designed for deployments on the leading edge, such as test and dev deployments. Such deployments are strongly encouraged to consume the preview metadata aggregate instead of the production metadata aggregate.
Production or Preview?
An important decision point for each deployment is whether to consume the production metadata aggregate or the preview metadata aggregate.