canada-ca / CATS-STAE

Cyber Authentication Technology - Technologie d’authentification électronique
https://canada-ca.github.io/CATS-STAE/

Producing SAML metadata should be easier #1

Open harrdou opened 6 years ago

harrdou commented 6 years ago

Federation members (RPs and CSPs) only need to produce new metadata once every few years. Under the current process, the onus is on federation members to produce and digitally sign CATS-compliant metadata, and then submit it to Shared Services Canada (SSC) for review and distribution.

Federation members only produce new metadata every couple of years, making it very difficult to remember how to produce "perfect" metadata on the first try. More often than not, there are problems with the metadata that need to be corrected before it can be accepted. This causes a lot of wasteful back-and-forth interaction between the federation member and SSC.

I propose a change to the process so that SSC, as federation operator, would take care of signing the metadata. This has a number of benefits:

  1. SSC could make any minor corrections to the metadata needed to make it CATS-compliant. The SSC team deals with SAML metadata on a regular basis so there is no problem remembering how to do it.
  2. Having SSC sign the metadata provides a better indication of trust and authenticity compared to the current practice of using "self-signed" metadata.
  3. SSC, as metadata registrar, could implement the SAML V2.0 Metadata Extensions for Registration and Publication Information.
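Point 3 in practice, as an added example that is not part of this issue or of the CATS-STAE project code: a registrar-side helper (standard library only) that stamps mdrpi:RegistrationInfo into a member's EntityDescriptor, and a check that flags metadata lacking a registrar signature or the registration info. The registration-authority URI and the sample entityID are assumed placeholders, not real federation values.

```python
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata core, XML-DSig and the mdrpi extension spec.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def stamp_registration_info(xml_text, authority, instant):
    """Insert mdrpi:RegistrationInfo as the registrar would, BEFORE signing:
    the enveloped signature must cover the stamped content, not precede it."""
    root = ET.fromstring(xml_text)
    ext = root.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(f"{{{NS['md']}}}Extensions")
        # Schema order is ds:Signature?, md:Extensions?, then the role descriptors.
        sig = root.find("ds:Signature", NS)
        root.insert(1 if sig is not None else 0, ext)
    if ext.find("mdrpi:RegistrationInfo", NS) is None:
        reg = ET.SubElement(ext, f"{{{NS['mdrpi']}}}RegistrationInfo")
        reg.set("registrationAuthority", authority)
        reg.set("registrationInstant", instant)
    return ET.tostring(root, encoding="unicode")

def check_registered_metadata(xml_text, expected_authority):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = []
    if not root.get("entityID"):
        findings.append("missing entityID")
    if root.find("ds:Signature", NS) is None:
        findings.append("no enveloped ds:Signature on EntityDescriptor")
    reg = root.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None:
        findings.append("no mdrpi:RegistrationInfo")
    elif reg.get("registrationAuthority") != expected_authority:
        findings.append("registrationAuthority is %r" % reg.get("registrationAuthority"))
    return findings

# Constructed sample: an unsigned RP (SP) descriptor as a member might submit it.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://rp.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rp.example/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

The check only tests for the presence of a signature element; the signature itself still has to be verified against the registrar's certificate with an XML-DSig library before the metadata is trusted.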