
An entity attribute is a SAML attribute associated with a SAML entity (an identity provider or a service provider) in metadata. For example, an entity ID is a distinguished entity attribute associated with every SAML entity in metadata.

Like user attributes, entity attributes serve to label, categorize, and distinguish a particular entity in metadata. Some entity attributes are self-asserted while others are asserted by third parties on behalf of the entity. For instance, a federation operator uses entity attributes to "tag" entities in metadata.

Example

Here is an example of an entity attribute you might find in InCommon metadata:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

In this case, the name of the attribute is http://macedir.org/entity-category and its value is http://id.incommon.org/category/research-and-scholarship. Like all SAML attributes, an entity attribute may be single-valued or multi-valued. (As it turns out, the above entity attribute is multi-valued.)

Uses

Entity attributes are extremely useful. Operationally, entity attributes are used in policy configurations in lieu of entity IDs: a policy written against an entity attribute applies to every entity tagged with it, rather than to an explicit list of entity IDs that must be maintained by hand. The advantages of doing so are overwhelmingly positive.

Entity attributes are also used to refine the discovery interface. For example, an SP can use a particular entity attribute to filter the list of IdPs presented to the user.
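The following is an added example, not code from the Internet2 wiki or from any federation software: it reads entity attributes out of SAML metadata in the form shown above and selects the entities tagged with a given entity category, which is exactly the kind of filter a policy or discovery interface applies in place of a list of entity IDs. The metadata, entity IDs and second category value are constructed; the code assumes the metadata has already been signature-verified.

```python
"""Added example (not from the wiki page): read entity attributes out of SAML
metadata and select the entities tagged with a given entity category. Assumes the
metadata was already fetched and signature-verified; operator-asserted tags are
only as trustworthy as that signature. The sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://id.incommon.org/category/research-and-scholarship"

# Constructed sample: two IdPs; only the first is tagged R&S (multi-valued, second value made up).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
        <saml:AttributeValue>http://example.org/category/constructed-tag</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example.org/saml">
    <md:Extensions/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def entity_attributes(entity):
    """Return {attribute Name: [values]} for one md:EntityDescriptor element."""
    attrs = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def entity_attribute_index(metadata_xml):
    """Map entityID -> entity attributes for every entity in an EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): entity_attributes(e) for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")}

def entities_in_category(metadata_xml, category):
    """Entity IDs tagged with `category` (exact match on the URI); a category-keyed filter."""
    return [eid for eid, attrs in entity_attribute_index(metadata_xml).items()
            if category in attrs.get(ENTITY_CATEGORY, [])]
```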

See Entity Categories for more information about InCommon-supported entity attributes that can be used for these purposes.
