User Interface Elements in IdP Metadata
This page describes how an InCommon site administrator adds user interface elements to IdP metadata. These elements are used by SP implementations to enhance their user interfaces, especially the discovery interface. As of the introduction of Baseline Expectations for Trust in Federation in 2018, all user interface elements are required, except where noted.
Updating IdP Metadata
Log in to the metadata administrative interface as usual. In the SA Dashboard, click the "Update" link next to the IdP you wish to edit in the "Existing Identity Providers" table. Scroll to "User Interface Elements" and click the (Edit) link. A web form to enter the new elements will appear.
Add and edit any needed UI elements. When you click "Save," an <mdui:UIInfo> extension element is inserted into your metadata. From that point forward, you manage these elements the same as you would any other metadata element.
User Interface Elements
IdP Display Name
Typically, the IdP Display Name field will be presented on IdP discovery service interfaces. In practice, if the <mdui:DisplayName> element does not exist in metadata, applications usually fall back on the <md:OrganizationDisplayName> element. The latter is a poor substitute for the IdP Display Name, however, since it assumes an organization deploys at most one IdP.
The <mdui:DisplayName> element is REQUIRED for all IdPs registered by InCommon. It is RECOMMENDED that the value of the <mdui:DisplayName> element be 40 characters or less.
Site administrators are encouraged to log into the Federation Manager and edit their IdP Display Name to make it easier for users to find their IdP on discovery interfaces. The InCommon RA will perform a reasonableness check on edited values of the IdP Display Name. Unreasonable values will not be accepted.
Edit the IdP Display Name with care!
Since the Site Administrator can edit the IdP Display Name field, the ultimate responsibility for disambiguating duplicate or similar IdP Display Names rests with the Site Administrator (not the InCommon RA). To assist with this effort, we provide a current list of IdP display names in InCommon metadata as they will appear on a typical discovery interface (by that we mean a discovery interface that falls back on the <md:OrganizationDisplayName> element if the <mdui:DisplayName> element does not exist in metadata).
IdP Description
The IdP Description is a brief description of the IdP service. On a well-designed discovery interface, the IdP Description will be presented to the user in addition to the IdP Display Name, and so the IdP Description helps disambiguate duplicate or similar IdP Display Names.
It is RECOMMENDED that the value of the <mdui:Description> element be 140 characters or less.
IdP Description is optional, but recommended.
IdP Information URL
The IdP Information URL is a link to a comprehensive information page about the IdP. This page should expand on the content of the IdP Description field.
IdP Information URL is optional, but recommended.
IdP Privacy Statement URL
The IdP Privacy Statement URL is a link to the IdP's Privacy Statement.
Please consider content that will be helpful to users, such as detailing the information released to each service. Here are links from GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) with some suggestions and guidelines.
The CTAB provides the following ideas for what you might include:
- Refer to privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC):
  - HEISC Information Security Guide: https://spaces.at.internet2.edu/display/2014infosecurityguide/Privacy
- Develop a web page that links to established organizational policies related to privacy and include that URL in your metadata. These policies can include data sharing, FERPA release, acceptable use policy (AUP), among others.
IdP Logo URL
The IdP Logo URL in metadata points to an image file on a remote server. A discovery service, for example, may rely on a visual cue (i.e., a logo) instead of or in addition to the IdP Display Name, as it helps disambiguate duplicate or similar names. The logo is typically the institution's logo but may be some other institutional graphic that is readily recognizable to the institution's community members.
IdP operators must provide an IdP Logo URL that satisfies the following requirements:
- the IdP Logo URL must be specified using an HTTPS URL
- the resource at the IdP Logo URL must be publicly accessible
Logo HTTPS URL
The server that serves the logo resource MUST be protected with a TLS certificate trusted by the browser (i.e., not a self-signed certificate); otherwise the logo may not appear on a dynamically generated web page.
The actual size of the logo may vary. You will be asked to enter the actual width and height of the logo (in pixels). A typical application expects a maximum height of 150 pixels, and if need be, will scale the logo proportionally based on the actual width and height entered into metadata.
Generally useful logos will have the following characteristics:
- The logo should resolve to a PNG with the MIME type image/png
- The logo should be 80 pixels in width by 60 pixels in height
- The logo should have a transparent background
- Contrast should be considered carefully, and logos should have enough contrast to support presentation on a white background (e.g., avoid a situation where your logo could be presented as white foreground on a white background).
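The following added example (not part of this page or of the Federation Manager) shows what the <mdui:UIInfo> extension described above looks like inside an IdP's metadata, implements the <md:OrganizationDisplayName> fallback that discovery interfaces apply when <mdui:DisplayName> is absent, and checks a metadata fragment against the requirements and recommendations on this page (DisplayName required and at most 40 characters, Description at most 140 characters, Logo required and served over HTTPS). The entityID, URLs and element values are constructed samples, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
UIINFO = "md:IDPSSODescriptor/md:Extensions/mdui:UIInfo"

# Constructed sample (not a real InCommon entity); the Logo URL is deliberately http:// so the HTTPS check fires.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.edu/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
   <mdui:Description xml:lang="en">Login for Example University students and staff.</mdui:Description>
   <mdui:Logo height="60" width="80">http://www.example.edu/logo.png</mdui:Logo>
  </mdui:UIInfo></md:Extensions>
 </md:IDPSSODescriptor>
 <md:Organization>
  <md:OrganizationDisplayName xml:lang="en">Example University System</md:OrganizationDisplayName>
 </md:Organization>
</md:EntityDescriptor>"""

def text(el):
    return (el.text or "").strip() if el is not None else ""

def display_name(xml_text):
    """mdui:DisplayName if present, else the md:OrganizationDisplayName fallback."""
    entity = ET.fromstring(xml_text)
    name = text(entity.find(UIINFO + "/mdui:DisplayName", NS))
    return name or text(entity.find("md:Organization/md:OrganizationDisplayName", NS))

def check_uiinfo(xml_text):
    """List findings against the requirements and recommendations above."""
    ui = ET.fromstring(xml_text).find(UIINFO, NS)
    if ui is None:
        return ["mdui:UIInfo missing (REQUIRED)"]
    findings = []
    name = ui.find("mdui:DisplayName", NS)
    if name is None:
        findings.append("mdui:DisplayName missing (REQUIRED)")
    elif len(text(name)) > 40:
        findings.append("mdui:DisplayName longer than 40 characters (RECOMMENDED max)")
    if len(text(ui.find("mdui:Description", NS))) > 140:
        findings.append("mdui:Description longer than 140 characters (RECOMMENDED max)")
    logo = ui.find("mdui:Logo", NS)
    if logo is None:
        findings.append("mdui:Logo missing (REQUIRED)")
    elif urlparse(text(logo)).scheme != "https":
        findings.append("mdui:Logo URL must use https://")
    return findings
```

Running check_uiinfo over a real aggregate's entities before submitting edits in the Federation Manager catches the common mistakes the RA reasonableness check would otherwise reject.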
The InCommon Federation entity information pages display the values of all user interface elements in metadata. The information pages are refreshed daily, in parallel with InCommon metadata.
To our knowledge, the only application that supports the <mdui:UIInfo> extension element in IdP metadata is the Shibboleth Embedded Discovery Service. If you know of other software applications that support <mdui:UIInfo>, please share this information with the community.