The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



Uniform Resource Names as Entity IDs

The use of Uniform Resource Names (URNs) as entity IDs in the InCommon Federation is NOT RECOMMENDED. If an URN is used, the URN namespace MUST be owned by (or delegated to) the organization, that is, the organization MUST document the existence of a valid authorization chain rooted in a namespace listed in the Official IANA Registry of URN Namespaces.

To illustrate, suppose Internet2 submitted SP metadata with entity ID:

urn:mace:incommon:internet2.edu:sp

This particular entity ID would be acceptable since:

  1. The urn:mace namespace is registered with IANA.
  2. InCommon is authorized by MACE to use the urn:mace:incommon namespace.
  3. Internet2 is authorized by InCommon to use the urn:mace:incommon:internet2.edu namespace (by virtue of the fact that the latter appears in metadata signed by InCommon Operations).

Therefore the entity ID shown above is valid since there exists a valid authorization chain rooted in an official registered namespace (urn:mace).

Historical Note

Historically, InCommon assigned an URN to all new IdPs, based on the IdP's primary DNS domain name:

A legacy IdP entityID in InCommon metadata
<EntityDescriptor entityID="urn:mace:incommon:example.edu">

However, InCommon no longer issues URNs to IdPs and instead strongly encourages the use of URLs instead. Type the following commands to produce lists of URN-based entityIDs in InCommon metadata:

URN-based entityIDs in InCommon metadata
# fetch InCommon metadata
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml
$ MD_PATH=/tmp/md/InCommon-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2016 12:47:37 GMT
Server: Apache
Last-Modified: Thu, 21 Apr 2016 18:59:30 GMT
ETag: "110328-208d373-531034f616880"
Accept-Ranges: bytes
Content-Length: 34132851
Connection: close
Content-Type: application/samlmetadata+xml
 
# count the legacy URN-based entityIDs issued to InCommon entities
$ cat $MD_PATH \
  | grep -E ' entityID="urn:mace:incommon:[^"]+"' \
  | sed -e 's/^.* entityID="\(urn:mace:incommon:[^"]*\)".*$/\1/' \
  | wc -l 
      77
 
# count all the URN-based entityIDs in InCommon metadata,
# including entities registered by other federations
$ cat $MD_PATH \
  | grep -F ' entityID="urn:' \
  | sed -e 's/^.* entityID="\([^"]*\)".*$/\1/' \
  | wc -l 
      106

Simply omit the last command in the pipe (wc) to produce the actual list, or better yet, view a pre-computed list of URN-based entityIDs in InCommon metadata.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels