One disadvantage compared with the legacy aggregates is that there is no easy, out-of-the-box way to tell whether an entity came from the InCommon metadata bundle, because the entities are no longer grouped within an enclosing entities element (EntitiesDescriptor) in the XML. Instead, each query returns a single entity with no entities element around it. This can break things like attribute release policies built around releasing a certain set of attributes to all service providers in the InCommon federation. You could still check whether an entity was registered by InCommon, but that does not help when the entity came from eduGAIN and is merely published by InCommon.

Luckily, Keith Wessel (illinois.edu) from the University of Illinois has come up with a clever solution to get around this problem. The method adds an entity attribute to every entity loaded from this provider. It was not recommended for the file-based aggregate, since re-tagging every entity each time the metadata was reloaded got quite expensive, but with per-entity metadata the tagging only happens for the individual entity being loaded.

In your metadata providers file, add a few lines so that the provider's filter chain attaches an entity attribute to every entity it loads, like so:

metadata-providers.xml
    <!-- InCommon Per-Entity Metadata Distribution Service -->
    <MetadataProvider id="incommon" xsi:type="DynamicHTTPMetadataProvider"
                maxCacheDuration="86400" minCacheDuration="60">
 
                <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/inc-mdq-preview.pem" />
 
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
 
                <!-- The following filter adds an entity attribute to every entity -->
                <MetadataFilter xsi:type="EntityAttributes">
                    <saml:Attribute Name="source_of_metadata">
                                <saml:AttributeValue>incommon-mdq</saml:AttributeValue>
                    </saml:Attribute>
                    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
                </MetadataFilter>
                <!-- End of section -->

                <MetadataQueryProtocol>http://mdq-preview.incommon.org/</MetadataQueryProtocol>
    </MetadataProvider>

Then release attributes to every entity carrying that entity attribute. This example releases if either the new entity attribute is present or the old metadata entity group matches, which keeps it backwards compatible with the legacy aggregates.

attribute-filter.xml
    <!--
        Release default attributes to all SPs in InCommon if requested
    -->
    <AttributeFilterPolicy id="IncommonRelease">
        <PolicyRequirementRule xsi:type="OR">
                    <Rule xsi:type="InEntityGroup" groupID="urn:mace:incommon" />
                    <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="source_of_metadata"
                                attributeValue="incommon-mdq"/>
        </PolicyRequirementRule>
 
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value"
                                value="urn:mace:dir:entitlement:common-lib-terms" ignoreCase="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="AttributeInMetadata"
                                matchIfMetadataSilent="true" onlyIfRequired="false" />
        </AttributeRule>
    </AttributeFilterPolicy>
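To see why the InEntityGroup rule stops matching under per-entity metadata and how the tag restores the release, here is an added Python model of the two policy rules (example code, not Shibboleth's own implementation). The metadata samples are constructed, and the tagging helper mimics only the part of the EntityAttributes filter this page relies on.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
MD, SAML, MDATTR = (f"{{{NS[p]}}}" for p in ("md", "saml", "mdattr"))

# Constructed samples (not real InCommon metadata): the same SP as found in a legacy
# aggregate, grouped under an EntitiesDescriptor, and as a bare per-entity MDQ response.
LEGACY_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon"><md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"/>
</md:EntitiesDescriptor>"""
MDQ_RESPONSE = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                'entityID="https://sp.example.edu/shibboleth"/>')

def tag_entity(entity, name, value):
    """What the EntityAttributes MetadataFilter does: add the attribute under md:Extensions."""
    ext = entity.find("md:Extensions", NS)
    if ext is None:
        ext = ET.SubElement(entity, MD + "Extensions")
    holder = ext.find("mdattr:EntityAttributes", NS)
    if holder is None:
        holder = ET.SubElement(ext, MDATTR + "EntityAttributes")
    attr = ET.SubElement(holder, SAML + "Attribute", Name=name)
    ET.SubElement(attr, SAML + "AttributeValue").text = value

def entity_attribute_exact_match(entity, name, value):
    """The EntityAttributeExactMatch rule: Name and one AttributeValue must both match."""
    return any(attr.get("Name") == name and
               any(v.text == value for v in attr.findall("saml:AttributeValue", NS))
               for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS))

def entities_with_groups(node, groups=()):
    """Yield (EntityDescriptor, Names of enclosing EntitiesDescriptors), as InEntityGroup sees them."""
    if node.tag == MD + "EntitiesDescriptor":
        groups += (node.get("Name"),) if node.get("Name") else ()
        for child in node:
            yield from entities_with_groups(child, groups)
    elif node.tag == MD + "EntityDescriptor":
        yield node, set(groups)

def incommon_release(xml_text, tag_filter):
    """Evaluate the IncommonRelease OR rule for each entity. tag_filter=True means the
    provider's filter chain ran the EntityAttributes filter. Returns {entityID: (by_group, by_tag)}."""
    results = {}
    for entity, groups in entities_with_groups(ET.fromstring(xml_text)):
        if tag_filter:
            tag_entity(entity, "source_of_metadata", "incommon-mdq")
        by_group = "urn:mace:incommon" in groups
        by_tag = entity_attribute_exact_match(entity, "source_of_metadata", "incommon-mdq")
        results[entity.get("entityID")] = (by_group, by_tag)
    return results
```

Running the legacy aggregate matches on the group, the untagged MDQ response matches on neither rule, and the tagged MDQ response matches on the entity attribute.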


If you would rather not tag every entity, you can instead tag only the specific entities that should not get the default attributes released to them, like so:

metadata-providers.xml
...
                <MetadataFilter xsi:type="EntityAttributes">
                    <saml:Attribute Name="attribute-release">
                                <saml:AttributeValue>no-default-attributes</saml:AttributeValue>
                    </saml:Attribute>
                    <Entity>https://we.dont.need.no.stinkin.attributes/shibboleth</Entity>
                    <Entity>https://another.sp.that.shouldnt.get.default.attributes/shibboleth</Entity>
                </MetadataFilter>
...

And then the filter config looks like this:

attribute-filter.xml
    <!--
        Release default attributes to all SPs in InCommon if requested
    -->
    <AttributeFilterPolicy id="IncommonRelease">
        <PolicyRequirementRule xsi:type="NOT">
                    <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="attribute-release"
                                attributeValue="no-default-attributes"/>
        </PolicyRequirementRule>
 
...



1 Comment

  1. You can also use RelyingPartyByTag in relying-party.xml to handle overrides that used to be handled by Group. For example, if you use a legacy Entity ID for InCommon SPs, you can use something like this:

    <bean parent="RelyingPartyByTag" p:responderId="urn:mace:incommon:example.edu">
        <constructor-arg name="candidates">
            <list>
                <bean parent="TagCandidate" c:name="source_of_metadata" p:values="incommon-mdq"/>
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"/>
                <!-- add more profiles if desired -->
            </list>
        </property>
    </bean>