- Created by Albert Wu (internet2.edu), last modified by Johnny Lasker on Apr 08, 2025
Retrieving InCommon Metadata as an Aggregate
Retrieving Metadata using Per-Entity Query
How-tos
- How to configure a Shibboleth identity provider (IdP) to use MDQ
- How to configure a Shibboleth service provider (SP) to use MDQ
- How to configure Microsoft Entra to work with MDQ
- How to configure Okta to work with MDQ
- How to configure ADFS to work with MDQ
- How to configure CAS to work with MDQ
- How to configure other software to use MDQ
Announcements
4/1/25 - InCommon legacy metadata retirement
Some InCommon organizations are reporting issues with their SSO. This is likely related to consumption of the legacy metadata aggregate, which expired on March 31, 2025. That instance expired as part of our retirement of the legacy metadata aggregate and the push to have all organizations use the MDQ service.
The affected metadata URLs include:
- InCommon Legacy SAML Metadata Aggregate (http://md.incommon.org/InCommon/InCommon-metadata.xml)
- InCommon Legacy SAML IdP-Only Metadata Aggregate (http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml)
We understand that any outage is serious and we are working to publish one more valid instance of the legacy metadata aggregate which should resolve your current issues. This instance will be valid for two weeks (expiring on 4/15/25), which means organizations will still need to move to the MDQ service before this instance expires to avoid another interruption.
If your organization operates SAML Identity Provider or Service Provider systems which are federated with InCommon for single sign-on (SSO), AND those systems rely on one of the InCommon legacy SAML metadata aggregates above, then they will need to be updated at your earliest convenience to avoid future service interruptions.
Action Required
If possible, configure your SAML providers to support dynamic, per-entity metadata using the MDQ protocol. If you continue to require a metadata aggregate, configure your SAML provider(s) with the new All Entities or IdP-only aggregate instead of the legacy aggregates. In either case, you will need to configure your providers to use InCommon's new signing key to verify the metadata signatures.
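The outage above was caused by consuming a metadata aggregate past its validUntil. As an added example (not InCommon's own code), the script below reads validUntil from a metadata document and flags it as ok, expiring or expired, and builds the per-entity MDQ request URL for an entityID; it assumes https://mdq.incommon.org/ as the MDQ base URL and the standard MDQ /entities/ path layout, and the sample aggregate is constructed.

```python
"""Check SAML metadata validity and build InCommon MDQ per-entity URLs.

Added example, not InCommon's code. Assumes the MDQ base URL is
https://mdq.incommon.org/ and the standard MDQ path /entities/{entityID}.
"""
from datetime import datetime, timedelta
from urllib.parse import quote
import xml.etree.ElementTree as ET

MDQ_BASE = "https://mdq.incommon.org/"  # assumption: MDQ service base URL

# Constructed sample: a minimal aggregate whose validUntil matches the
# legacy aggregate expiry described in the 4/1/25 announcement.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2025-03-31T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
</EntitiesDescriptor>
"""


def parse_iso_utc(value: str) -> datetime:
    """Parse an ISO 8601 timestamp, accepting the trailing 'Z' used in SAML metadata."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mdq_entity_url(entity_id: str, base: str = MDQ_BASE) -> str:
    """MDQ URL for one entityID: the identifier is percent-encoded, '/' included."""
    return base.rstrip("/") + "/entities/" + quote(entity_id, safe="")


def parse_valid_until(metadata_xml: str) -> datetime:
    """Read validUntil from the root EntitiesDescriptor or EntityDescriptor."""
    raw = ET.fromstring(metadata_xml).get("validUntil")
    if raw is None:
        raise ValueError("metadata has no validUntil; staleness cannot be detected")
    return parse_iso_utc(raw)


def days_remaining(metadata_xml: str, now_iso: str) -> float:
    """Days until the metadata expires; negative means it has already expired."""
    return (parse_valid_until(metadata_xml) - parse_iso_utc(now_iso)) / timedelta(days=1)


def check_metadata(metadata_xml: str, now_iso: str, warn_days: int = 7) -> str:
    """Classify a metadata document as 'ok', 'expiring' or 'expired' at time now_iso."""
    left = days_remaining(metadata_xml, now_iso)
    if left < 0:
        return "expired"
    return "expiring" if left < warn_days else "ok"


if __name__ == "__main__":
    print(check_metadata(SAMPLE_AGGREGATE, "2025-04-01T00:00:00Z"))  # expired
    print(mdq_entity_url("https://idp.example.edu/idp/shibboleth"))
```

Run it against the aggregate or MDQ response your provider actually loads; a result of "expiring" a week out is the point at which to rotate to MDQ (or refresh the aggregate) rather than wait for the outage.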
3/17/25 - Update on legacy metadata retirement
Publication of new legacy metadata has again been disabled. The aggregates signed today (March 17, 2025), and published in the old md.incommon.org location will expire on March 31, 2025. Please ensure all metadata clients are pointed at the new service, mdq.incommon.org, which is documented at: https://spaces.at.internet2.edu/display/mdq
3/4/25 - Update on legacy metadata retirement
InCommon had planned to retire our legacy metadata service on md.incommon.org on Tuesday, February 25, with final metadata validity scheduled for Monday, March 10th. Due to some standing issues with metadata clients, we will again start signing legacy metadata today, March 4, 2025, which means legacy metadata will be updated and valid until further notice. Our apologies for the continued delay, but it’s important that we not cause failures in production services when avoidable.
2/06/25 - Legacy Metadata Aggregate Retirement
We plan to proceed with retiring the legacy metadata aggregates on Tuesday, February 25th, 2025.
Service Impact: All services (IdP and SP) need to migrate to use the MDQ metadata service
Services at your organization that support federated single sign-on (SSO) AND currently rely on metadata sourced from the legacy metadata aggregate (http://md.incommon.org/InCommon/InCommon-metadata.xml) will need to be updated before the February date to avoid service interruptions.
To see if your organization is an InCommon Federation participant, visit: https://incommon.org/community-organizations/ and check the “Federation Participants” box.
2/03/25 - ADFSToolkit update for MDQ
We have updated the MDQ pipeline to inject the InCommon public signing key into MDQ metadata aggregates. This update addresses the ADFSToolkit issue shared in January: https://github.com/fedtools/adfstoolkit/issues/85.
We continue to plan to retire the legacy aggregates served from https://md.incommon.org soon and will communicate a date in the near future.
1/13/25 - Update on legacy aggregate retirement
We have identified an issue related to how ADFSToolkit validates MDQ data and will be delaying the retirement process for the legacy aggregate; we still plan to retire the legacy aggregates served from https://md.incommon.org soon, but we need to move the date into February or March.
We are working to address this issue and will share back an updated date once we have finalized our updates.
If you are not using ADFSToolkit currently, you are encouraged to continue with your migration efforts.
10/17/24 - Legacy Metadata Aggregate Retirement and MDQ
The InCommon legacy metadata aggregate will retire on January 20, 2025.
If your organization has a service that consumes InCommon metadata via the legacy aggregate (http://md.incommon.org/InCommon/InCommon-metadata.xml), this change affects you.
To see if your organization is an InCommon Federation participant, check here: https://incommon.org/community-organizations/
Services at your organization that support federated single sign-on (SSO) AND currently rely on metadata sourced from the legacy metadata aggregate will need to be updated before the January date to avoid service interruptions.
Please work within your organization to migrate all relevant services to retrieve metadata from MDQ well before the January date.
9/26/24 - Legacy Metadata Aggregate Retirement and MDQ
We are retiring the metadata aggregates at md.incommon.org on January 20, 2025.
Please work with services in your organization to make the move to MDQ at your earliest convenience.