
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org).

Importing eduGAIN metadata into the production InCommon metadata aggregate will have at least the following consequences:

  1. Importing global IdP metadata into InCommon metadata will alter discovery interfaces across the Federation.

  2. Importing global IdP metadata into InCommon metadata will cause some SPs to automatically accept attributes from those IdPs.

  3. Importing global SP metadata into InCommon metadata will cause some IdPs to automatically release attributes to those SPs.

To address these issues, the New Entities WG proposes what amounts to a new entity category.

Preparing for eduGAIN Metadata

See the Preparing for eduGAIN Metadata topic for general uses of this new entity category. See the Applying the Registered By InCommon Category topic for specific examples.

Currently, all entity descriptors in InCommon metadata have been registered according to the InCommon Metadata Registration Practice Statement (which requires the organization that submitted the metadata to have signed the InCommon Participation Agreement), and therefore every entity descriptor in InCommon metadata contains the following extension element:

The RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The New Entities WG recommends that the above <mdrpi:RegistrationInfo> element be replicated as an entity attribute in metadata. The primary motivation for doing so is that entity attributes are better supported in software and so an entity attribute will help smooth the transition to interfederation.

To make the idea concrete, the proposal is to automatically convert the above extension element into something like this:

The registered-by-incommon entity attribute
<md:Extensions
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
  <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category">
      <saml:AttributeValue>
        http://id.incommon.org/category/registered-by-incommon
      </saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</md:Extensions>

and of course the conversion process would preserve any and all entity attributes that already exist in metadata.
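As an added example (not code from the wiki page or from InCommon's own tooling), the conversion described above written against Python's standard-library ElementTree: it copies an InCommon RegistrationInfo into the registered-by-incommon entity attribute, leaves entities registered elsewhere and any existing entity attributes untouched, and is a no-op when re-run. The md (core SAML metadata) namespace is the one real thing not shown on the page; the sample aggregate, its entityIDs and the http://example.org/category/constructed value are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the familiar prefixes when serialising
INCOMMON_RA = "https://incommon.org"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"

def entity_categories(entity):
    """Entity-category values currently carried by an EntityDescriptor (what an SP or IdP would filter on)."""
    return [v.text.strip()
            for a in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == ENTITY_CATEGORY
            for v in a.findall("saml:AttributeValue", NS) if v.text]

def add_registered_by_incommon(entity):
    """Replicate an InCommon RegistrationInfo as the entity attribute; True only if a value was added."""
    ext = entity.find("md:Extensions", NS)
    reginfo = ext.find("mdrpi:RegistrationInfo", NS) if ext is not None else None
    if reginfo is None or reginfo.get("registrationAuthority") != INCOMMON_RA:
        return False  # not registered by InCommon (e.g. an imported eduGAIN entity): leave it alone
    if REGISTERED_BY_INCOMMON in entity_categories(entity):
        return False  # already tagged, so re-running the conversion is a no-op
    # Reuse any existing EntityAttributes / entity-category Attribute so nothing already there is lost.
    ea = ext.find("mdattr:EntityAttributes", NS)
    if ea is None:
        ea = ET.SubElement(ext, "{%s}EntityAttributes" % NS["mdattr"])
    attr = next((a for a in ea.findall("saml:Attribute", NS) if a.get("Name") == ENTITY_CATEGORY), None)
    if attr is None:
        attr = ET.SubElement(ea, "{%s}Attribute" % NS["saml"], {"Name": ENTITY_CATEGORY, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = REGISTERED_BY_INCOMMON
    return True

def convert(xml_text):  # returns (converted XML text, {entityID: (added?, categories afterwards)})
    root = ET.fromstring(xml_text)
    summary = {e.get("entityID"): (add_registered_by_incommon(e), entity_categories(e))
               for e in root.iter("{%s}EntityDescriptor" % NS["md"])}
    return ET.tostring(root, encoding="unicode"), summary

# Constructed sample aggregate: an InCommon SP already carrying a made-up entity category, and an IdP registered by a fictional other federation.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>http://example.org/category/constructed</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/></md:Extensions></md:EntityDescriptor></md:EntitiesDescriptor>"""
```

Running `convert(SAMPLE)` tags only the InCommon SP and keeps its existing category; feeding the output back in changes nothing, which is the property a metadata pipeline needs before it can run the conversion on every aggregate build.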

Some important points to note:

  • In effect, the proposal is to create a new entity category called Registered By InCommon (denoted by the entity attribute value registered-by-incommon), which is precisely the meaning of the XML attribute mdrpi:RegistrationInfo/@registrationAuthority="https://incommon.org".

  • The Registered By InCommon entity category applies to both SPs and IdPs.

  • The registered-by-incommon entity attribute will not be exported to eduGAIN.

The registered-by-incommon entity attribute can be used by SPs and IdPs to mitigate the effects of importing eduGAIN entities into the InCommon production aggregate. 