Delegated administration is the ability for a Site Administrator to delegate the duty of administering select Service Provider (SP) metadata to another person in his/her organization. This delegated role is called a Delegated Administrator. For organizations with a large number of SPs, or where the SP is operated by a departmental unit, delegated administration allows an organization to spread out the load of metadata management.

How delegated metadata administration works

  • A Site Administrator delegates the ability to administer SP metadata to a delegated administrator by providing the eduPersonPrincipalName and e-mail address of a prospective Delegated Administrator.
  • A Site Administrator uses the Delegated Administration feature in Federation Manager to assign ongoing management duties of particular SPs to a Delegated Administrator.
  • A Delegated Administrator may modify and/or delete SP entities assigned to him/her.
  • A Delegated Administrator can create a new SP entity.
  • Any metadata update made by a Delegated Administrator must be approved by a Site Administrator for publication to the InCommon metadata.

Step-by-step topics

For Site Administrator:

For Delegated Administrator: 


  • A Site Administrator for an organization may not function as a Delegated Administrator for the same organization.
  • A Delegated Administrator for one organization may not function as a Delegated Administrator for another organization.
  • Assigning two Delegated Administrators to manage the same entity can have undesirable side effects, since the software does not constrain the editing of entity descriptors in any way.
  • A Site Administrator cannot unconditionally delegate responsibility for administering SP metadata; that is, a Site Administrator must always approve update requests made by a Delegated Administrator.

Access Requirements

  • The Delegated Administrative login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to Delegated Administrators).
  • The Delegated Administrator’s IdP must support SAML V2.0 Web Browser SSO (i.e., SAML V1.1 is not supported).
  • The Delegated Administrator’s IdP must release a set of required attributes to the Federation Manager.
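
A Site Administrator can check the SAML V2.0 requirement above from the prospective Delegated Administrator's IdP metadata before delegating. The following is an added example, not InCommon or Federation Manager code: the function name and the sample entities are hypothetical, and it checks only protocol and endpoint support, not attribute release or the metadata signature.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Front-channel bindings on which an IdP receives a Web Browser SSO AuthnRequest.
BROWSER_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample metadata (hypothetical entities, not real InCommon data).
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                              Location="https://idp.example.edu/idp/profile/Shibboleth/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy-idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                              Location="https://legacy-idp.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def saml2_browser_sso_endpoints(metadata_xml):
    """Return {entityID: [SSO Location, ...]} listing only SAML V2.0 browser endpoints."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        locations = []
        for role in entity.findall(f"{{{MD}}}IDPSSODescriptor"):
            protocols = role.get("protocolSupportEnumeration", "").split()
            if SAML2_PROTOCOL not in protocols:
                continue  # role advertises only SAML V1.1 / Shibboleth 1.x
            for sso in role.findall(f"{{{MD}}}SingleSignOnService"):
                if sso.get("Binding") in BROWSER_BINDINGS:
                    locations.append(sso.get("Location"))
        result[entity.get("entityID")] = locations
    return result

if __name__ == "__main__":
    for entity_id, endpoints in saml2_browser_sso_endpoints(SAMPLE_METADATA).items():
        print(entity_id, "OK" if endpoints else "no SAML V2.0 Web Browser SSO endpoint")
```

An empty list for an entity means its IdP advertises no SAML V2.0 browser SSO endpoint, so its users could not log in as Delegated Administrators.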