...
SPs typically leverage entity attributes up front, when metadata is consumed. The registered-by-incommon entity attribute may be used to customize the discovery interface or, in some special circumstances, to filter metadata altogether.

See the Shibboleth Metadata Config topic for a complete example of a MetadataProvider. At most one of the following MetadataFilter elements may be added to that MetadataProvider.
Filtering Untrusted Metadata
...
Customizing Discovery Interfaces
Here's a complete metadata configuration with a customized discovery interface. To show all IdPs with the registered-by-incommon entity attribute (and hide those that ask not to be listed), add the following DiscoveryFilter elements to your SP's MetadataProvider:
```xml
<!-- The following MetadataProvider refreshes the main InCommon aggregate. -->
<MetadataProvider type="XML" url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                  backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!-- Require a validUntil XML attribute on the EntitiesDescriptor element
       and make sure its value is no more than 14 days into the future -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!-- Show all IdPs with the registered-by-incommon entity attribute -->
  <DiscoveryFilter type="Whitelist" matcher="EntityAttributes"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <!-- Hide all IdPs with the hide-from-discovery entity attribute -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://refeds.org/category/hide-from-discovery"/>
</MetadataProvider>
```
Keep in mind that hiding an IdP from the discovery interface does not prevent the SP from accepting an assertion from that IdP.