...
- Filter all imported entities with XML attribute `mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']`
  - Entities so marked must come from primary sources only.
- Filter all entities with an entityID that does not begin with one of the following prefixes: “http://”, “https://”, “urn:mace”
- Filter all entity attributes not on the Entity Attribute Whitelist (see subsection below)
- Filter all `<mdui:Logo>` elements (not entities) with a URL that is not HTTPS-protected.
- Filter all imported entities with weak keys
  - The use of weak keys in metadata has security and privacy implications.
  - There are no weak keys in InCommon metadata and so we'd like to keep it that way.
- Filter all imported IdP entities with a faulty `<shibmd:Scope>` element
  - Disallow `<shibmd:Scope regexp="true">`
  - Disallow
- Filter all imported IdP entities with an endpoint location that is not HTTPS-protected
- Filter all imported IdP entities that do not have a SAML2 `SingleSignOnService` endpoint that supports the HTTP-Redirect binding.
  - In effect, all imported IdPs must support SAML2.
- Filter all imported SP entities that do not have at least one SAML2 `AssertionConsumerService` endpoint that supports the HTTP-POST binding.
  - In effect, all imported SPs must support SAML2.
- Filter all imported entities that have the same `entityID` as an existing entity in the InCommon aggregate.
  - This happens because some SPs choose to join multiple federations.
  - Dozens of global SPs are filtered by this rule.
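The following script is an added example, not InCommon's own filtering tooling: it applies the rules listed above to a small SAML metadata aggregate using only the Python standard library. The aggregate, its entityIDs and hostnames are constructed for illustration; the `existing_ids` set stands in for the entityIDs already present in the InCommon aggregate. The weak-key rule is deliberately omitted because checking RSA modulus sizes requires a certificate parser, and the Entity Attribute Whitelist is assumed to be applied in a separate step. Note the difference between the element-level logo rule (the `<mdui:Logo>` is stripped, the entity survives) and the entity-level rules (the whole `EntityDescriptor` is dropped).

```python
"""Apply the import filters above to a SAML metadata aggregate.
Added example (not InCommon's tooling); stdlib only, run on a constructed
aggregate. The weak-key rule is omitted (needs a certificate parser)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
INCOMMON_RA = "https://incommon.org"
ALLOWED_PREFIXES = ("http://", "https://", "urn:mace")

def is_https(url):
    return (url or "").strip().startswith("https://")

def supports_saml2(role):
    return SAML2 in (role.get("protocolSupportEnumeration") or "").split()

def strip_insecure_logos(ed):
    """Element-level rule: remove <mdui:Logo> elements whose URL is not HTTPS.
    The entity itself survives; returns the number of logos removed."""
    logo, removed = "{%s}Logo" % NS["mdui"], 0
    for parent in list(ed.iter()):  # snapshot, since we mutate while walking
        for child in list(parent):
            if child.tag == logo and not is_https(child.text):
                parent.remove(child)
                removed += 1
    return removed

def entity_violations(ed, existing_ids):
    """Entity-level rules: return the reasons this entity must be dropped."""
    reasons, eid = [], ed.get("entityID", "")
    ri = ed.find(".//mdrpi:RegistrationInfo", NS)
    if ri is not None and ri.get("registrationAuthority") == INCOMMON_RA:
        reasons.append("claims InCommon registrationAuthority via import")
    if not eid.startswith(ALLOWED_PREFIXES):
        reasons.append("entityID prefix not allowed")
    if eid in existing_ids:
        reasons.append("entityID already in InCommon aggregate")
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        if any(s.get("regexp", "false").lower() == "true"
               for s in idp.findall(".//shibmd:Scope", NS)):
            reasons.append('shibmd:Scope regexp="true" not allowed')
        for ep in idp.iter():  # every endpoint element of the IdP role
            if "Location" in ep.attrib and not is_https(ep.get("Location")):
                reasons.append("IdP endpoint not HTTPS: " + ep.get("Location"))
        if not (supports_saml2(idp) and any(
                s.get("Binding") == HTTP_REDIRECT
                for s in idp.findall("md:SingleSignOnService", NS))):
            reasons.append("no SAML2 SingleSignOnService with HTTP-Redirect")
    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is not None and not (supports_saml2(sp) and any(
            a.get("Binding") == HTTP_POST
            for a in sp.findall("md:AssertionConsumerService", NS))):
        reasons.append("no SAML2 AssertionConsumerService with HTTP-POST")
    return reasons

def filter_aggregate(xml_text, existing_ids=frozenset()):
    """Return (kept entityIDs, {dropped entityID: reasons}, logos removed)."""
    kept, dropped, logos = [], {}, 0
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        logos += strip_insecure_logos(ed)
        reasons = entity_violations(ed, existing_ids)
        if reasons:
            dropped[ed.get("entityID")] = reasons
        else:
            kept.append(ed.get("entityID"))
    return kept, dropped, logos

# Constructed sample aggregate; entityIDs and hosts are illustrative only.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
<md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope>
   <mdui:UIInfo><mdui:Logo>http://idp.example.edu/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.org/idp">
 <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><shibmd:Scope regexp="true">^.*example.org$</shibmd:Scope></md:Extensions>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://idp.example.org/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="urn:example:sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
   Location="https://sp.example.com/acs" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://sp.example.net/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sp.example.net/Shibboleth.sso/SAML2/POST" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""
```

Calling `filter_aggregate(SAMPLE)` keeps the first IdP (after stripping its plain-HTTP logo) and the last SP, and drops the second IdP for three reasons at once (it claims the InCommon registration authority, uses a regexp scope, and has a plain-HTTP endpoint) and the `urn:example:sp` entity for its entityID prefix and missing SAML2 HTTP-POST endpoint. Passing `existing_ids={"https://sp.example.net/shibboleth"}` shows the duplicate-entityID rule removing an otherwise valid SP, which is the case the list above describes for SPs that join several federations.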
...