...
| Warning | ||
|---|---|---|
| ||
| An R&S IdP will carry either the incommon.org R&S tag or the refeds.org R&S tag but not both. An SP that depends on the R&S entity attribute in IdP metadata must take this fact into account. |
To configure an instance of Shibboleth SP 2.5 (and later) to restrict its discovery interface to R&S IdPs, add the following DiscoveryFilter to your MetadataProvider:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!--
As the refeds.org R&S tag becomes more prevalent, the
order of the attributes should be reversed for efficiency.
-->
<DiscoveryFilter type="Whitelist" matcher="EntityAttributes">
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</DiscoveryFilter> |
The above configuration requires Shibboleth SP v2.5 (or later). Be aware that filtering entity metadata from the discovery interface is not the same as filtering the metadata in the first place. If the latter is really what you want to do, replace the <DiscoveryFilter> with an identical <MetadataFilter> as in the previous example.
See the Shibboleth Metadata Config topic for a complete example of a MetadataProvider. The above DiscoveryFilter element may be added to that MetadataProvider.