User Interface Elements in IdP Metadata

This page describes how an InCommon site administrator adds user interface elements to IdP metadata. These elements are used by SP implementations to enhance their user interfaces, especially the discovery interface. See the section on software support for a complete list of supported applications. As of the introduction of Baseline Expectations for Trust in Federation in 2018, all user interface elements are required, except where noted.

Updating

...

IdP Metadata

Log in to the metadata administrative interface as usual. In the SA Dashboard, click on the "Update" link next to the IdP you wish to edit in the "Existing Providers" table. Scroll to "User Interface Elements" and click the (Edit) link. A web form to enter the new elements will appear.

Add and edit any needed UI elements. When you click "Save," an <mdui:UIInfo> extension element is inserted into your metadata. From that point forward, you manage these elements the same as you would any other metadata element.

User Interface Elements

...

IdP Display Name

...

Display Name

Typically, the IdP Display Name field will be presented on IdP discovery service interfaces. In practice, if the <mdui:DisplayName> element does not exist in metadata, applications usually fall back on the <md:OrganizationDisplayName> element.

The value of this input field inherits from the existing <md:OrganizationDisplayName> element in IdP metadata. Since the Federation is authoritative for the latter, the former is non-editable by the user.

Typically, the value of the Display Name field will appear on the drop-down menu of discovery service interfaces. If the corresponding element does not exist in metadata, applications are required to fall back on the <md:OrganizationDisplayName> element. Since the two are necessarily the same in InCommon metadata, the same name will appear in the discovery interface in either case.

This element is required in InCommon metadata.

Description

A brief description (100 characters or less) of the IdP service may be provided. On systems that support a pointing device (such as a mouse), the content of this input field will pop up when the user hovers over the Display Name.

This element is optional in InCommon metadata but IdP operators are encouraged to supply it.

Information URL

The <md:OrganizationDisplayName> element is a poor substitute for the IdP Display Name, however, since it assumes an organization deploys at most one IdP.

The <mdui:DisplayName> element is REQUIRED for all IdPs registered by InCommon. It is RECOMMENDED that the value of the <mdui:DisplayName> element be 40 characters or less.

Site administrators are encouraged to log into the Federation Manager and edit their IdP Display Name to make it easier for users to find their IdP on discovery interfaces. The InCommon RA will perform a reasonableness check on edited values of the IdP Display Name. Unreasonable values will not be accepted.

Warning: Edit the IdP Display Name with care!
Edit the user-facing IdP Display Name with care. To avoid duplicates and other anomalies on discovery interfaces, browse the complete list of IdP display names in InCommon metadata before changing your IdP Display Name.

Since the Site Administrator can edit the IdP Display Name field, the ultimate responsibility for disambiguating duplicate or similar IdP Display Names rests with the Site Administrator (not the InCommon RA). To assist with this effort, we provide a current list of IdP display names in InCommon metadata as they will appear on a typical discovery interface (by that we mean a discovery interface that falls back on the <md:OrganizationDisplayName> element if the <mdui:DisplayName> element does not exist in metadata).

IdP Description

The IdP Description is a brief description of the IdP service. On a well-designed discovery interface, the IdP Description will be presented to the user in addition to the IdP Display Name, and so the IdP Description helps disambiguate duplicate or similar IdP Display Names.

It is RECOMMENDED that the value of the <mdui:Description> element be 140 characters or less.

IdP Description is optional, but recommended.

IdP Information URL

The IdP Information URL is a link to a comprehensive information page about the IdP. This page should expand on the content of the IdP Description field.

This element is optional. There are no known applications that can leverage this element in metadata.

IdP Information URL is optional, but recommended.

IdP Privacy Statement URL

The IdP Privacy Statement URL is a link to the IdP's Privacy Statement.

Please consider content that will be helpful to users, such as detailing the information released to each service. Here are links from GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) with some suggestions and guidelines.

...

The CTAB provides the following ideas for what you might include: 

  • If you previously provided a link to a privacy policy in your Participant Operational Practices (POP - now deprecated), provide this link for your IdP Privacy Statement URL.
  • Refer to privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC):
  • Develop a web page that links to established organizational policies related to privacy and include that URL in your metadata. These policies can include data sharing, FERPA release, acceptable use policy (AUP), among others.

IdP Logo URL

The IdP Logo URL in metadata points to an image file on a remote server. A discovery service, for example, may rely on

This element is optional. There are no known applications that can leverage this element in metadata.

Logo URL

This element is optional but there are applications that can leverage this element in metadata so IdP operators are encouraged to provide a link to a logo that meets the following requirements. For example, a discovery service may use a visual cue (i.e., a logo) instead of or in addition to the IdP Display Name, as it helps disambiguate duplicate or similar names. The logo is typically the institution's logo but may be some other institutional graphic that is readily recognizable to the institution's community members.

IdP operators must provide an IdP Logo URL that satisfies the following requirements:

  • the IdP Logo URL must be specified using an HTTPS URL
  • the resource at the IdP Logo URL must be publicly accessible

Warning: Logo HTTPS URL

The server that serves the logo resource MUST be protected with a TLS certificate trusted by the browser (i.e., not a self-signed certificate), otherwise the logo may not appear on a dynamically generated web page.

The actual size of the logo may vary. You will be asked to enter the actual width and height of the logo (in pixels). The application will select your logo (or not) based on the actual width and height entered into metadata; a typical application expects a maximum height of 150 pixels and, if need be, will scale the logo proportionally.

Generally useful logos will have the following characteristics:

  • The logo should resolve to a PNG with the MIME type image/png
  • The logo should be 80 pixels in width by 60 pixels in height
  • The logo must be specified using an HTTPS URL
  • the logo should have a transparent background
  • Contrast should be considered carefully
  • the logo should have a landscape orientation (width > height)
  • the logo should have an aspect ratio between 4:3 and 16:9
  • the logo should have a minimum width of 100 pixels
  • the logo should have a minimum height of 75 pixels

...

  • enough contrast to support presentation on a white background (e.g., avoid a situation where your logo could be presented as white foreground on a white background).

Software Support

The InCommon Federation entity information pages display the values of all user interface elements in metadata. The information pages are refreshed daily, in parallel with InCommon metadata.

To our knowledge, the only application that supports the <mdui:UIInfo> extension element in IdP metadata is the Shibboleth Embedded Discovery Service. If you know of other software applications that support <mdui:UIInfo>, please share this information with the community.