Versions Compared

User Interface Elements in IdP Metadata

This page describes how an IdP metadata InCommon site administrator adds user interface elements to IdP metadata. These elements are used by SP implementations to enhance their user interfaces. See the section on software support for a complete list of supported applications, especially the discovery interface. As of the introduction of Baseline Expectations for Trust in Federation in 2018, all user interface elements are required, except where noted.

Updating IdP Metadata

...

Login to the metadata administrative interface as usual. Along the left hand sideIn the SA Dashboard, click on the "Update" link next to the IdP you wish to edit in the "Existing Identity Provider Metadata Wizard," click "Edit," and then click "Add New Providers" table.  Scroll to "User Interface Elements" and click the (Edit) link. A web form to enter the new elements will appear (see screen shot to the right)..

Add and edit any needed UI elements.  When you click When you press "Save," an an <mdui:UIInfo> extension  extension element is inserted into your metadata. From that point forward, you manage these elements the same as you would any other metadata element.

User Interface Elements
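
Review bot: the login step refers to the tool by more than one name: "metadata administrative interface" and "SA Dashboard" in the navigation sentence under "Updating IdP Metadata", and "Federation Manager" in the IdP Display Name section. If these are the same tool, use one name throughout so a site administrator following the steps can tell they are in the right place. The same sentence still points to a "screen shot to the right", so confirm the screenshot matches the click path that is kept.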

...

IdP Display Name

Typically, the are optional for IdPs.IdP Display Name

...

The value of IdP Display Name inherits from the existing field will be presented on IdP discovery service interfaces. In practice, if the <mdui:DisplayName> element does not exist in metadata, applications usually fall back on the <md:OrganizationDisplayName> element in IdP metadata. Since the Federation is authoritative for the latter, the former is non-editable by the user.Typically, the value . The latter is a poor substitute for the IdP Display Name, however, since it assumes an organization deploys at most one IdP.

The <mdui:DisplayName> element is REQUIRED for all IdPs registered by InCommon. It is RECOMMENDED that the value of the <mdui:DisplayName> element be 40 characters or less.

Site administrators are encouraged to log into the Federation Manager and edit their IdP Display Name to make it easier for users to find their IdP on discovery interfaces. The InCommon RA will perform a reasonableness check on edited values of the IdP Display Name field will appear on the drop-down menu of discovery service interfaces. If the corresponding element does not exist in metadata, applications are required to fall back on the <md:OrganizationDisplayName> element. Since the two are necessarily the same in InCommon metadata, the same name will appear in the discovery interface in either case.

This element is required in InCommon metadata.

IdP Description

A brief description (140 characters or less) of the IdP service may be provided. On systems that support a pointing device (such as a mouse), the description will pop up when the user hovers over the IdP Display Name.

This element is optional in InCommon metadata but IdP operators are encouraged to supply it.

IdP Information URL

. Unreasonable values will not be accepted.

Warning: Edit the IdP Display Name with care!
Edit the user-facing IdP Display Name with care. To avoid duplicates and other anomalies on discovery interfaces, browse the complete list of IdP display names in InCommon metadata before changing your IdP Display Name.

Since the Site Administrator can edit the IdP Display Name field , the ultimate responsibility for disambiguating duplicate or similar IdP Display Names rests with the Site Administrator (not the InCommon RA). To assist with this effort, we provide a current list of IdP display names in InCommon metadata as they will appear on a typical discovery interface (by that we mean a discovery interface that falls back on the <md:OrganizationDisplayName> element if the <mdui:DisplayName> element does not exist in metadata).

IdP Description

The IdP Description is a brief description of the IdP service. On a well-designed discovery interface, the IdP Description will be presented to the user in addition to the IdP Display Name, and so the IdP Description helps disambiguate duplicate or similar IdP Display Names.

It is RECOMMENDED that the value of the <mdui:Description> element be 140 characters or less.

IdP Description is optional, but recommended.

IdP Information URL

The IdP Information URL is a link to a comprehensive information page about the IdPA link to a more comprehensive information page may be provided. This page should expand on the content of the IdP Description field.

This element is optionalIdP Information URL is optional, but recommended.

IdP Privacy Statement URL

A The IdP Privacy Statement URL is a link to the IdP's Privacy Statement may be provided. This Privacy Statement should be targeted at end users.This element is optional. It is recommended that IdPs use this URL to point directly (or indirectly through another document) to the IdP's Attribute Release Process.

Please consider content that will be helpful to users, such as detailing the information released to each service. Here are links from GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) with some suggestions and guidelines.

The CTAB provides the following ideas for what you might include: 

  • If you previously provided a link to a privacy policy in your Participant Operational Practices (POP - now deprecated), provide this link for your IdP Privacy Statement URL.
  • Refer to privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC):
  • Develop a web page that links to established organizational policies related to privacy and include that URL in your metadata. These policies can include data sharing, FERPA release, acceptable use policy (AUP), among others.

IdP Logo URL

The The IdP Logo URL is optional but there are applications that can leverage the corresponding element in metadata in metadata points to an image file on a remote server. A discovery service, for example, may use rely on a visual cue (i.e., a logo) instead of or in addition to the IdP Display Name, as it helps disambiguate duplicate or similar names. The logo is typically the institution's logo but may be some other institutional graphic that is readily recognizable to the institution's community members.

IdP operators are encouraged to must provide a an IdP Logo URL that satisfies the following requirements:

  • the IdP Logo URL must be specified using an HTTPS URL
  • the resource at the IdP Logo URL must be an unprotected image resource
  • the host in the IdP Logo URL must reside in a domain owned by the IdP
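
Review bot: the IdP Display Name text contradicts itself on editability. One sentence says the <mdui:DisplayName> value "is non-editable by the user" because the Federation is authoritative for <md:OrganizationDisplayName>, while the following paragraphs encourage site administrators to edit it in the Federation Manager and make them responsible for disambiguating duplicates. Keep only the statement that matches current behaviour, and settle whether applications "usually fall back" or "are required to fall back" on <md:OrganizationDisplayName>. The IdP Logo URL paragraph has the same conflict ("is optional" beside "must provide"), which matters because the introduction says all user interface elements are required except where noted.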

...

  • publicly accessible

Warning: Logo HTTPS URL

The server that serves the logo resource MUST be protected with an TLS certificate trusted by the browser (i.e., not a self-signed certificate), otherwise the logo may not appear on a dynamically generated web page.

The actual size of the logo may vary. You will be asked to enter the actual width and height of the logo (in pixels). A typical application expects a maximum height of 150 pixels, and if need be, will scale the logo proportionally based on the actual width and height entered into metadata.

Generally useful logos will have the following characteristics:

  • the The logo should have a transparent background
  • the logo should have a landscape orientation (width > height)
  • resolve to a PNG with the MIME type image/png
  • The logo should be 80 pixels in width by 60 pixels in height
  • The the logo should have a minimum width of 100 pixels
  • the logo should have a minimum height of 75 pixels and a maximum height of 150 pixels (or the application will scale it proportionally)

Logos that meet the minimum width and height requirements can be scaled down by the application as needed. Logos that do not meet the minimum width and height requirements may be ignored by applications.
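
Review bot: the logo characteristics list gives conflicting sizes. The item "80 pixels in width by 60 pixels in height" sits beside "a minimum width of 100 pixels" and "a minimum height of 75 pixels", and the closing paragraph says logos below the minimums may be ignored by applications. Drop or update the 80 by 60 item so the list agrees with the stated minimums. In the HTTPS warning, "an TLS certificate" should read "a TLS certificate".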

...

  • transparent background
  • Contrast should be considered carefully and logos should have enough contrast to support presentation on a white background (e.g., avoid a situation where your logo could be presented as white foreground on on white background).

Software Support

The InCommon Federation entity information pages display the values of all user interface elements in metadata. The information pages are refreshed daily, in parallel with InCommon metadata.
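
Review bot: the contrast bullet ends with a doubled word, "white foreground on on white background". Change it to "on a white background" to match the phrase used earlier in the same bullet.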

...