User Interface Elements in SP Metadata

This page describes how an SP site metadata administrator adds user interface elements and requested attributes to metadata. These elements are used by IdP implementations to enhance their user interfaces. See the section on software support for a complete list of supported applications.

In a nutshell, here's what you need to do:

  1. Port the attribute requirements listed in your POP to metadata
  2. Refactor the remaining sections of your POP into a Privacy Policy targeted at the user

Complete the above steps in reverse order. First publish your Privacy Policy to a permanent location on the web. Then complete the metadata update process outlined below.

Note: The Relation Between your POP and the Privacy Policy

Since you only have one POP, it necessarily applies to all of your SP deployments. In that sense, the granularity of the POP is not sufficient for those sites supporting multiple SPs. On the other hand, your Privacy Policy—and everything else mentioned below—refers to a single SP deployment. Hence, you should repeat the steps below for each SP under your control.

Note: A Privacy Policy may be shared across SP deployments. Not all SPs have the same privacy requirements, however, so you should consider carefully the granularity that best fits your overall SP deployment.

For the time being, leave your POP where it is despite the fact that it can now be put entirely online. InCommon is reviewing the POP in light of these (and other) developments occurring within the Federation.

Updating your Metadata

As of the introduction of Baseline Expectations for Trust in Federation in 2018, all user interface elements are required, except where noted.


Updating SP Metadata

Log into the Federation Manager as usual. In the SA Dashboard, click the "Update" link next to the SP you wish to edit in the "Existing Service Providers" table. Scroll to the section for user interface elements and requested attributes and click the (Edit) link. A web form to enter the new elements will appear. (In the older metadata administrative interface, the same form was reached by clicking "Service Provider Metadata Wizard" along the left hand side, then "View, Edit, or Delete SP metadata," then "Edit," and finally "Add New User Interface Elements and Requested Attributes.")

Click "Add" and edit any needed UI elements. When you click "Save," both an <mdui:UIInfo> extension element and an <md:AttributeConsumingService> element (containing <md:RequestedAttribute> elements) are inserted into your metadata. From that point forward, you manage these elements the same as you would any other metadata element.

User Interface Elements

All of the input fields below except Display Name are optional for SPs.


SP Display Name

The SP Display Name is a user-friendly name for the service (not the organization). Typically, the value of the SP Display Name field will appear on login and error pages at the IdP, and also on the consent page. If the corresponding element <mdui:DisplayName> does not exist in metadata, some applications are required to fall back on the <md:OrganizationDisplayName> element, which typically does not reflect the service but rather the organization that runs the service. Such an organization may in fact run multiple SP services, so the organization name is a poor choice for a user interface.

This element is required in InCommon metadata.


Tip: SP Display Name

Choose a user-friendly name for your service. Do not use a host name, and above all, do not forget to supply a Display Name, since some applications fall back on the SP's entityID, which is guaranteed to confuse the user.

According to the spec, the <mdui:DisplayName> element is an optional child element of the <mdui:UIInfo> extension element but InCommon SP operators are required to supply this information.


SP Description

A brief SP Description (140 characters or less; 100 characters in the other revision compared here) of the service may be provided. On systems that support a pointing device (such as a mouse), the content of this input field will pop up when the user hovers over the SP Display Name.

This element is optional in InCommon metadata but SP operators are encouraged to supply this information.



SP Information URL

The SP Information URL is used to create a link to a more comprehensive service information page. The content of this page should expand on the content of the SP Description field.

This element is optional in InCommon metadata but SP operators are encouraged to supply this information.

The Information URL is often presented to the user on the IdP's login page or perhaps the consent page.

SP Privacy Statement URL

The SP Privacy Statement URL is used to create a link to the SP's Privacy Statement (Privacy Policy) targeted at end users. Like the Information URL, the Privacy Statement URL is often presented to the user on the IdP's login page or consent page.

This element is optional in InCommon metadata but SP operators are strongly encouraged to supply this information.

Warning: Your Privacy Policy

The importance of a Privacy Policy cannot be overstated. Users will be instructed to consult the SP's Privacy Policy, lack of which will cause some users to decline attribute release.

Please consider content that will be helpful to users, such as detailing the information released to each service. GÉANT (the pan-European network) and REFEDS (the international collaboration of federation operators) have published suggestions and guidelines on this topic.

The CTAB provides the following ideas for what you might include:

  • If you previously provided a link to a privacy policy in your Participant Operational Practices (POP, now deprecated), provide that link as your SP Privacy Statement URL.
  • Refer to the privacy policies available through the EDUCAUSE Higher Education Information Security Council (HEISC).
  • Develop a web page that links to established organizational policies related to privacy and include that URL in your metadata. These policies can include data sharing, FERPA release, and the acceptable use policy (AUP), among others.


SP Logo URL

The SP Logo URL is a service logo for building graphical user interfaces. This element is optional, but there are applications that can leverage it in metadata, so SP operators are encouraged to provide a link to a logo that meets the requirements below. A consent interface, for example, may use a visual cue (i.e., a logo) instead of or in addition to the SP Display Name.

SP operators are encouraged to provide an SP Logo URL that satisfies the following requirements:

  • the SP Logo URL must be specified using an HTTPS URL
  • the resource at the SP Logo URL must be a public image resource
  • the host in the SP Logo URL must reside in a domain owned by the SP

The first two are technical requirements whereas the third is a policy requirement. These are the only strict requirements of an SP Logo URL in metadata.

Warning: Logo HTTPS URL

The server that serves the logo resource should be protected with an SSL/TLS certificate trusted by the browser (i.e., not a self-signed certificate); otherwise the logo may not appear on a dynamically generated web page.

The actual size of the logo may vary. You will be asked to enter the actual width and height of the logo (in pixels). A typical application expects a maximum height of 150 pixels and, if need be, will scale the logo proportionally based on the actual width and height entered into metadata.

Generally useful logos will have the following characteristics:

  • The logo should have a transparent background
  • The logo should have a landscape orientation (width > height)
  • The logo should have an aspect ratio between 4:3 and 16:9
  • The logo should have a minimum width of 100 pixels
  • The logo should have a minimum height of 80 pixels (75 pixels in the other revision compared here) and a maximum height of 150 pixels (or the application will scale it proportionally)
  • Contrast should be considered carefully: the logo should have enough contrast to support presentation on a white background (e.g., avoid a situation where your logo could be presented as white foreground on a white background)

Logos that meet the minimum width and height requirements can be scaled down by the application as needed. Logos that do not meet the minimum width and height requirements may be ignored by applications.

There is no consensus as to what constitutes an optimal aspect ratio. For some applications, an aspect ratio between 4:3 and 16:9 is considered optimal. Other applications will have a page layout such that an aspect ratio of approximately 2.5 is optimal. A future version of the administrative interface will accept multiple logo URLs so that sites may provide a variety of logos.

Requested Attributes

Requested attributes are presented to the user on the consent page. At runtime, the user is asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.

At least one attribute is required. From the drop-down menu labeled Attribute Name, simply choose the desired attribute. If the chosen attribute is eduPersonAffiliation, eduPersonEntitlement, or eduPersonScopedAffiliation, an optional Attribute Values field will appear. Enter the requested attribute value(s), if any. Repeat the input process for each requested attribute.

Once the Save button is pressed, two <md:RequestedAttribute> elements will be inserted into metadata for every attribute chosen from the drop-down menu. One is a SAML1 attribute and the other is a SAML2 attribute; the IdP will automatically choose one or the other depending on the runtime protocol.
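As an added example that is not part of this page or of the Federation Manager, the following Python checks an SP metadata file against the rules above: a Display Name is present, the logo URL is HTTPS, sits in the SP's own domain and has usable dimensions, and every requested attribute appears as a SAML1/SAML2 pair. It assumes the SP's domain is the host of its entityID and that SAML2 attributes carry the SAML 2.0 "uri" NameFormat; the metadata it inspects is a constructed sample.

```python
# Added example (not InCommon's or Federation Manager code): checks mdui:UIInfo and RequestedAttribute
# content of SP metadata against this page's rules. Assumes the SP domain is its entityID host.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
SAML2_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # NameFormat assumed for SAML2 attributes

# Constructed sample: a conforming logo, but "mail" lacks its SAML2 (urn:oid) twin.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Course Tool</mdui:DisplayName>
      <mdui:Logo height="100" width="300">https://sp.example.edu/logo.png</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Course Tool</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    sp_host = urlparse(root.get("entityID", "")).hostname or ""
    findings = []  # empty list means every check passed
    if root.find(".//mdui:UIInfo/mdui:DisplayName", NS) is None:
        findings.append("missing mdui:DisplayName (IdPs would fall back to the entityID)")
    for logo in root.findall(".//mdui:UIInfo/mdui:Logo", NS):
        url = urlparse((logo.text or "").strip())
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append("logo URL is not https")
        if host != sp_host and not host.endswith("." + sp_host):
            findings.append("logo host %s is outside the SP domain %s" % (host, sp_host))
        w, h = int(logo.get("width", 0)), int(logo.get("height", 0))
        if w < 100 or h < 80 or h > 150 or w <= h:
            findings.append("logo %dx%d is outside the 100x80..150 landscape bounds" % (w, h))
    # Every attribute should be requested twice: SAML1 (urn:mace) and SAML2 (urn:oid) naming.
    forms = {}
    for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        forms.setdefault(ra.get("FriendlyName"), set()).add("saml2" if ra.get("NameFormat") == SAML2_URI else "saml1")
    for name, kinds in forms.items():
        if kinds != {"saml1", "saml2"}:
            findings.append("%s requested only as %s" % (name, ", ".join(sorted(kinds))))
    return findings
```

Run against the sample it reports only the missing SAML2 form of mail; pointing the logo at a plain-HTTP host outside the SP's domain adds two further findings.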


Software Support

The InCommon Federation entity information pages display the values of all user interface elements in metadata. The information pages are refreshed daily, in parallel with InCommon metadata.

Shibboleth IdP 2.3 (and later) and uApprove 2.2 (and later) support the <mdui:UIInfo> element in SP metadata. If you know of other software applications that support <mdui:UIInfo>, please share this information with the community. In addition to the <mdui:UIInfo> element, uApprove 2.2 consumes the <md:AttributeConsumingService> element (containing <md:RequestedAttribute> elements) in SP metadata. The requested attributes in metadata are displayed to the user on the consent page.