User Interface Elements

...

in SP Metadata

This page describes how an SP site administrator adds user interface elements and requested attributes to metadata. These elements are used by IdP implementations to enhance their user interfaces. See the section on software support for a complete list of supported applications.


In a nutshell, here's what you need to do:

  1. Port the attribute requirements listed in your POP to metadata
  2. Refactor the remaining sections of your POP into a Privacy Policy targeted at the user

Complete the above steps in reverse order. First publish your Privacy Policy to a permanent location on the web. Then complete the metadata update process outlined below.

Note: The Relation Between your POP and the Privacy Policy

Since you only have one POP, it necessarily applies to all of your SP deployments. In that sense, the granularity of the POP is not sufficient for those sites supporting multiple SPs. On the other hand, your Privacy Policy—and everything else mentioned below—refers to a single SP deployment. Hence, you should repeat the steps below for each SP under your control.

Note: A Privacy Policy may be shared across SP deployments. Not all SPs have the same privacy requirements, however, so you should consider carefully the granularity that best fits your overall SP deployment.

For the time being, leave your POP where it is despite the fact that it can now be put entirely online. InCommon is reviewing the POP in light of these (and other) developments occurring within the Federation.

Updating your Metadata

Log in to the metadata administrative interface as usual. Along the left-hand side, click the link "Service Provider Metadata Wizard," click "View, Edit, or Delete SP metadata," click "Edit," and then click "Add New User Interface Elements and Requested Attributes". A web form for entering the new elements will appear.

...

A link to the SP's Privacy Statement should be provided. This element is optional in InCommon metadata, but SP operators are strongly encouraged to supply this information.

Warning: Your Privacy Statement

The importance of a Privacy Statement cannot be overstated. Users will be instructed to consult the SP's Privacy Statement, and the lack of one will cause some users to decline attribute release.

Your POP may already contain statements regarding privacy. One approach, therefore, is to refactor the relevant sections of your POP into a Privacy Statement targeted at the user.

Note: The Relation Between your POP and the Privacy Statement

Since you only have one POP, it necessarily applies to all of your SP deployments. In that sense, the granularity of the POP is not sufficient for those sites supporting multiple SPs. On the other hand, your Privacy Statement refers to a single SP deployment.

Note: A Privacy Statement may be shared across multiple SP deployments. Not all SPs have the same privacy requirements, however, so you should carefully consider the granularity that best fits your overall SP deployment.


Logo URL

This element is optional, but some applications can leverage it in metadata, so SP operators are encouraged to provide a link to a logo that meets the following requirements. For example, a consent interface may use a visual cue (i.e., a logo) instead of, or in addition to, the Display Name.

...

Logos that meet the minimum width and height requirements can be scaled down by the application as needed.

Requested Attributes

Requested attributes are presented to the user on the consent page. At runtime, the user is asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.

At least one attribute is required. From the drop-down menu labeled Attribute Name, choose the desired attribute. If the chosen attribute is eduPersonAffiliation, eduPersonEntitlement, or eduPersonScopedAffiliation, an optional Attribute Values field will appear; enter the requested attribute value(s) there, if any. Repeat the input process for each requested attribute.

Once the Save button is pressed, two <md:RequestedAttribute> elements are inserted into metadata for every attribute chosen from the drop-down menu: one is the SAML1 form of the attribute and the other is the SAML2 form. The IdP automatically chooses one or the other depending on the protocol in use at runtime.
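The metadata that the sections above describe (Privacy Statement URL, Logo, and paired Requested Attributes), shown as an added example that is not part of the wiki page and not InCommon's own tooling: a Python script that embeds a constructed SP EntityDescriptor (the entityID, URLs and attribute values are placeholders) and reports what an IdP consent page would present to the user. It flags a missing Privacy Statement URL, a requested attribute that lacks either its SAML1 or its SAML2 form, and, as an assumption of this example rather than a requirement stated on the page, a logo URL not served over https (such a logo would trigger mixed-content warnings on a consent page served over TLS). The sample deliberately contains an http logo and an attribute with only a SAML2 form so both checks fire.

```python
"""Inspect mdui:UIInfo and md:RequestedAttribute elements in SP metadata.

Added example (not from the InCommon wiki page). All names and values in
SAMPLE_METADATA are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameFormat values that distinguish the SAML1 and SAML2 copies of a
# RequestedAttribute in InCommon-style metadata.
SAML1_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
SAML2_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: entityID, URLs and values are placeholders, not a real SP.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Library Portal</mdui:DisplayName>
        <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.edu/privacy</mdui:PrivacyStatementURL>
        <mdui:Logo height="60" width="80">http://sp.example.edu/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Library Portal</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
          Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member@example.edu</saml:AttributeValue>
      </md:RequestedAttribute>
      <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>member@example.edu</saml:AttributeValue>
      </md:RequestedAttribute>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_ui_info(xml_text):
    """Return the mdui:UIInfo values a consent interface would display."""
    root = ET.fromstring(xml_text)
    info = {"display_name": None, "privacy_statement_url": None, "logos": []}
    ui = root.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        return info
    name = ui.find("mdui:DisplayName", NS)
    if name is not None:
        info["display_name"] = (name.text or "").strip()
    url = ui.find("mdui:PrivacyStatementURL", NS)
    if url is not None:
        info["privacy_statement_url"] = (url.text or "").strip()
    for logo in ui.findall("mdui:Logo", NS):
        info["logos"].append({
            "url": (logo.text or "").strip(),
            "width": int(logo.get("width", 0)),
            "height": int(logo.get("height", 0)),
        })
    return info


def parse_requested_attributes(xml_text):
    """Group md:RequestedAttribute elements by FriendlyName and protocol form."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        key = ra.get("FriendlyName") or ra.get("Name")
        entry = attrs.setdefault(key, {"saml1": None, "saml2": None, "values": []})
        fmt = ra.get("NameFormat")
        if fmt == SAML1_FORMAT:
            entry["saml1"] = ra.get("Name")
        elif fmt == SAML2_FORMAT:
            entry["saml2"] = ra.get("Name")
        for v in ra.findall("saml:AttributeValue", NS):
            text = (v.text or "").strip()
            if text and text not in entry["values"]:
                entry["values"].append(text)
    return attrs


def check_metadata(xml_text):
    """Return findings an SP administrator should fix before saving metadata."""
    findings = []
    ui = parse_ui_info(xml_text)
    if not ui["display_name"]:
        findings.append("missing mdui:DisplayName")
    if not ui["privacy_statement_url"]:
        findings.append("missing mdui:PrivacyStatementURL (some users will decline release)")
    for logo in ui["logos"]:
        # https check is this example's assumption, not a page requirement.
        if urlparse(logo["url"]).scheme != "https":
            findings.append(f"logo {logo['url']} is not served over https")
        if logo["width"] <= 0 or logo["height"] <= 0:
            findings.append(f"logo {logo['url']} lacks width/height attributes")
    attrs = parse_requested_attributes(xml_text)
    if not attrs:
        findings.append("no md:RequestedAttribute elements (at least one is required)")
    for friendly, entry in attrs.items():
        if entry["saml1"] is None or entry["saml2"] is None:
            findings.append(f"{friendly}: needs both a SAML1 and a SAML2 RequestedAttribute")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA):
        print(finding)
```

Run against the embedded sample, the script reports the http logo and the eduPersonPrincipalName attribute that has only a SAML2 form; the well-formed eduPersonScopedAffiliation pair and its requested value pass. Point it at an SP's real metadata (after the Save step above) to confirm that the wizard produced both protocol forms for every attribute you selected.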


Software Support

...