...

Thus, we expect assurance deployment to be gradual, and we will continue to evolve documentation to reflect what we learn. We also encourage deployers to talk to their software suppliers about the support (or lack thereof) of these features.

IAQs in Metadata

InCommon Operations will add identity assurance qualifiers (IAQs) to published metadata following notification of certification by InCommon management. IAQs will be added to the appropriate IdP entity descriptor of the certified IdP operator (IdPO).

IAQs are provided in metadata so that supporting software may be configured to make use of the information when processing assertions containing assurance qualifiers. Participants are not obligated to enforce policies or otherwise make use of these qualifiers, however.

Proposed IAQ URIs are:

Silver: http://id.incommon.org/assurance/silver
Bronze: http://id.incommon.org/assurance/bronze

There will likely be a need for IAQs to be used during interoperability testing:

Silver: http://id.incommon.org/assurance/silver-test
Bronze: http://id.incommon.org/assurance/bronze-test

Note that all of the above URIs will most likely resolve to actual web pages at some point.

Technical Details

The following extension is an immediate child element of the IdP's <md:EntityDescriptor> element in metadata:


<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>http://id.incommon.org/assurance/silver-test</saml:AttributeValue>
      <saml:AttributeValue>http://id.incommon.org/assurance/bronze-test</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</md:Extensions>

The <mdattr:EntityAttributes> element and the name of the SAML Attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification) are defined by the OASIS specification SAML V2.0 Metadata Extension for Entity Attributes and the OASIS SAML V2.0 Identity Assurance Profiles, respectively.
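As an added illustration (not part of this wiki page, InCommon's software, or the attached sample), the following Python extracts the certified IAQs from an IdP's EntityDescriptor and checks whether a qualifier claimed in an assertion is actually published for that IdP; the entityID and the embedded metadata fragment are constructed, not real InCommon metadata:

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: one IdP EntityDescriptor carrying the extension shown above.
# The entityID is a placeholder, not a real InCommon IdP.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>http://id.incommon.org/assurance/silver-test</saml:AttributeValue>
        <saml:AttributeValue>http://id.incommon.org/assurance/bronze-test</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def certified_iaqs(entity_descriptor_xml):
    """Return the set of IAQ URIs this EntityDescriptor is certified for.

    Only an assurance-certification Attribute found at
    md:Extensions/mdattr:EntityAttributes and using the URI NameFormat
    counts; any other attribute in the descriptor is ignored.
    """
    root = ET.fromstring(entity_descriptor_xml)
    iaqs = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_CERT or attr.get("NameFormat") != URI_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                iaqs.add(value.text.strip())
    return iaqs


def asserted_iaq_is_certified(entity_descriptor_xml, asserted_iaq):
    """True only if the IAQ claimed in an assertion is published for this IdP."""
    return asserted_iaq in certified_iaqs(entity_descriptor_xml)
```

An SP that enforces assurance would run this check against the trusted, signed metadata it already consumes, so that an IdP cannot claim a qualifier in an assertion that InCommon has not certified for it.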

A complete, working metadata sample is attached to this wiki topic. To schema validate this sample metadata, you can use XmlSecTool:

...

xmlsectool.sh --validateSchema \
    --schemaDirectory schema-files --inFile incommon-idp-metadata.xml

For convenience, we provide a set of (suitably modified) schema files that permit offline schema validation.

InCommon Practices

See: InCommon Practices - Certification and Metadata

SP Behavior

See: Assurance - Service Provider Behavior.

...