...
R&S IdPs in the InCommon Federation are currently in the process of migrating to global R&S. Likewise new R&S IdPs will be encouraged to support global R&S as well. More importantly, InCommon will soon begin importing the metadata of R&S IdPs from other federations. In anticipation of these events, existing R&S SP owners should begin thinking about their migration strategy to global R&Sto develop a migration strategy for global R&S.
Since all R&S SPs in the InCommon Federation now meet the requirements of the international REFEDS Research & Scholarship Entity Category specification, R&S SPs have a multivalued R&S entity attribute in InCommon metadata. In that sense, all R&S SPs have successfully migrated to global R&S. However, if an R&S SP deployment depends on the R&S entity attribute in IdP metadata, then additional migration steps may be required since the entity attributes in IdP metadata will change as IdPs declare their support for global R&S.
For example, a small number of R&S SP deployments are known to filter IdP metadata such that R&S IdPs are the only IdPs exposed on the SP's discovery interface. Such an SP is dependent upon the R&S entity attribute in IdP metadata.
| Note |
|---|
| If your SP configuration deployment depends on the R&S entity attribute in IdP metadata, please read on. Otherwise there is nothing further you need to do to migrate to global R&S. |
An SP configuration that deployment that depends on the R&S entity attribute in IdP metadata almost certainly recognizes the legacy incommon.org R&S entity attribute value:
...
since IdPs that support global R&S will necessarily carry the latter in their metadata. Indeed, R&S IdPs from other federations will carry the refeds.org R&S tag exclusively.Today an InCommon IdP that supports global R&S (i.e., releases attributes to ALL R&S SPs) has a multivalued
| Warning | ||
|---|---|---|
| ||
| An R&S IdP will carry either the incommon.org R&S tag or the refeds.org R&S tag but not both. An SP that depends on the R&S entity attribute in IdP metadata must take this fact into account. |
To configure an instance of Shibboleth SP 2.5 (and later) to restrict its discovery interface to R&S IdPs, add the following DiscoveryFilter to your MetadataProvider:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!--
As the refeds.org R&S tag becomes more prevalent, the
order of the attributes should be reversed for efficiency.
-->
<DiscoveryFilter type="Whitelist" matcher="EntityAttributes">
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</DiscoveryFilter> |
The above configuration requires Shibboleth SP v2.5 (or later). Be aware that filtering entity metadata from the discovery interface is not the same as filtering the metadata in the first place. If the latter is really what you want to do, replace the <DiscoveryFilter> with an identical <MetadataFilter> as in the previous example.
See the Shibboleth Metadata Config topic for a complete example of a MetadataProvider. The above DiscoveryFilter element may be added to that MetadataProvider.
its metadata. Eventually this multivalued R&S entity attribute will be removed.