...
Warning: An R&S IdP will carry either the incommon.org R&S tag or the refeds.org R&S tag, but not both. An SP that depends on the R&S entity attribute in IdP metadata must take this fact into account.
For example, a Shibboleth SP that restricts its discovery interface to R&S IdPs only might configure the following:
```xml
<!--
    The following MetadataProvider attempts to refresh the
    InCommon production metadata aggregate every hour.
-->
<MetadataProvider type="XML"
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600"
    legacyOrgNames="true">

    <!-- Verify the signature on the metadata file -->
    <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

    <!--
        Require a validUntil XML attribute on the EntitiesDescriptor element
        and make sure its value is no more than 14 days into the future
    -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

    <!--
        As the refeds.org R&S tag becomes more prevalent, the
        order of the attributes should be reversed for efficiency.
    -->
    <MetadataFilter type="Whitelist" matcher="EntityAttributes">
        <saml:Attribute
            Name="http://macedir.org/entity-category-support"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute
            Name="http://macedir.org/entity-category-support"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
    </MetadataFilter>
</MetadataProvider>
```
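
The filter above has to accept either R&S tag. As an added example (not part of the original page and not Shibboleth code), the following Python script applies the same either-tag test to a metadata aggregate, so you can check which IdPs such a filter keeps and what is lost when only one tag is listed. The function names and the sample entities are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORT = "http://macedir.org/entity-category-support"
INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

def rs_idps(metadata_xml, accepted=(INCOMMON_RS, REFEDS_RS)):
    """Map entityID -> matched tag for IdPs that declare support for an accepted
    R&S category. Assumes the aggregate's signature was already verified."""
    matches = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and other roles are out of scope for discovery
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in entity.findall(path, NS):
            if attr.get("Name") != SUPPORT:
                continue
            for value in attr.findall("saml:AttributeValue", NS):
                tag = (value.text or "").strip()
                if tag in accepted:
                    matches[entity.get("entityID")] = tag
    return matches

def idp_xml(entity_id, tag=None):
    """Build a constructed, minimal (not schema-valid) IdP entity."""
    ext = ""
    if tag:
        ext = ('<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%s">'
               '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
               '</mdattr:EntityAttributes></md:Extensions>' % (SUPPORT, tag))
    return ('<md:EntityDescriptor entityID="%s">%s<md:IDPSSODescriptor/>'
            '</md:EntityDescriptor>' % (entity_id, ext))

# Constructed sample aggregate: one IdP per tag, plus one with no R&S tag.
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" '
          'xmlns:saml="%(saml)s">' % NS
          + idp_xml("https://idp-a.example.edu/idp", INCOMMON_RS)
          + idp_xml("https://idp-b.example.org/idp", REFEDS_RS)
          + idp_xml("https://idp-c.example.net/idp")
          + "</md:EntitiesDescriptor>")

if __name__ == "__main__":
    print("both tags:    ", sorted(rs_idps(SAMPLE)))
    print("incommon only:", sorted(rs_idps(SAMPLE, accepted=(INCOMMON_RS,))))
```

Checking for only one tag silently drops every IdP that carries the other, which is the failure the warning above describes.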