...
IdP Uses of the Registered By InCommon Category
Typically, an IdP will use the registered-by-incommon
entity attribute (if it uses it all) to constrain its attribute release policy. A number of sample policy rules are illustrated in the subsections below.
Note | ||
---|---|---|
| ||
An interoperable IdP consumes all the SP metadata in the world, no exceptions. Consequently, an IdP does not filter metadata. Instead an interoperable IdP implements a rational set of attribute release rules, subject to local policy. |
Anchor | ||||
---|---|---|---|---|
|
...
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- this policy is active for a requester with the following entity attribute -->
<!-- (for Shib IdP V3, use type saml:EntityAttributeExactMatch instead) -->
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/> |
...
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- this policy is active for a requester whose registrar has the given ID --> <afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority" registrars="https://incommon.org"/> |
The value of the registrars
XML attribute above is the globally unique registrar ID for the InCommon registrar.
Anchor | ||||
---|---|---|---|---|
|
...
To facilitate the migration suggested by the previous examples, all R&S SPs registered by InCommon have a multivalued R&S entity attribute in metadata.
It is believed thought that some R&S IdPs will want to retain their current attribute release policy for a time. An instance of Shibboleth IdP V2 may leverage the Registered By InCommon Category to retain its current attribute release policy but without relying on the legacy InCommon R&S entity attribute value:
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
<afp:PolicyRequirementRule xsi:type="basic:AND">
<basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule> |
...
For more information about configuring an IdP for Research & Scholarship, consult the R&S Attribute Bundle Config topic in the wiki.
SP Uses of the Registered By InCommon Category
Filtering Untrusted Metadata
SPs typically leverage entity attributes up front when metadata is consumed. The registered-by-incommon
entity attribute may be used to customize the discovery interface, or in some special circumstances, to filter metadata altogether.
See the Shibboleth Metadata Config topic for a complete example of a MetadataProvider
. At most one of the following MetadataFilter
elements may be added to that MetadataProvider
.
Filtering Untrusted Metadata
To Add the following MetadataFilter
to a MetadataProvider
to filter all but InCommon metadata, add the following MetadataFilter
to your SP's MetadataProvider
:
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- consume only InCommon metadata --> <MetadataFilter type="Whitelist" matcher="EntityAttributes"> <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue> </saml:Attribute> </MetadataFilter> |
The above policy is severe but sometimes warranted but not always. A more relaxed policy will simply filter the metadata from the discovery interface, as shown in the next section.
Customizing Discovery Interfaces
Here's a complete metadata configuration with a carefully customized discovery interfaceTo show all IdPs with the registered-by-incommon
entity attribute, add the following MetadataFilter
to your SP's MetadataProvider
:
Code Block | |||||
---|---|---|---|---|---|
| |||||
<!-- The following MetadataProvider refreshes the main InCommon aggregate. --> <MetadataProvider type="XML" url="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600"> <!-- Verify the signature on the metadata file --> <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/> <!-- Require a validUntil XML attribute on the EntitiesDescriptor element and make sure its value is no more than 14 days into the future --> <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/> <!-- Consume all IdP metadata in the aggregate --> <MetadataFilter type="EntityRoleWhiteList"> <RetainedRole>md:IDPSSODescriptor</RetainedRole> <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole> </MetadataFilter> <!-- Show all IdPs with the registered-by-incommon entity attribute --> <DiscoveryFilter type="Whitelist" matcher="EntityAttributes" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="http://id.incommon.org/category/registered-by-incommon"/> <!-- Hide all IdPs with the hide-from-discovery entity attribute --> <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="http://refeds.org/category/hide-from-discovery"/> </MetadataProvider> |
Keep in mind that hiding an IdP from the discovery interface does not prevent the SP from accepting an assertion from that IdP.