...
Typically, an IdP will use the registered-by-incommon entity attribute (if it uses it at all) to constrain its attribute release policy. A number of sample policy rules are illustrated in the subsections below.
Note: An interoperable IdP consumes all the SP metadata in the world, no exceptions. Consequently, an IdP does not filter metadata. Instead an interoperable IdP implements a rational set of attribute release rules, subject to local policy.
...
```xml
<!-- this policy is active for a requester with the following entity attribute -->
<!-- (for Shib IdP V3, use type saml:EntityAttributeExactMatch instead) -->
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
```
...
To facilitate the migration suggested by the previous examples, all R&S SPs registered by InCommon have a multivalued R&S entity attribute in metadata.
It is thought that some R&S IdPs will want to retain their current attribute release policy for a time. An instance of Shibboleth IdP V2 may leverage the Registered By InCommon Category to retain its current attribute release policy without relying on the legacy InCommon R&S entity attribute value:
```xml
<!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>
```
...
For more information about configuring an IdP for Research & Scholarship, consult the R&S Attribute Bundle Config topic in the wiki.
SP Uses of the Registered By InCommon Category
SPs typically leverage entity attributes up front when metadata is consumed. The registered-by-incommon entity attribute may be used to customize the discovery interface or, in some special circumstances, to filter metadata altogether.
See the Shibboleth Metadata Config topic for a complete example of a MetadataProvider. At most one of the following MetadataFilter elements may be added to that MetadataProvider.
Filtering Untrusted Metadata
...
```xml
<!-- consume only InCommon metadata -->
<MetadataFilter type="Whitelist" matcher="EntityAttributes">
  <saml:Attribute Name="http://macedir.org/entity-category"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
  </saml:Attribute>
</MetadataFilter>
```
...
Customizing Discovery Interfaces
Here's a complete metadata configuration with a customized discovery interface. To show all IdPs with the registered-by-incommon entity attribute, add the following MetadataFilter to your SP's MetadataProvider:
```xml
<!-- The following MetadataProvider refreshes the main InCommon aggregate. -->
<MetadataProvider type="XML" url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                  backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!-- Require a validUntil XML attribute on the EntitiesDescriptor element
       and make sure its value is no more than 14 days into the future -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!-- Show all IdPs with the registered-by-incommon entity attribute -->
  <DiscoveryFilter type="Whitelist" matcher="EntityAttributes"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <!-- Hide all IdPs with the hide-from-discovery entity attribute -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://refeds.org/category/hide-from-discovery"/>

</MetadataProvider>
```
Keep in mind that hiding an IdP from the discovery interface does not prevent the SP from accepting an assertion from that IdP.
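The following script is an added example, not part of this wiki page and not Shibboleth code. It reads the mdattr:EntityAttributes extension from a SAML metadata aggregate and applies the same exact-match logic that the rules above express, on both sides: the IdP's "R&S AND registered-by-incommon" policy rule, and the SP's Whitelist MetadataFilter and Whitelist/Blacklist DiscoveryFilters. The aggregate it parses is constructed sample data and the entity IDs are placeholders; the function names are the example's own. Its last check illustrates the caveat just stated: an IdP hidden from discovery, or never whitelisted for discovery, is still trusted unless a MetadataFilter removes it from metadata.

```python
"""Evaluate the entity-attribute rules on this page over a SAML metadata aggregate."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"
RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"


@dataclass
class Entity:
    entity_id: str
    roles: set = field(default_factory=set)    # local names of role elements, e.g. "IDPSSODescriptor"
    attrs: dict = field(default_factory=dict)  # entity attribute Name -> set of values


def _entity_xml(entity_id, role, *categories):
    """Build one constructed EntityDescriptor carrying the given entity-category values."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    ext = (f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}" '
           f'NameFormat="{URI_FORMAT}">{values}</saml:Attribute></mdattr:EntityAttributes>'
           '</md:Extensions>') if categories else ""
    return f'<md:EntityDescriptor entityID="{entity_id}">{ext}<md:{role}/></md:EntityDescriptor>'


# Constructed sample aggregate; the entity IDs are placeholders, not real deployments.
IDP_A = "https://idp-a.example.edu/idp/shibboleth"  # registered by InCommon, visible
IDP_B = "https://idp-b.example.edu/idp/shibboleth"  # registered by InCommon, hidden from discovery
IDP_C = "https://idp-c.example.org/idp/shibboleth"  # registered by another federation
SP_D = "https://sp-d.example.edu/shibboleth"        # R&S, registered by InCommon
SP_E = "https://sp-e.example.org/shibboleth"        # R&S, registered elsewhere
SAMPLE_AGGREGATE = (
    f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" xmlns:saml="{NS["saml"]}">'
    + _entity_xml(IDP_A, "IDPSSODescriptor", REGISTERED_BY_INCOMMON)
    + _entity_xml(IDP_B, "IDPSSODescriptor", REGISTERED_BY_INCOMMON, HIDE_FROM_DISCOVERY)
    + _entity_xml(IDP_C, "IDPSSODescriptor")
    + _entity_xml(SP_D, "SPSSODescriptor", RESEARCH_AND_SCHOLARSHIP, REGISTERED_BY_INCOMMON)
    + _entity_xml(SP_E, "SPSSODescriptor", RESEARCH_AND_SCHOLARSHIP)
    + "</md:EntitiesDescriptor>"
)


def parse_aggregate(xml_text):
    """Return every EntityDescriptor with its roles and its mdattr:EntityAttributes."""
    root = ET.fromstring(xml_text)
    entities = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        ent = Entity(ed.get("entityID"))
        for child in ed:
            local = child.tag.split("}", 1)[1]
            if local.endswith("Descriptor"):
                ent.roles.add(local)
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            vals = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
            ent.attrs.setdefault(attr.get("Name"), set()).update(vals)
        entities.append(ent)
    return entities


def has_entity_attribute(entity, name, value):
    """Exact match on one entity attribute: the test behind the EntityAttributeExactMatch
    rules and the EntityAttributes matchers shown on this page."""
    return value in entity.attrs.get(name, set())


def idp_rs_policy_applies(sp):
    """IdP side: the basic:AND rule, R&S AND registered-by-incommon."""
    return (has_entity_attribute(sp, ENTITY_CATEGORY, RESEARCH_AND_SCHOLARSHIP)
            and has_entity_attribute(sp, ENTITY_CATEGORY, REGISTERED_BY_INCOMMON))


def whitelist_metadata(entities):
    """SP side: the Whitelist MetadataFilter drops every entity lacking the attribute."""
    return [e for e in entities if has_entity_attribute(e, ENTITY_CATEGORY, REGISTERED_BY_INCOMMON)]


def discovery_choices(entities):
    """SP side: the Whitelist then Blacklist DiscoveryFilters, applied to the IdPs in metadata."""
    idps = [e for e in entities if "IDPSSODescriptor" in e.roles]
    shown = [e for e in idps if has_entity_attribute(e, ENTITY_CATEGORY, REGISTERED_BY_INCOMMON)]
    return [e for e in shown if not has_entity_attribute(e, ENTITY_CATEGORY, HIDE_FROM_DISCOVERY)]


def trusted_but_hidden(entities):
    """IdPs still in metadata (so their assertions are accepted) that discovery does not list."""
    listed = {e.entity_id for e in discovery_choices(entities)}
    return [e for e in entities if "IDPSSODescriptor" in e.roles and e.entity_id not in listed]


def main():
    ents = parse_aggregate(SAMPLE_AGGREGATE)
    for e in ents:
        if "SPSSODescriptor" in e.roles:
            print(f"IdP R&S rule applies to {e.entity_id}: {idp_rs_policy_applies(e)}")
    print("discovery shows:", [e.entity_id for e in discovery_choices(ents)])
    print("hidden but still trusted (discovery filters only):",
          [e.entity_id for e in trusted_but_hidden(ents)])
    print("hidden but still trusted (with Whitelist MetadataFilter):",
          [e.entity_id for e in trusted_but_hidden(whitelist_metadata(ents))])


if __name__ == "__main__":
    main()
```

With only the DiscoveryFilters in place, both the hidden InCommon IdP and the IdP registered elsewhere stay in the SP's trust set; adding the Whitelist MetadataFilter removes the latter from metadata entirely, which is the difference between customizing discovery and filtering metadata that the two sections above describe.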