A Shibboleth SP config that leverages multiple entity attributes (earlier title: Filter non-InCommon IdPs from the discovery interface)
<!--
  MetadataProvider for the main InCommon aggregate. The aggregate is
  fetched over plain HTTP, so the Signature filter below is what
  establishes trust in its contents; the filters are applied in the
  order they are listed.
-->
<MetadataProvider type="XML"
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml"
    maxRefreshDelay="3600">

  <!-- Reject the aggregate unless its XML signature verifies against inc-md-cert.pem -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
    Reject the aggregate unless its EntitiesDescriptor carries a validUntil
    attribute no more than 1209600 seconds (14 days) in the future, so a
    stale copy cannot remain in use indefinitely.
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Retain only the IdP roles listed here; other roles in the aggregate are dropped -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!--
    Discovery filters shape the IdP chooser only; they do not change which
    IdPs the SP will accept assertions from. This one shows only entities
    carrying the registered-by-incommon entity category.
  -->
  <DiscoveryFilter type="Whitelist"
      matcher="EntityAttributes"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <!-- Of those, hide entities carrying the REFEDS hide-from-discovery entity category -->
  <DiscoveryFilter type="Blacklist"
      matcher="EntityAttributes"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery"/>

</MetadataProvider>
<!-- Hiding an IdP from the discovery interface does NOT prevent the SP from accepting an assertion from that IdP -->

Keep in mind that hiding an IdP from the discovery interface does not prevent the SP from accepting an assertion from that IdP.