...
IdP Uses of the Registered By InCommon Category
Typically, an IdP will use the registered-by-incommon entity attribute (if it uses it all) to constrain its attribute release policy. A number of sample policies are illustrated in the subsections below.
| Anchor | ||||
|---|---|---|---|---|
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!-- this policy is active for a requester whose registrar has the given ID -->
<afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority"
registrars="https://incommon.org"/> |
The value of the registrars XML attribute above is the globally unique registrar ID for the InCommon registrar.
| Anchor | ||||
|---|---|---|---|---|
|
...
SP Uses of the Registered By InCommon Category
SPs typically leverage entity attributes up front when metadata is consumed. The registered-by-incommon entity attribute may be used to customize the discovery interface, or in some special circumstances, to filter metadata altogether.
Filtering Untrusted Metadata
Add To filter all but InCommon metadata, add the following MetadataFilter to a MetadataProvider to filter all but InCommon metadatayour SP's MetadataProvider:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!-- consume only InCommon metadata --> <MetadataFilter type="Whitelist" matcher="EntityAttributes"> <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue> </saml:Attribute> </MetadataFilter> |
The above policy is severe but sometimes warranted but not always. A more relaxed policy will simply filter the metadata from the discovery interface, as shown in the next section.
...
Here's a complete metadata configuration with a carefully customized discovery interface:
...