User Interface Elements in IdP Metadata

This page describes how an InCommon site administrator adds user interface elements to IdP metadata. These elements are used by SP implementations to enhance their user interfaces, especially the discovery interface.

Hide From Discovery Category

To discourage SPs from including your IdP on discovery interfaces, you can self-assert membership in the Hide From Discovery Category.

Updating IdP Metadata

Log into the Federation Manager as usual. Along the left-hand side, click the link "Identity Provider Metadata Wizard," then click "Edit," and then click "Add New User Interface Elements." A web form to enter the new elements will appear (see screen shot to the right). When you press "Save," an <mdui:UIInfo> extension element will be inserted into your metadata. From that point onward, the user interface elements for your IdP may be managed by clicking "Edit" in the "Identity Provider Metadata Wizard."

User Interface Elements

All of the input fields below except Display Name are optional for IdPs.

IdP Display Name

Typically, the IdP Display Name field will be presented on IdP discovery service interfaces. In practice, if the <mdui:DisplayName> element does not exist in metadata, applications usually fall back on the <md:OrganizationDisplayName> element. The latter is a poor substitute for the IdP Display Name, however, since it assumes an organization deploys at most one IdP.

The <mdui:DisplayName> element is REQUIRED for all IdPs registered by InCommon. It is RECOMMENDED that the value of the <mdui:DisplayName> element be 40 characters or less.

Site administrators are encouraged to log into the Federation Manager and edit their IdP Display Name to make it easier for users to find their IdP on discovery interfaces. The InCommon RA will perform a reasonableness check on edited values of the IdP Display Name. Unreasonable values will not be accepted.

Edit the IdP Display Name with care!

Edit the user-facing IdP Display Name with care. To avoid duplicates and other anomalies on discovery interfaces, browse the complete list of IdP display names in InCommon metadata before changing your IdP Display Name.

Since the Site Administrator can edit the IdP Display Name field, the ultimate responsibility for disambiguating duplicate or similar IdP Display Names rests with the Site Administrator (not the InCommon RA). To assist with this effort, we provide a current list of IdP display names in InCommon metadata as they will appear on a typical discovery interface (by that we mean a discovery interface that falls back on the <md:OrganizationDisplayName> element if the <mdui:DisplayName> element does not exist in metadata).

IdP Description

The IdP Description is a brief description of the IdP service. On a well-designed discovery interface, the IdP Description will be presented to the user in addition to the IdP Display Name, and so the IdP Description helps disambiguate duplicate or similar IdP Display Names.

The <mdui:Description> element is OPTIONAL in InCommon metadata but IdP operators are encouraged to supply it. It is RECOMMENDED that the value of the <mdui:Description> element be 140 characters or less.

IdP Information URL

The IdP Information URL is a link to a comprehensive information page about the IdP. This page should expand on the content of the IdP Description field.

The <mdui:InformationURL> element is OPTIONAL.

IdP Privacy Statement URL

The IdP Privacy Statement URL is a link to the IdP's Privacy Statement. The content of the Privacy Statement should be targeted at end users.

The <mdui:PrivacyStatementURL> element is OPTIONAL. It is recommended that IdPs use this URL to point directly (or indirectly through another document) to the IdP's Attribute Release Process.

IdP Logo URL

The IdP Logo URL in metadata points to an image file on a remote server. A discovery service, for example, may rely on a visual cue (i.e., a logo) instead of or in addition to the IdP Display Name.

An IdP operator SHOULD supply an <mdui:Logo> element in metadata. A logo will help disambiguate duplicate or similar IdP Display Names on the discovery interface.

IdP operators are encouraged to provide an IdP Logo URL that satisfies the following requirements:

  • the IdP Logo URL must be specified using an HTTPS URL
  • the resource at the IdP Logo URL must be publicly accessible
  • the host in the IdP Logo URL should reside in a domain owned by the IdP

The first two are technical requirements whereas the last is a policy requirement. Only the first requirement is strictly enforced.

Logo HTTPS URL

The server that serves the logo resource MUST be protected with a TLS certificate trusted by the browser (i.e., not a self-signed certificate), otherwise the logo may not appear on a dynamically generated web page.

The actual size of the logo may vary. You will be asked to enter the actual width and height of the logo (in pixels). A typical application expects a maximum height of 150 pixels, and if need be, will scale the logo proportionally based on the actual width and height entered into metadata.

Generally useful logos will have the following characteristics:

  • the logo should have a transparent background
  • the logo should have a landscape orientation (width > height)
  • the logo should have a minimum width of 100 pixels
  • the logo should have a minimum height of 75 pixels and a maximum height of 150 pixels (or the application will scale it proportionally)

Logos that meet the minimum width and height requirements can be scaled down by the application as needed. Logos that do not meet the minimum width and height requirements may be ignored by applications.

There is no consensus as to what constitutes an optimal aspect ratio. For some applications, an aspect ratio between 4:3 and 16:9 is considered optimal. Other applications will have a page layout such that an approximate 2.5 aspect ratio is optimal. A future version of the administrative interface will accept multiple logo URLs so that sites may present a variety of logos to applications.
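The requirements and recommendations in this section can be checked mechanically before a change is submitted. The following is an added example, not InCommon or Federation Manager code: it parses a single <md:EntityDescriptor> and reports where its <mdui:UIInfo> departs from the values given on this page. The function name check_uiinfo and the sample metadata (entityID, host names, text) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}

# Constructed sample: entityID, host names and text are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:Description xml:lang="en">Login service for Example University students, faculty and staff.</mdui:Description>
        <mdui:InformationURL xml:lang="en">https://www.example.edu/idp/about</mdui:InformationURL>
        <mdui:PrivacyStatementURL xml:lang="en">https://www.example.edu/idp/privacy</mdui:PrivacyStatementURL>
        <mdui:Logo xml:lang="en" width="60" height="200">http://www.example.edu/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_uiinfo(xml_text):
    """Return a list of findings for the IdP's mdui:UIInfo element."""
    root = ET.fromstring(xml_text)  # assumes the root is one md:EntityDescriptor
    ui = root.find("md:IDPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        return ["ERROR: no mdui:UIInfo in IDPSSODescriptor"]
    findings = []
    if not any((n.text or "").strip() for n in ui.findall("mdui:DisplayName", NS)):
        findings.append("ERROR: mdui:DisplayName is required")
    # Recommended maximum lengths: 40 (DisplayName) and 140 (Description).
    for tag, limit in (("DisplayName", 40), ("Description", 140)):
        for el in ui.findall(f"mdui:{tag}", NS):
            if len((el.text or "").strip()) > limit:
                findings.append(f"WARN: mdui:{tag} longer than {limit} characters")
    for logo in ui.findall("mdui:Logo", NS):
        url = urlparse((logo.text or "").strip())
        if url.scheme != "https":  # the one strictly enforced logo requirement
            findings.append("ERROR: logo URL must use HTTPS")
        w, h = int(logo.get("width", 0)), int(logo.get("height", 0))
        if w < 100 or h < 75:
            findings.append("WARN: logo below 100x75 minimum, may be ignored")
        if h > 150:
            findings.append("WARN: logo taller than 150 px, will be scaled")
        if w <= h:
            findings.append("WARN: logo is not landscape (width > height)")
    return findings
```

Running check_uiinfo(SAMPLE) flags the logo's plain-HTTP URL as an error and warns about its dimensions; it does not fetch the logo, so the TLS certificate and public accessibility still need to be checked in a browser.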

Software Support

The InCommon Federation entity information pages display the values of all user interface elements in metadata. The information pages are refreshed daily, in parallel with InCommon metadata.

To our knowledge, the only application that supports the <mdui:UIInfo> extension element in IdP metadata is the Shibboleth Embedded Discovery Service. If you know of other software applications that support <mdui:UIInfo>, please share this information with the community.
