Interfederation Technical Policy Rules
Metadata Import Policy
Basic Metadata Import Policy
Global metadata is imported directly into the main production aggregate.
The following import rules are currently implemented:
- Silently remove all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Entities so marked must come from primary sources only.
- Remove (and log the removal of) all imported entities matching one or more of the following conditions:
  - Entities with an entityID that does not begin with one of the following prefixes: “http://”, “https://”, “urn:mace”
  - Entities with weak keys (which includes all keys less than 2048 bits in length)
    - The use of weak keys in metadata has security and privacy implications.
    - There are no weak keys in InCommon metadata and so we'd like to keep it that way.
  - IdP entities with a faulty <shibmd:Scope> element
    - Require regexp attribute on <shibmd:Scope>
    - Disallow <shibmd:Scope regexp="true">
  - IdP entities with an endpoint location that is not HTTPS-protected
  - IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    - In effect, all imported IdPs must support SAML2.
  - SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    - In effect, all imported SPs must support SAML2.
  - Entities containing literal CR characters.
  - Entities containing a misplaced or duplicated EntityAttributes element.
  - Entities with an EntityAttributes element that contains an Assertion element.
- Silently remove all entity attributes not on the Entity Attribute Whitelist (see subsection below)
- Remove (and log the removal of) all <mdui:Logo> elements (not entities) with a URL that is not HTTPS-protected.
- Silently remove all extended XML elements and attributes defined in namespaces not on the XML Namespace Whitelist (see subsection below)
- Silently remove all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
  - This happens because some SPs choose to join multiple federations.
  - Dozens of global SPs are filtered by this rule.
A number of additional rules are applied to ensure metadata correctness. Some common minor errors are corrected but entities failing checks such as XML schema validity are removed.
Log all of the following:
- entities filtered by an import rule
- entities removed for lack of schema validity
- entities modified in any way
View the published import filter logs
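As an added illustration of the import rules above (not InCommon's own filter code), the following Python checks a subset of them against a constructed aggregate: the entityID prefix rule, the registrationAuthority rule, HTTPS-only IdP endpoints, the <shibmd:Scope> regexp rule and the SAML2 binding requirements. Weak-key, CR-character and whitelist checks are left out; the entityIDs and endpoint URLs are made up.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
# These binding URNs exist only in SAML2, so finding one proves SAML2 support.
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PREFIXES = ("http://", "https://", "urn:mace")

def import_problems(ed):
    """Return the import-rule violations found in one md:EntityDescriptor."""
    problems = []
    if not ed.get("entityID", "").startswith(PREFIXES):
        problems.append("entityID prefix")
    reg = ed.find(".//mdrpi:RegistrationInfo", NS)
    if reg is not None and reg.get("registrationAuthority") == "https://incommon.org":
        problems.append("InCommon-registered entity from a non-primary source")
    for idp in ed.findall("md:IDPSSODescriptor", NS):
        for ep in idp.iter():  # every IdP endpoint location must be HTTPS
            if not ep.get("Location", "https://").startswith("https://"):
                problems.append("non-HTTPS IdP endpoint: " + ep.get("Location"))
        if not any(s.get("Binding") == REDIRECT
                   for s in idp.findall("md:SingleSignOnService", NS)):
            problems.append("no SAML2 HTTP-Redirect SingleSignOnService")
        for scope in idp.findall(".//shibmd:Scope", NS):
            if scope.get("regexp") in (None, "true"):  # require regexp, forbid "true"
                problems.append("faulty shibmd:Scope: " + (scope.text or ""))
    for sp in ed.findall("md:SPSSODescriptor", NS):
        if not any(a.get("Binding") == POST
                   for a in sp.findall("md:AssertionConsumerService", NS)):
            problems.append("no SAML2 HTTP-POST AssertionConsumerService")
    return problems

def check_aggregate(xml_text):
    """Map every entityID in an aggregate to its violations ([] means keep it)."""
    root = ET.fromstring(xml_text)
    return {ed.get("entityID"): import_problems(ed)
            for ed in root.iter("{%s}EntityDescriptor" % NS["md"])}

# Constructed sample aggregate: one compliant SP and one IdP that breaks two rules.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor>
 <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://sp.example.org/acs" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="urn:mace:example.org:idp"><md:IDPSSODescriptor>
 <md:Extensions><shibmd:Scope regexp="true">.*\\.example\\.org</shibmd:Scope></md:Extensions>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="http://idp.example.org/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Entities whose list is empty go into the aggregate; the non-empty lists are what the policy says must be logged.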
Entity Attribute Whitelist
Name | Value |
---|---|
http://macedir.org/entity-category | http://refeds.org/category/research-and-scholarship |
http://macedir.org/entity-category-support | http://refeds.org/category/research-and-scholarship |
http://macedir.org/entity-category | http://refeds.org/category/hide-from-discovery |
urn:oasis:names:tc:SAML:attribute:assurance-certification | https://refeds.org/sirtfi |
XML Namespace Whitelist
Namespace | Prefix |
---|---|
urn:oasis:names:tc:SAML:metadata:algsupport | alg |
http://www.w3.org/2000/09/xmldsig# | ds |
urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser | hoksso |
http://id.incommon.org/metadata | icmd |
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | idpdisc |
urn:oasis:names:tc:SAML:profiles:SSO:request-init | init |
urn:oasis:names:tc:SAML:2.0:metadata | md |
urn:oasis:names:tc:SAML:metadata:attribute | mdattr |
urn:oasis:names:tc:SAML:metadata:rpi | mdrpi |
urn:oasis:names:tc:SAML:metadata:ui | mdui |
http://refeds.org/metadata | remd |
urn:oasis:names:tc:SAML:2.0:assertion | saml |
urn:mace:shibboleth:metadata:1.0 | shibmd |
http://www.w3.org/2001/04/xmlenc# | xenc |
http://www.w3.org/XML/1998/namespace | xml |
http://www.w3.org/2001/XMLSchema-instance | xsi |
Metadata Export Policy
Basic Metadata Export Policy
InCommon Operations refreshes the export aggregate daily, in conjunction with the daily metadata-signing process.
- IdPs are exported by default (but may choose to opt out)
- SPs actively opt in to the export process
InCommon Operations reserves the right to prevent any entity from being exported.
The following export rules have been implemented:
- Filter all entities not having XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Only entities registered by InCommon will be exported.
- Filter the legacy incommon.org R&S entity attribute value from exported SP entity metadata: http://id.incommon.org/category/research-and-scholarship
  - This legacy attribute value remains in SP metadata for backwards compatibility only. We intend to completely remove this attribute value from SP metadata in the future.
  - This legacy attribute value has nothing to do with R&S interoperability outside of the InCommon Federation.
- Filter SAML1-only entities:
  - An SP entity not having at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding will not be exported.
  - An IdP entity not having a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding will not be exported.
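The import-side Entity Attribute Whitelist rule and the export-side legacy R&S filter both operate on the same mdattr:EntityAttributes structure, so this added Python example (not InCommon's code) implements both with one pruning routine over a constructed SP entity. The whitelist pairs are copied from the Entity Attribute Whitelist table above; the local category name and value are invented.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MDATTR = "{urn:oasis:names:tc:SAML:metadata:attribute}"
EC = "http://macedir.org/entity-category"
R_AND_S = "http://refeds.org/category/research-and-scholarship"
LEGACY_RS = "http://id.incommon.org/category/research-and-scholarship"
# Import-side whitelist, copied from the Entity Attribute Whitelist table above.
WHITELIST = {(EC, R_AND_S), (EC, "http://refeds.org/category/hide-from-discovery"),
             ("http://macedir.org/entity-category-support", R_AND_S),
             ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "https://refeds.org/sirtfi")}

def prune_entity_attributes(xml_text, keep):
    """Parse one EntityDescriptor, drop every (Name, value) pair in
    mdattr:EntityAttributes that keep() rejects, and return (kept, dropped) pairs."""
    ed = ET.fromstring(xml_text)
    kept, dropped = [], []
    for ea in ed.iter(MDATTR + "EntityAttributes"):
        for attr in list(ea.findall(SAML + "Attribute")):
            for val in list(attr.findall(SAML + "AttributeValue")):
                pair = (attr.get("Name"), val.text)
                if keep(*pair):
                    kept.append(pair)
                else:
                    dropped.append(pair)
                    attr.remove(val)
            if attr.find(SAML + "AttributeValue") is None:
                ea.remove(attr)  # nothing left under this Attribute: drop it too
    return kept, dropped

def import_filter(xml_text):
    """Import rule: silently remove entity attributes not on the whitelist."""
    return prune_entity_attributes(xml_text, lambda n, v: (n, v) in WHITELIST)

def export_filter(xml_text):
    """Export rule: strip only the legacy incommon.org R&S value."""
    return prune_entity_attributes(xml_text, lambda n, v: (n, v) != (EC, LEGACY_RS))

# Constructed sample SP with the REFEDS R&S value, the legacy value and a local category.
SAMPLE = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:Extensions><mdattr:EntityAttributes>
 <saml:Attribute Name="http://macedir.org/entity-category">
  <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="https://example.org/local-category">
  <saml:AttributeValue>https://example.org/local-category/tier1</saml:AttributeValue>
 </saml:Attribute>
</mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""
```

On import the local category and the legacy value are both dropped silently; on export only the legacy value goes, and an Attribute element left with no values is removed rather than exported empty.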
Extension schema required for exported metadata
Namespace | Prefix |
---|---|
http://id.incommon.org/metadata | icmd |
http://refeds.org/metadata | remd |
http://www.w3.org/2000/09/xmldsig# | ds |
http://www.w3.org/2001/XMLSchema-instance | xsi |
http://www.w3.org/XML/1998/namespace | xml |
urn:mace:shibboleth:metadata:1.0 | shibmd |
urn:oasis:names:tc:SAML:2.0:assertion | saml |
urn:oasis:names:tc:SAML:2.0:metadata | md |
urn:oasis:names:tc:SAML:metadata:attribute | mdattr |
urn:oasis:names:tc:SAML:metadata:rpi | mdrpi |
urn:oasis:names:tc:SAML:metadata:ui | mdui |
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | idpdisc |