To consume InCommon metadata, your IdP or SP must be able to make HTTPS requests to md.incommon.org (and to mdq.incommon.org if you use the MDQ Metadata Service). The Metadata Service is fronted by Amazon Web Services (AWS) CloudFront to provide a high-performing, fault-tolerant service. A consequence of that architecture is that the IP address(es) behind the Metadata Service host names change from time to time without notice, so any rule pinned to specific addresses will eventually break.

Check with your information security or networking teams to determine whether your organization enforces egress firewall rules that restrict access to outside resources. If it does, use one of the following approaches:

If your firewall product supports rules based on fully qualified domain names (FQDNs), configure it to allow outbound HTTPS (TCP port 443) from your IdP or SP to the following host names:

  • md.incommon.org
  • mdq.incommon.org

If dynamic, FQDN-based rules are not possible, configure your firewall to allow outbound HTTPS to the address ranges AWS publishes for CloudFront edge servers (the AWS documentation page Locations and IP Address Ranges of CloudFront Edge Servers; the same ranges are available in machine-readable form at https://ip-ranges.amazonaws.com/ip-ranges.json, filtered on the CLOUDFRONT service).

IMPORTANT: This range will change over time. Your network administrators must periodically re-check the published ranges and update the rules, or automate that comparison; a stale allow list will block metadata refresh as soon as an edge moves to a range you have not permitted. Note also that these ranges are shared by every CloudFront distribution, so an IP-based rule permits egress to any CloudFront-hosted site, not only to InCommon; the FQDN-based rule above is the tighter control where it is available.
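The following is an added example, not code from the InCommon page, showing how the periodic check in the note above can be automated: it parses a document in the shape of AWS's ip-ranges.json, keeps only the CLOUDFRONT prefixes, and reports which CIDRs must be added to or removed from the firewall's current allow list. It assumes the allow list is exported from the firewall as a list of CIDR strings and that the feed uses the "service" field AWS documents; the SAMPLE_FEED and the prefixes in it are constructed for the example and are not real AWS ranges.

```python
"""Compare an egress allow list with the CloudFront ranges AWS publishes.

Added example, not part of the InCommon page. Assumptions: the live feed is
https://ip-ranges.amazonaws.com/ip-ranges.json (fetch it with any HTTPS client
and pass the body to diff_allow_list); CloudFront entries carry
"service": "CLOUDFRONT". SAMPLE_FEED below is a constructed stand-in so the
script runs offline; its prefixes are documentation ranges, not AWS ranges.
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (not real AWS data).
SAMPLE_FEED = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        # Not CloudFront: must not end up in the allow list.
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_prefixes(feed_json: str) -> set:
    """Return the CloudFront IPv4 and IPv6 networks from an ip-ranges.json body."""
    data = json.loads(feed_json)
    nets = set()
    for entry in data.get("prefixes", []):
        if entry.get("service") == "CLOUDFRONT":
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry.get("service") == "CLOUDFRONT":
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    return nets


def diff_allow_list(current_rules, feed_json: str):
    """Compare the firewall's CIDRs with the feed.

    Returns (to_add, to_remove): published CloudFront ranges missing from the
    firewall, and firewall entries AWS no longer lists for CloudFront. Both are
    sorted lists of CIDR strings, ready to feed into a change ticket.
    """
    current = {ipaddress.ip_network(cidr) for cidr in current_rules}
    published = cloudfront_prefixes(feed_json)
    to_add = sorted(str(net) for net in published - current)
    to_remove = sorted(str(net) for net in current - published)
    return to_add, to_remove


def covered(ip: str, allow_cidrs) -> bool:
    """True if an address (e.g. one md.incommon.org resolves to right now)
    falls inside the allow list. Address-family mismatches simply return False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allow_cidrs)


if __name__ == "__main__":
    # Constructed allow list: one range is current, one is stale.
    firewall_rules = ["203.0.113.0/24", "192.0.2.0/24"]
    add, remove = diff_allow_list(firewall_rules, SAMPLE_FEED)
    print("add:", add)
    print("remove:", remove)
```

In operation, replace SAMPLE_FEED with the body fetched from the AWS URL and run the comparison on a schedule; a non-empty to_add is the signal that the firewall change the note above asks for is due. Resolving md.incommon.org and mdq.incommon.org from the IdP or SP host and passing each address to covered() is a quick way to confirm that the edges currently in use are inside the rule set.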

