Effective federation depends on IdPs that are both interoperable and trustworthy. To this end, a new IdP in metadata is subject to the following policy.
Each organization is allowed one IdP in metadata. By request, a second IdP in metadata may be purchased for an extra $1,000 per year.
Test IdPs in Metadata
Test IdPs in metadata are allowed but seldom needed. (This is why there is an extra charge for a second IdP in metadata.) Read the following policy carefully to understand the restrictions on test IdPs in metadata.
The first IdP inserted into metadata is assumed to be a production IdP. Do not submit temporary IdP metadata with the intention of changing it later on. IdP metadata that is obviously temporary (e.g., with the substring "test" in names and locations) is not allowed.
- The entity ID for every IdP in metadata is permanent and once established can not be changed. (Note that the Federation Manager currently allows the entity ID to be changed but such an update request will not be approved by the RA.)
- The display name for a production IdP (which is used by the InCommon Discovery Service and other discovery interfaces) is the name of the organization that signed the Participation Agreement. The RA is authoritative for this display name in IdP metadata.
- Choose your IdP Endpoints carefully. The endpoint locations in IdP metadata are permanent in the sense that if you later decide to change them, this will break interoperability with partner SPs. To restore interoperability with your IdP, each SP will have to refresh metadata.