Early in the boarding process, the InCommon Registration Authority (RA) associates a primary DNS domain with the participating organization. The WHOIS database system is consulted to confirm that the organization does in fact control this domain. The fact that the organization’s home page is rooted in the primary DNS domain provides additional evidence that the organization controls the domain in question.
Any metadata the organization submits is vetted against the primary DNS domain. In particular, the following metadata elements should be rooted in the primary DNS domain of the organization:
- the value of the
entityIDXML attribute, which is an identifier for the entity (SP or IdP) in metadata - the value of the
<md:OrganizationURL>element, which is the URL of the organization’s home page (mentioned earlier) - the values of certain user interface elements, especially the value of the
<mdui:Logo>element - the value of the
<shibmd:Scope>element, which is used by an IdP to construct so-called scoped attributes (such aseduPersonPrincipalName) - the values of any endpoint locations in metadata
The RA is authoritative for the organization URL (<md:OrganizationURL>) and the Scope (<shibmd:Scope>). The organization’s site administrator specifies the remaining values in metadata, which are vetted by the RA.
If the entityID and the endpoint locations are in fact rooted in the primary DNS domain, the submitted metadata is approved and the update request proceeds. Otherwise a manual vetting process is triggered, which may delay the approval process.