The InCommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Hide From Discovery Category

The Hide From Discovery entity category is a category of Identity Providers that are intended not to be shown on discovery interfaces by default.

Motivation

By and large, participants register an IdP for one or more of the following reasons:

  1. To interoperate with providers of commercial vendor services called Sponsored Partners
  2. To interoperate with Enterprise Services (co-located in the same security domain as the IdP)
  3. To interoperate with cross-domain Federation Services such as Research & Scholarship Category services and other collaborative services

To interoperate with Sponsored Partners and Enterprise Services, a bilateral arrangement is often needed, whereas Federation Services are "promiscuous" in the sense that they are willing and able to interoperate with any IdP. This gives rise to IdP Discovery, a user-driven process (or interface) to discover the federated user's preferred IdP.

An IdP that interoperates solely with Sponsored Partners and/or Enterprise Services may not need (or want) to be exposed on arbitrary discovery interfaces, in which case the IdP should declare the Hide From Discovery entity attribute in metadata. Federation Services can (and should) filter such IdPs from their discovery interfaces.

Procedure

For the most part, the Hide From Discovery entity attribute is intended to be self-asserted by IdP operators. InCommon Operations will eventually provide a self-service web app for this purpose. In the meantime, send email to admin@incommon.org with "Hide From Discovery" in the subject line to have the Hide From Discovery entity attribute added to your IdP's metadata.

Entity Attribute

An IdP calls out its desire to Hide From Discovery by asserting the following entity attribute in metadata (whitespace added for readability):

<mdattr:EntityAttributes
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>
      http://refeds.org/category/hide-from-discovery
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

Note: InCommon Operations may insert the above entity attribute into any IdP entity descriptor at its discretion. This may happen, for instance, if the IdP is experiencing an extended period of technical difficulties.

Configure the Shibboleth SP

To configure Shibboleth SP 2.5 (and later) to download and verify signed InCommon metadata every hour, and to filter on the Hide From Discovery entity attribute, do the following:

Configure Shib SP 2.5 (and later)
<!--
  The following MetadataProvider refreshes the InCommon production metadata aggregate.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future 
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!-- Filter all IdP entity descriptors tagged with the hide-from-discovery entity attribute -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery"/>

</MetadataProvider>

Compare the above MetadataProvider with a typical Shibboleth Metadata Config.
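The same filtering logic, written out as an added Python example (not code from the InCommon wiki or the Shibboleth project): it walks a SAML metadata aggregate, keeps only entities that carry an IDPSSODescriptor, and drops those asserting the hide-from-discovery entity attribute with the exact Name, NameFormat and value given above. The metadata aggregate embedded at the bottom is a constructed sample with hypothetical entityIDs; a real deployment would feed it the signature-verified aggregate the SP already downloads.

```python
import xml.etree.ElementTree as ET

# Namespaces and constants taken from the entity attribute shown on this page.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

def is_hidden(entity):
    """True if this EntityDescriptor asserts the hide-from-discovery category."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        # Match Name and NameFormat, as the SP DiscoveryFilter above does.
        if attr.get("Name") != ENTITY_CATEGORY or attr.get("NameFormat") != URI_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if (value.text or "").strip() == HIDE_FROM_DISCOVERY:
                return True
    return False

def discoverable_idps(metadata_xml):
    """entityIDs of IdPs that a discovery interface should list by default."""
    root = ET.fromstring(metadata_xml)
    shown = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # not an IdP, e.g. an SP-only entity
        if not is_hidden(entity):
            shown.append(entity.get("entityID"))
    return shown

# Constructed sample aggregate (hypothetical entityIDs): a hidden IdP, a visible IdP, an SP.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.hidden.example/idp">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category"><saml:AttributeValue>
      http://refeds.org/category/hide-from-discovery
    </saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.visible.example/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Running `discoverable_idps(SAMPLE)` returns only the visible IdP: the hidden IdP is filtered and the SP is never a discovery candidate.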

For More Information
