
The Registered By InCommon Category is coming!

Here is the timeline for implementing the Registered By InCommon Category:

  1. Friday, April 17, 2015: Introduce the registered-by-incommon entity attribute into the preview aggregate
  2. Friday, April 24, 2015: Sync the main aggregate with the preview aggregate
  3. Friday, May 1, 2015: Sync the fallback aggregate with the production aggregate

Since most deployments consume the main production aggregate, April 24th is the date to remember.

Currently, all entity metadata in the InCommon production aggregate was registered by the InCommon registrar, and therefore every entity descriptor contains the following extension element:

The RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The value of the registrationAuthority XML attribute in the previous extension element is the ID of the InCommon registrar. Every metadata registrar has such a globally unique identifier. As other metadata (such as eduGAIN metadata) is imported into the InCommon aggregate, the <mdrpi:RegistrationInfo> element will become a distinguishing characteristic of entity metadata.

Since the <mdrpi:RegistrationInfo> element is not widely supported in software, every occurrence of mdrpi:RegistrationInfo/@registrationAuthority="https://incommon.org" in metadata is replicated as a fixed entity attribute. This makes it easier for consumers to determine whether the registrar of a given entity descriptor is the InCommon registrar. That is the sole purpose of the Registered By InCommon Category.

The registered-by-incommon entity attribute
<md:Extensions
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
  <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category">
      <saml:AttributeValue>
        http://id.incommon.org/category/registered-by-incommon
      </saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</md:Extensions>

Note that the Registered By InCommon entity category applies to both SPs and IdPs. The semantics of the registered-by-incommon entity attribute are identical to mdrpi:RegistrationInfo/@registrationAuthority="https://incommon.org".

Practically speaking, the registered-by-incommon entity attribute is used by SP and IdP deployments to reverse the effects of importing eduGAIN entities into the InCommon production aggregate, that is, to filter the aggregate down to the entities that were registered by InCommon.
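The following script is an added example, not InCommon's own code or tooling. It shows how a metadata consumer can recognize an entity as registered by InCommon by either signal the page describes (the mdrpi:RegistrationInfo element or the registered-by-incommon entity attribute) and then filter an aggregate down to those entities, which is the "reverse the import" use case above. The sample aggregate, its entityIDs and the non-InCommon registrar value are constructed for the example; the namespace URIs, the registrar ID and the category URI are the ones given on this page.

```python
"""Classify entities in a SAML metadata aggregate by registrar.

Added example (not InCommon's code). It accepts either signal from the page:
  - mdrpi:RegistrationInfo/@registrationAuthority == "https://incommon.org"
  - the registered-by-incommon value of the entity-category entity attribute
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
INCOMMON_REGISTRAR = "https://incommon.org"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"

# Constructed sample aggregate (not real InCommon metadata): one entity carrying
# both signals, one carrying only the RegistrationInfo element, and one imported
# entity with a placeholder foreign registrar.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
      <mdattr:EntityAttributes>
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://id.incommon.org/category/registered-by-incommon
          </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.imported.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example/placeholder"/>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def registration_authority(entity):
    """Return the registrationAuthority of the entity, or None if absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def entity_categories(entity):
    """Return the set of entity-category values carried by the entity.

    Values are stripped because the attribute value on the page is written with
    surrounding whitespace and line breaks, which a naive string compare misses.
    """
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            for value in attr.findall("saml:AttributeValue", NS):
                values.add((value.text or "").strip())
    return values


def registered_by_incommon(entity):
    """True if either signal says the InCommon registrar registered the entity."""
    return (registration_authority(entity) == INCOMMON_REGISTRAR
            or REGISTERED_BY_INCOMMON in entity_categories(entity))


def classify(xml_text):
    """Map each entityID in the aggregate to whether InCommon registered it."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): registered_by_incommon(e)
            for e in root.findall("md:EntityDescriptor", NS)}


def filter_incommon_entities(xml_text):
    """entityIDs that survive a 'registered by InCommon only' filter."""
    return [eid for eid, ok in classify(xml_text).items() if ok]


if __name__ == "__main__":
    for entity_id, ok in classify(SAMPLE_AGGREGATE).items():
        print(("keep  " if ok else "drop  ") + entity_id)
```

The comparison against the registrar ID is exact; the page gives the value as "https://incommon.org" with no trailing slash, so a consumer should match that string rather than a normalized form, and rely on the entity attribute when its metadata software cannot read mdrpi:RegistrationInfo.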
