
eduGAIN Technical Policy Rules

Import Rules (in order)

  1. Filter all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
    1. Entities so marked must come from primary sources only.
  2. Filter all entity attributes not on the Entity Attribute Whitelist (see subsection below)
  3. Filter all imported entities with weak keys
    1. The use of weak keys in metadata has security and privacy implications.
    2. There are no weak keys in InCommon metadata, and we'd like to keep it that way.
  4. Filter all imported IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    1. In effect, all imported IdPs must support SAML2.
  5. Filter all imported SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    1. In effect, all imported SPs must support SAML2.
  6. Filter all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
    1. This happens because some SPs choose to join multiple federations.
    2. Dozens of global SPs are filtered by this rule.

A number of additional rules are applied to ensure metadata correctness. Some common minor errors are corrected but entities failing checks such as XML schema validity are removed.

Log all of the following:

  • entities filtered by an import rule
  • entities removed for lack of schema validity
  • entities modified in any way

Entity Attribute Whitelist

  1. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/research-and-scholarship)
  2. (name, value) = (http://macedir.org/entity-category-support, http://refeds.org/category/research-and-scholarship)
  3. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/hide-from-discovery)
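As an added example (not InCommon's own tooling), the import rules and whitelist above applied to a constructed two-entity aggregate using only the Python standard library. Rule 3 (weak keys) needs X.509 parsing and is left out; the entityIDs, endpoint URLs and the non-whitelisted category value in the sample are made up.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
REDIRECT, POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EC, EC_SUPPORT = "http://macedir.org/entity-category", "http://macedir.org/entity-category-support"
RS, HIDE = "http://refeds.org/category/research-and-scholarship", "http://refeds.org/category/hide-from-discovery"
WHITELIST = {(EC, RS), (EC_SUPPORT, RS), (EC, HIDE)}  # the page's Entity Attribute Whitelist as (name, value) pairs

def filter_reason(ed, incommon_ids):
    """Import rules 1, 4, 5 and 6 for one EntityDescriptor; rule 3 (weak keys) needs X.509 parsing and is left out."""
    if ed.find("md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']", NS) is not None:
        return "rule 1: InCommon-registered entity must come from the primary source"
    for role, endpoint, binding, rule in (("IDPSSODescriptor", "SingleSignOnService", REDIRECT, "rule 4: IdP"),
                                          ("SPSSODescriptor", "AssertionConsumerService", POST, "rule 5: SP")):
        if ed.find(f"md:{role}", NS) is not None and ed.find(f"md:{role}/md:{endpoint}[@Binding='{binding}']", NS) is None:
            return f"{rule} has no SAML2 {endpoint} with the required binding {binding}"
    return "rule 6: entityID already present in the InCommon aggregate" if ed.get("entityID") in incommon_ids else None

def strip_entity_attributes(ed):
    """Rule 2: remove every entity attribute (name, value) pair not on the whitelist; returns the removed pairs."""
    dropped = []
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        for val in list(attr.findall("saml:AttributeValue", NS)):
            pair = (attr.get("Name"), (val.text or "").strip())
            if pair not in WHITELIST:
                dropped.append(pair)
                attr.remove(val)
    return dropped

def apply_import_rules(aggregate_xml, incommon_ids):
    kept, log = [], []  # the log covers both filtered and modified entities, as the page requires
    for ed in ET.fromstring(aggregate_xml).findall("md:EntityDescriptor", NS):
        eid, reason = ed.get("entityID"), filter_reason(ed, incommon_ids)
        if reason:
            log.append(f"filtered {eid} ({reason})")
            continue
        for name, value in strip_entity_attributes(ed):
            log.append(f"modified {eid} (rule 2: dropped {name}={value})")
        kept.append(eid)
    return kept, log

SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:saml="{NS['saml']}" xmlns:mdrpi="{NS['mdrpi']}" xmlns:mdattr="{NS['mdattr']}">
<md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://example.edu"/>
<mdattr:EntityAttributes><saml:Attribute Name="{EC}"><saml:AttributeValue>{RS}</saml:AttributeValue><saml:AttributeValue>
http://example.org/category/local-only</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions><md:IDPSSODescriptor>
<md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor><md:AssertionConsumerService index="0"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.example.org/acs"/></md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""  # constructed sample: the IdP is kept (one value dropped), the SAML1-only SP is filtered by rule 5
```

Running `apply_import_rules(SAMPLE, set())` keeps only the IdP and logs one "modified" line for it and one "filtered" line for the SP; passing the IdP's entityID in the second argument makes rule 6 filter it as well.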

Export Rules

Basic export policy: InCommon Operations reserves the right to prevent any entity from being exported.

  1. Filter all entities not having XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
    1. Only entities registered by InCommon will be exported.
  2. Filter the legacy incommon.org R&S entity attribute value from exported SP entity metadata:
    1. http://refeds.org/category/research-and-scholarship
    2. This legacy attribute value remains in SP metadata for backwards compatibility only. We hope to completely remove this attribute value from SP metadata in the future.
    3. This legacy attribute value has nothing to do with R&S interoperability outside of the InCommon Federation.
  3. Filter entities having any of the following properties:
    1. An SP entity not having at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    2. An IdP entity not having a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.