v3.0 - 2017-09-19

This release includes site-wide style updates and updates to the Site Admin dashboard.

v2.1.1 - 2017-08-15

This release resolves issues with:
- adding roles for users in organizations other than their own organization
- saving the status of an organization and correctly showing which organizations are active

v2.1.0 - 2017-08-08

This release of the InCommon Federation Manager brings sweeping visual changes to the Site Admin portion of the site, which should provide a drastically improved user experience for InCommon customers. Major improvements include:


v2.0.0 - 2017-05-23

While most users will not see any difference in the application, please rest assured that the InCommon staff is using the improved user interface, which you should start to see with the version 2.1 release. We chose to deploy and adopt the staff-facing UI first to ensure that we are satisfied with the work before exposing the changes to our customers. Major improvements include:

  1. Moved Federation Manager codebase into Internet2’s GitHub Enterprise account to allow flexible developer collaboration and ease automation for deployments

  2. Added Twitter Bootstrap semantics to the RA interface in preparation for future design/workflow changes

  3. Added Docker containerization utilities in preparation for our own containerized deployment of the application

  4. Provisioning changes will enable us to easily populate a staging version of the application with needed user accounts

  5. Changes to the application infrastructure to integrate with our cloud-based continuous integration pipeline and staging environment

  6. Integrated error messages in staging with Slack so developers and architects can quickly see issues that arise in that environment

  7. Dependency updates

  8. Performance improvements (elimination of duplicate database calls, etc.)

Pre-2.0.0 releases:


The mdui:DisplayName of an IdP can be edited. It is editable for existing IdPs, or for new IdPs after they have been saved.


Site Administrators can choose not to export their metadata to eduGAIN on February 15, 2016.

Similarly, Site Administrators and Delegated Administrators can choose to export their SP metadata to eduGAIN on February 15, 2016 (screen shot not shown here).

Requested Attributes in SP metadata can optionally carry the isRequired="true" XML attribute.

Note: SAML1-formatted Requested Attributes are deprecated (and will be removed from SP metadata the next time the entity descriptor is touched). Only SAML2-formatted Requested Attributes are supported.

Site Administrators can choose to not be shown on discovery interfaces by default.



Fixed the bug that caused the diff to be shown incorrectly on the metadata detail page.


Disabled entry of attribute values for eduPersonScopedAffiliation. The free-text input box does not appear even if "eduPersonScopedAffiliation" is selected from the pull-down menu for the Requested Attributes.




The value of the <md:OrganizationDisplayName> element was copied to the <mdui:DisplayName> element in all IdP entity descriptors that do not contain an <mdui:DisplayName> element. (There were 110 such entity descriptors.) Moving forward, all IdPs in the InCommon Federation will be REQUIRED to have an <mdui:DisplayName> element in metadata. Eventually this field will be editable by site administrators and vetted for reasonableness by the InCommon RA.
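The backfill described above can be reproduced against a local copy of a metadata aggregate. The following is an added example, not the Federation Manager's own code; the function name, entity IDs and organization names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
NS = {"md": MD, "mdui": MDUI}

def backfill_display_names(root):
    """Add mdui:DisplayName (copied from md:OrganizationDisplayName) to every
    IdP entity that lacks one; return the entityIDs that were changed."""
    changed = []
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # not an IdP
        if idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS) is not None:
            continue  # already has a display name
        names = entity.findall("md:Organization/md:OrganizationDisplayName", NS)
        if not names:
            continue  # nothing to copy from
        ext = idp.find("md:Extensions", NS)
        if ext is None:
            # md:Extensions goes first (assumes the role has no ds:Signature child).
            ext = ET.Element("{%s}Extensions" % MD)
            idp.insert(0, ext)
        ui = ext.find("mdui:UIInfo", NS)
        if ui is None:
            ui = ET.SubElement(ext, "{%s}UIInfo" % MDUI)
        for name in names:  # one DisplayName per language
            dn = ET.SubElement(ui, "{%s}DisplayName" % MDUI)
            dn.set(XML_LANG, name.get(XML_LANG, "en"))
            dn.text = name.text
        changed.append(entity.get("entityID"))
    return changed

# Constructed sample aggregate; entity IDs and names are placeholders.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/><md:Organization>
    <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
  </md:Organization></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Example Org</mdui:DisplayName>
  </mdui:UIInfo></md:Extensions></md:IDPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(backfill_display_names(ET.fromstring(SAMPLE)))
```

Running the function a second time on the same tree changes nothing, so it also serves as a check that every IdP entity carries the required element.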


  1. A delegated administrator is notified when their metadata is submitted by a site administrator.
  2. A delegated administrator can also be a site administrator (and vice versa).
  3. Updated the UI to remind the user that delegated administration is for SP metadata.
  4. Repaired broken links to the spaces wiki.
  5. Added the ability to remove a certificate with a 1024-bit key from the upload/staging area (there are no 1024-bit keys in metadata).


  1. SingleLogoutService endpoints can be added to SP metadata (see the SLO Endpoints wiki topic).
  2. A security contact can be added to metadata (see the Contacts in Metadata wiki topic).
  3. The number of certificates per SP entity is now limited to two (see the Certificate Migration wiki topic).
  4. The SHA-1 fingerprint of each certificate is displayed via the web interface.
  5. The use XML attribute on key descriptors (see the Key Usage wiki topic) may be manipulated during key migration in SP metadata (see screen shots below).
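Items 3 to 5 can be checked from outside the web interface on an SP's published entity descriptor. The following is an added example, not the Federation Manager's code; the function names, the sample entity ID and the placeholder certificate bytes are assumptions, and treating the limit as a count of distinct certificates is this example's reading of item 3.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_CERTS_PER_SP = 2  # the limit stated in item 3 above

def sha1_fingerprint(b64_cert):
    """SHA-1 over the decoded (DER) bytes, as colon-separated hex pairs."""
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit_sp_keys(entity):
    """Return (rows, within_limit); each row is (use, fingerprint)."""
    rows = []
    for kd in entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue  # key descriptor without an inline certificate
        # With no use attribute the key applies to both signing and encryption.
        rows.append((kd.get("use", "signing+encryption"),
                     sha1_fingerprint(cert.text)))
    # Assumption: the limit counts distinct certificates, not key descriptors.
    return rows, len({fp for _, fp in rows}) <= MAX_CERTS_PER_SP

def sample_sp(keys):
    """Build a constructed SP entity from (use, raw_bytes) pairs. The bytes
    are placeholders standing in for DER, not real certificates."""
    kds = "".join(
        '<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        % (' use="%s"' % use if use else "", base64.b64encode(raw).decode())
        for use, raw in keys)
    return ET.fromstring(
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
        'entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '%s</md:SPSSODescriptor></md:EntityDescriptor>'
        % (NS["md"], NS["ds"], kds))

if __name__ == "__main__":
    sp = sample_sp([("signing", b"placeholder-old"),
                    ("encryption", b"placeholder-old"), (None, b"placeholder-new")])
    for row in audit_sp_keys(sp)[0]:
        print(*row)
```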

Before key migration step 2:

After key migration step 2:

After key migration step 5:


Added "Google Sign In" to the discovery interface for delegated administrators.

(This new feature is experimental and therefore has not been announced beyond this obscure note. If you want to try Google login to the delegated administration interface, drop us a line at admin at incommon dot org.)


  1. SingleLogoutService endpoints can be added to IdP metadata. 
  2. The discovery interface for delegated administrators now uses the Shibboleth embedded DS.
  3. A notification email is sent to all site administrators when a site admin approves a metadata update request submitted by a delegated administrator.




Certificates in SP metadata no longer need to be uploaded to the system beforehand since they are now managed completely inline. Click the link "Service Provider Metadata Wizard" and then "Add a New Service Provider" to see the new interface.