This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (firstname.lastname@example.org).
Importing eduGAIN metadata into the production InCommon metadata aggregate will have at least the following consequences:
Importing global IdP metadata into InCommon metadata will alter discovery interfaces across the Federation.
Importing global IdP metadata into InCommon metadata will cause some SPs to automatically accept attributes from those IdPs.
Importing global SP metadata into InCommon metadata will cause some IdPs to automatically release attributes to those SPs.
To address these issues, the New Entities WG proposes what amounts to a new entity category.
See the Preparing for eduGAIN Metadata topic for general uses of this new entity category. See the Applying the Registered By InCommon Category topic for specific examples.
Currently, every entity descriptor in InCommon metadata was registered according to the InCommon Metadata Registration Practice Statement (which requires the organization that submitted the metadata to have signed the InCommon Participation Agreement), and therefore every entity descriptor in metadata contains the following extension element:
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>
The New Entities WG recommends that the above <mdrpi:RegistrationInfo> element be replicated as an entity attribute in metadata. The primary motivation is that entity attributes are better supported in software, so an entity attribute will help smooth the transition to interfederation.
To make the idea concrete, the proposal is to automatically convert the above extension element into something like this:
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
               xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
  <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="http://macedir.org/entity-category">
      <saml:AttributeValue>
        http://id.incommon.org/category/registered-by-incommon
      </saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</md:Extensions>
and of course the conversion process would preserve any and all entity attributes that already exist in metadata.
Some important points to note:
In effect, the proposal is to create a new entity category called Registered By InCommon (denoted by the entity attribute value registered-by-incommon), which is precisely the meaning of the registrationAuthority XML attribute shown above.
The Registered By InCommon entity category applies to both SPs and IdPs.
The registered-by-incommon entity attribute will not be exported to eduGAIN.
The registered-by-incommon entity attribute can be used by SPs and IdPs to mitigate the effects of importing eduGAIN entities into the InCommon production aggregate.