Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
en:entity_attributes [2022/04/29 10:42] – [Degrees of Reliance of IdPs] Wolfgang Pempeen:entity_attributes [2023/01/12 19:29] (current) Wolfgang Pempe
Line 4: Line 4:
 </callout> </callout>
  
-===== Degrees of Reliance of IdPs ===== 
- 
-This Entity Attribute announces the [[en:degrees_of_reliance|Degree of Reliance]] of an Identity Provider. 
- 
-<file xml dfn-aai-idp-metadata.xml> 
-  <md:EntityDescriptor entityID="https://idp.scc.kit.edu/idp/shibboleth"> 
-    <md:Extensions> 
-      <mdrpi:RegistrationInfo registrationAuthority="https://www.aai.dfn.de" registrationInstant="2010-03-15T10:30:11Z"> 
-        <mdrpi:RegistrationPolicy xml:lang="en">https://www.aai.dfn.de/en/join/</mdrpi:RegistrationPolicy> 
-        <mdrpi:RegistrationPolicy xml:lang="de">https://www.aai.dfn.de/teilnahme/</mdrpi:RegistrationPolicy> 
-      </mdrpi:RegistrationInfo> 
-      <mdattr:EntityAttributes> 
-        <!-- ... --> 
-        <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
-          <saml:AttributeValue>advanced</saml:AttributeValue> 
-        </saml:Attribute> 
-      </mdattr:EntityAttributes> 
-    </md:Extensions> 
- 
-</file> 
- 
-For an example on how to restrict an SP's metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced' please refer to [[en:production#sp_example|Production Environment]]. 
-===== SP: Required Degree of Reliance ===== 
-This entity attribute is used to signal the [[en:degrees_of_reliance|Degree of Reliance]] required by the respective service provider.  
- 
-<file xml dfn-aai-sp-metadata.xml> 
-  <EntityDescriptor entityID="https://bw-support.scc.kit.edu/secure"> 
-    <Extensions> 
-      <mdrpi:RegistrationInfo registrationAuthority="https://www.aai.dfn.de" registrationInstant="2013-05-29T12:16:37Z"> 
-        <mdrpi:RegistrationPolicy xml:lang="en">https://www.aai.dfn.de/en/join/</mdrpi:RegistrationPolicy> 
-        <mdrpi:RegistrationPolicy xml:lang="de">https://www.aai.dfn.de/teilnahme/</mdrpi:RegistrationPolicy> 
-      </mdrpi:RegistrationInfo> 
-      <mdattr:EntityAttributes> 
-        <!-- ... -->       
-          <saml:Attribute Name="http://aai.dfn.de/require-loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
-          <saml:AttributeValue>advanced</saml:AttributeValue> 
-        </saml:Attribute> 
-      </mdattr:EntityAttributes> 
-    </Extensions> 
-</file> 
  
 ===== Sirtfi ===== ===== Sirtfi =====
Line 120: Line 80:
 </file> </file>
  
-The next example shows IdP metadata: The IdP releases attributes to CoCo compliant SPs, and it commits to the degree of reliance "Advanced".+The next example shows IdP metadata: The IdP releases attributes to CoCo compliant SPs.
  
 <file xml dfn-aai-metadata.xml> <file xml dfn-aai-metadata.xml>
Line 132: Line 92:
         <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">         <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>           <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
-        </saml:Attribute> 
-        <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
-          <saml:AttributeValue>advanced</saml:AttributeValue> 
         </saml:Attribute>         </saml:Attribute>
       </mdattr:EntityAttributes>       </mdattr:EntityAttributes>
Line 180: Line 137:
 </file> </file>
  
-The metadata of an IdP taking part in bwIdM and committing to the Degree of Reliance "Advanced" look like this:+The metadata of an IdP taking part in bwIdM:
  
 <file xml dfn-aai-metadata.xml> <file xml dfn-aai-metadata.xml>
Line 192: Line 149:
         <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">         <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue>           <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue>
-        </saml:Attribute> 
-        <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
-          <saml:AttributeValue>advanced</saml:AttributeValue> 
         </saml:Attribute>         </saml:Attribute>
       </mdattr:EntityAttributes>       </mdattr:EntityAttributes>
Line 225: Line 179:
 <file xml shibboleth2.xml> <file xml shibboleth2.xml>
 <MetadataProvider type="XML" <MetadataProvider type="XML"
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-metadata.xml"+     uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"
      backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600">      backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="Whitelist" matcher="EntityAttributes">+   <MetadataFilter type="Include" matcher="EntityAttributes">
          <saml:Attribute Name="http://macedir.org/entity-category"          <saml:Attribute Name="http://macedir.org/entity-category"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue>             <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue>
         </saml:Attribute>         </saml:Attribute>
-   </MetadataFilter> 
-   <MetadataFilter type="EntityRoleWhiteList"> 
-      <RetainedRole>md:IDPSSODescriptor</RetainedRole> 
    </MetadataFilter>    </MetadataFilter>
 </MetadataProvider> </MetadataProvider>
Line 245: Line 196:
 <file xml shibboleth2.xml> <file xml shibboleth2.xml>
 <MetadataProvider type="XML" <MetadataProvider type="XML"
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+     uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
      backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">      backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="Blacklist" matcher="EntityAttributes">+   <MetadataFilter type="Exclude" matcher="EntityAttributes">
          <saml:Attribute Name="http://macedir.org/entity-category"          <saml:Attribute Name="http://macedir.org/entity-category"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue>             <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue>
         </saml:Attribute>         </saml:Attribute>
-   </MetadataFilter> 
-   <MetadataFilter type="EntityRoleWhiteList"> 
-      <RetainedRole>md:IDPSSODescriptor</RetainedRole> 
    </MetadataFilter>    </MetadataFilter>
 </MetadataProvider> </MetadataProvider>
Line 261: Line 209:
 </file> </file>
  
-This Shibboleth SP filters metadata to only work with IdPs committing to the Degree of Reliance "Advanced": 
- 
-<file xml shibboleth2.xml> 
-<MetadataProvider type="XML" 
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml" 
-     backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> 
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> 
-   <MetadataFilter type="Whitelist" matcher="EntityAttributes"> 
-         <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" 
-                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> 
-            <saml:AttributeValue>advanced</saml:AttributeValue> 
-        </saml:Attribute> 
-   </MetadataFilter> 
-</MetadataProvider> 
- 
-</file> 
  
 This IdP filter policy releases a list of attributes to bwIDM Service Providers: This IdP filter policy releases a list of attributes to bwIDM Service Providers:
  • Last modified: 3 years ago