...
- Silently remove all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Entities so marked must come from primary sources only.
- Silently remove all entity attributes not on the Entity Attribute Whitelist (see subsection below)
- Remove (and log the removal of) all <mdui:Logo> elements (not entities) with a URL that is not HTTPS-protected.
- Remove (and log the removal of) all imported entities matching one or more of the following conditions:
  - Entities with an entityID that does not begin with one of the following prefixes: “http://”, “https://”, “urn:mace”
  - Entities with weak keys (which includes all keys less than 2048 bits in length)
    - The use of weak keys in metadata has security and privacy implications.
    - There are no weak keys in InCommon metadata, and we would like to keep it that way.
  - IdP entities with a faulty <shibmd:Scope> element
    - Require the regexp attribute on <shibmd:Scope>
    - Disallow <shibmd:Scope regexp="true">
    - Taken together, only literal (non-regular-expression) scopes are accepted.
  - IdP entities with an endpoint location that is not HTTPS-protected
  - IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    - In effect, all imported IdPs must support SAML2.
  - SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    - In effect, all imported SPs must support SAML2.
  - Entities containing literal CR characters.
  - Entities containing misplaced or duplicated EntityAttributes elements.
- Silently remove all extended XML elements and attributes defined in namespaces not on the XML Namespace Whitelist (see subsection below)
- Silently remove all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
  - This happens because some SPs choose to join multiple federations.
  - Dozens of global SPs are filtered by this rule.
A number of additional rules are applied to ensure metadata correctness. Some common minor errors are corrected but entities failing checks such as XML schema validity are removed.
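The removal and logging rules above, applied to a small constructed aggregate. This is an added example written for this page, not InCommon's own filter, and it uses only the Python standard library; the entityIDs, URLs and sample metadata are made up for the example. It covers the structural rules (entityID prefix, shibmd:Scope regexp, HTTPS endpoint locations, SAML2 SSO/ACS bindings, non-HTTPS mdui:Logo stripping, and silent removal of entityIDs already registered in InCommon). The weak-key rule is left out because it needs an X.509 parser (with the cryptography package, `x509.load_der_x509_certificate(der).public_key().key_size` gives the bit length to compare against 2048), and the literal-CR rule must run on the serialized bytes before parsing, since XML parsers normalize CR to LF before any element is visible. The two whitelist rules depend on the subsections referenced above and are not modelled.

```python
"""Apply the import rules above to a SAML metadata aggregate (added example; not InCommon's filter)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes when re-serializing
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENTITYID_PREFIXES = ("http://", "https://", "urn:mace")


def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # Clark-notation name for ElementTree


def entity_problems(entity):
    """Rule violations that cause the whole <md:EntityDescriptor> to be removed."""
    problems = []
    if not entity.get("entityID", "").startswith(ENTITYID_PREFIXES):
        problems.append("entityID does not start with http://, https:// or urn:mace")
    idp = entity.find(q("md", "IDPSSODescriptor"))
    if idp is not None:
        # The regexp attribute is required and regexp="true" is disallowed.
        if any(s.get("regexp") in (None, "true") for s in idp.iter(q("shibmd", "Scope"))):
            problems.append("faulty shibmd:Scope")
        locations = [e.get("Location") for e in idp.iter() if e.get("Location") is not None]
        if any(not loc.startswith("https://") for loc in locations):
            problems.append("IdP endpoint Location is not HTTPS")
        if not any(s.get("Binding") == SAML2_REDIRECT
                   for s in idp.findall(q("md", "SingleSignOnService"))):
            problems.append("no SAML2 SingleSignOnService with HTTP-Redirect binding")
    sp = entity.find(q("md", "SPSSODescriptor"))
    if sp is not None:
        if not any(a.get("Binding") == SAML2_POST
                   for a in sp.findall(q("md", "AssertionConsumerService"))):
            problems.append("no SAML2 AssertionConsumerService with HTTP-POST binding")
    return problems


def strip_http_logos(entity, log):
    """Remove (and log) non-HTTPS <mdui:Logo> elements; the entity itself is kept."""
    for parent in list(entity.iter()):  # snapshot: the tree is modified while walking it
        for logo in list(parent.findall(q("mdui", "Logo"))):
            url = (logo.text or "").strip()
            if not url.startswith("https://"):
                log.append("%s: removed non-HTTPS mdui:Logo %s" % (entity.get("entityID"), url))
                parent.remove(logo)


def filter_aggregate(xml_text, existing_entity_ids=()):
    """Return (kept entityIDs, log lines, filtered XML) for one <md:EntitiesDescriptor>."""
    root = ET.fromstring(xml_text)
    kept, log = [], []
    for entity in list(root.findall(q("md", "EntityDescriptor"))):
        eid = entity.get("entityID")
        if eid in existing_entity_ids:
            root.remove(entity)  # silent: the InCommon-registered copy takes precedence
            continue
        problems = entity_problems(entity)
        if problems:
            log.append("%s: removed (%s)" % (eid, "; ".join(problems)))
            root.remove(entity)
            continue
        strip_http_logos(entity, log)
        kept.append(eid)
    return kept, log, ET.tostring(root, encoding="unicode")


# Constructed sample: a compliant IdP with an http:// logo, a compliant SP, and an IdP breaking three rules.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="{md}" xmlns:shibmd="{shibmd}" xmlns:mdui="{mdui}">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
    <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    <mdui:UIInfo><mdui:Logo height="16" width="16">http://idp.example.edu/logo.png</mdui:Logo></mdui:UIInfo>
   </md:Extensions>
   <md:SingleSignOnService Binding="{redirect}" Location="https://idp.example.edu/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService Binding="{post}" Location="https://sp.example.org/SAML2/POST" index="0"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="urn:example:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><shibmd:Scope regexp="true">.*\\.example</shibmd:Scope></md:Extensions>
   <md:SingleSignOnService Binding="{redirect}" Location="http://idp.example.net/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>""".format(redirect=SAML2_REDIRECT, post=SAML2_POST, **NS)

if __name__ == "__main__":
    kept, log, _ = filter_aggregate(SAMPLE)
    print("kept:", kept)
    print("\n".join(log))
```

Running it keeps the first two entities, logs the removal of the http:// logo from the IdP (the entity survives), and logs one removal for the third entity listing all three violated rules. Passing an entityID in existing_entity_ids drops that entity without a log line, matching the "silently remove" wording of the duplicate-entityID rule.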
...