...
- Silently remove all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Entities so marked must come from primary sources only.
- Remove (and log the removal of) the following XML elements (not entities):
  - <mdui:Logo> elements with a URL that is not HTTPS-protected
- Silently remove the following XML elements (not entities):
  - all MDUI metadata (e.g., mdui:UIInfo elements) within AttributeAuthority roles
  - all entity attributes on the Entity Attribute Blacklist (see subsection below)
  - all extended XML elements and attributes defined in namespaces not on the XML Namespace Whitelist (see subsection below)
- Remove (and log the removal of) all imported entities matching one or more of the following conditions:
  - Entities with an entityID that does not begin with one of the following prefixes: “http://”, “https://”, “urn:mace”
  - Entities with weak keys (which includes all keys less than 2048 bits in length)
    - The use of weak keys in metadata has security and privacy implications.
    - There are no weak keys in InCommon metadata and so we'd like to keep it that way.
  - IdP entities with a faulty <shibmd:Scope> element
    - Require a regexp attribute on <shibmd:Scope>
    - Disallow <shibmd:Scope regexp="true">
  - IdP entities with an endpoint location that is not HTTPS-protected
  - IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    - In effect, all imported IdPs must support SAML2.
  - SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    - In effect, all imported SPs must support SAML2.
  - Entities containing literal CR characters.
  - Entities containing misplaced or duplicated EntityAttributes elements.
  - Entities containing XML failing schema validation.
  - Entities that do not conform to the SAML v2.0 Metadata Profile for Algorithm Support Version 1.0
  - Entities that do not follow standard rules regarding Binding values on protocol endpoints in metadata
  - Entities that do not conform to the SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
  - Entities that do not conform to the Identity Provider Discovery Service Protocol and Profile
  - Entities that do not conform to the Service Provider Request Initiation Protocol and Profile Version 1.0
  - Entities that do not conform to the SAML V2.0 Metadata Interoperability Profile
  - Entities that do not conform to the SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
  - Entities that do not conform to the SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0
  - Entities that do not conform to the REFEDS Research and Scholarship Entity Category
  - Entities that do not conform to the REFEDS SIRTFI specification
- Silently remove all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
  - This happens because some SPs choose to join multiple federations.
  - Dozens of global SPs are filtered by this rule.
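As an added illustration, and not InCommon's own import code, the script below applies the entity-level rules above to a small constructed aggregate using only the Python standard library. The registrationAuthority and duplicate-entityID rules drop silently; the entityID prefix, IdP endpoint, SAML2 binding and shibmd:Scope rules are logged. The weak-key, literal-CR, schema-validation and profile-conformance rules are out of scope here. The rule names it returns and the four sample entities are this example's own.

```python
# Added example (not the InCommon filter implementation): entity-level import
# rules applied to a SAML metadata aggregate with xml.etree only.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ALLOWED_PREFIXES = ("http://", "https://", "urn:mace")
HOME_AUTHORITY = "https://incommon.org"
SILENT = {"registered-by-incommon", "duplicate-entityID"}  # removed without logging


def entity_problems(entity, existing_ids=frozenset()):
    """Return the import rules an EntityDescriptor violates (empty list == keep)."""
    problems = []
    eid = entity.get("entityID", "")
    # Entities already registered by InCommon must come from the primary source.
    for reg in entity.iterfind("md:Extensions/mdrpi:RegistrationInfo", NS):
        if reg.get("registrationAuthority") == HOME_AUTHORITY:
            problems.append("registered-by-incommon")
    if eid in existing_ids:                       # same entityID already in the aggregate
        problems.append("duplicate-entityID")
    if not eid.startswith(ALLOWED_PREFIXES):
        problems.append("entityID-prefix")

    idp = entity.find("md:IdPSSODescriptor", NS)
    if idp is not None:
        for el in idp.iter():                     # every IdP endpoint location must be HTTPS
            for attr in ("Location", "ResponseLocation"):
                loc = el.get(attr)
                if loc is not None and not loc.startswith("https://"):
                    problems.append("idp-endpoint-not-https")
        # a SAML2 SingleSignOnService with the HTTP-Redirect binding is required
        protocols = idp.get("protocolSupportEnumeration", "").split()
        has_redirect = any(sso.get("Binding") == HTTP_REDIRECT
                           for sso in idp.iterfind("md:SingleSignOnService", NS))
        if SAML2 not in protocols or not has_redirect:
            problems.append("idp-no-saml2-redirect-sso")
        # shibmd:Scope must carry a regexp attribute, and it must not be true
        for scope in idp.iterfind("md:Extensions/shibmd:Scope", NS):
            if scope.get("regexp") not in ("false", "0"):
                problems.append("faulty-scope")

    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is not None:  # at least one SAML2 AssertionConsumerService with HTTP-POST
        protocols = sp.get("protocolSupportEnumeration", "").split()
        has_post = any(acs.get("Binding") == HTTP_POST
                       for acs in sp.iterfind("md:AssertionConsumerService", NS))
        if SAML2 not in protocols or not has_post:
            problems.append("sp-no-saml2-post-acs")
    return list(dict.fromkeys(problems))          # de-duplicate, keep first-seen order


def filter_aggregate(xml_text, existing_ids=frozenset()):
    """Drop violating entities; return (kept entityIDs, {dropped entityID: reasons})."""
    root = ET.fromstring(xml_text)
    kept, dropped = [], {}
    for entity in list(root.iterfind("md:EntityDescriptor", NS)):
        eid = entity.get("entityID")
        problems = entity_problems(entity, existing_ids)
        if not problems:
            kept.append(eid)
            continue
        root.remove(entity)
        dropped[eid] = problems
        if not set(problems) <= SILENT:           # "remove and log" rules
            print(f"removed {eid}: {', '.join(problems)}")
    return kept, dropped


# Constructed sample: a clean IdP, a faulty IdP, an entity already registered by
# InCommon, and a SAML1-only SP whose entityID has no allowed prefix.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp">
  <md:IdPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.edu/sso"/>
  </md:IdPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IdPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><shibmd:Scope regexp="true">^.+example.org$</shibmd:Scope></md:Extensions>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://idp.example.org/sso"/>
  </md:IdPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.com/shibboleth">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.com/acs" index="1"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="urn:sp:legacy">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="https://legacy.example.net/acs" index="1"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(filter_aggregate(SAMPLE))
```

Running it keeps only idp.example.edu; passing the IDs already in your aggregate as existing_ids drops it too, silently, which is exactly the multi-federation duplicate case the last rule describes.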
...
- entities filtered by an import rule
- entities removed for lack of schema validity
- entities modified in any way
Entity Attribute Blacklist
Name | Value |
---|---|
http://macedir.org/entity-category | http://id.incommon.org/category/registered-by-incommon |
http://macedir.org/entity-category | http://id.incommon.org/category/research-and-scholarship |
http://macedir.org/entity-category-support | http://id.incommon.org/category/research-and-scholarship |
urn:oasis:names:tc:SAML:attribute:assurance-certification | http://id.incommon.org/assurance/bronze |
urn:oasis:names:tc:SAML:attribute:assurance-certification | http://id.incommon.org/assurance/silver |
XML Namespace Whitelist
Namespace | Prefix |
---|---|
urn:oasis:names:tc:SAML:metadata:algsupport | alg |
http://www.w3.org/2000/09/xmldsig# | ds |
urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser | hoksso |
http://id.incommon.org/metadata | icmd |
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | idpdisc |
urn:oasis:names:tc:SAML:profiles:SSO:request-init | init |
urn:oasis:names:tc:SAML:2.0:metadata | md |
urn:oasis:names:tc:SAML:metadata:attribute | mdattr |
urn:oasis:names:tc:SAML:metadata:rpi | mdrpi |
urn:oasis:names:tc:SAML:metadata:ui | mdui |
http://refeds.org/metadata | remd |
urn:oasis:names:tc:SAML:2.0:assertion | saml |
urn:mace:shibboleth:metadata:1.0 | shibmd |
http://www.w3.org/2001/04/xmlenc# | xenc |
http://www.w3.org/XML/1998/namespace | xml |
http://www.w3.org/2001/XMLSchema-instance | xsi |
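The element-level rules (blacklisted entity attributes, non-HTTPS mdui:Logo, MDUI inside AttributeAuthority roles, and extensions in namespaces outside the whitelist) are illustrated below with an added, self-contained Python scrubber that is not InCommon's own code. It loads the two tables above as constants and applies them to one constructed EntityDescriptor; the rule names it logs and the sample entity, including the made-up http://example.com/private-extension namespace, are this example's own.

```python
# Added example (not InCommon's code): element-level scrubbing of a single
# EntityDescriptor driven by the Entity Attribute Blacklist and the XML
# Namespace Whitelist tables, standard library only.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"

# (Name, Value) pairs from the Entity Attribute Blacklist table
ENTITY_ATTRIBUTE_BLACKLIST = {
    ("http://macedir.org/entity-category", "http://id.incommon.org/category/registered-by-incommon"),
    ("http://macedir.org/entity-category", "http://id.incommon.org/category/research-and-scholarship"),
    ("http://macedir.org/entity-category-support", "http://id.incommon.org/category/research-and-scholarship"),
    ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "http://id.incommon.org/assurance/bronze"),
    ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "http://id.incommon.org/assurance/silver"),
}
# namespace URIs from the XML Namespace Whitelist table
NAMESPACE_WHITELIST = {
    "urn:oasis:names:tc:SAML:metadata:algsupport", "http://www.w3.org/2000/09/xmldsig#",
    "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser", "http://id.incommon.org/metadata",
    "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol", "urn:oasis:names:tc:SAML:profiles:SSO:request-init",
    MD, MDATTR, "urn:oasis:names:tc:SAML:metadata:rpi", MDUI, "http://refeds.org/metadata", SAML,
    "urn:mace:shibboleth:metadata:1.0", "http://www.w3.org/2001/04/xmlenc#",
    "http://www.w3.org/XML/1998/namespace", "http://www.w3.org/2001/XMLSchema-instance",
}


def ns_of(name):
    """Namespace URI of a Clark-notation tag or attribute name ('{uri}local')."""
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""


def _prune_namespaces(el, removed):
    """Silently drop child elements and attributes in non-whitelisted namespaces."""
    for child in list(el):
        if ns_of(child.tag) not in NAMESPACE_WHITELIST:
            el.remove(child)
            removed.append(("foreign-namespace-element", child.tag))
        else:
            _prune_namespaces(child, removed)
    for key in list(el.attrib):
        if key.startswith("{") and ns_of(key) not in NAMESPACE_WHITELIST:
            del el.attrib[key]
            removed.append(("foreign-namespace-attribute", key))


def scrub_entity(entity):
    """Apply the element-level rules in place; return a list of (rule, detail)."""
    removed = []
    # 1. silently drop blacklisted entity attribute values (and Attributes left empty)
    for ea in entity.iterfind(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes"):
        for attr in list(ea.findall(f"{{{SAML}}}Attribute")):
            for val in list(attr.findall(f"{{{SAML}}}AttributeValue")):
                text = (val.text or "").strip()
                if (attr.get("Name"), text) in ENTITY_ATTRIBUTE_BLACKLIST:
                    attr.remove(val)
                    removed.append(("blacklisted-entity-attribute", f"{attr.get('Name')}={text}"))
            if attr.find(f"{{{SAML}}}AttributeValue") is None:
                ea.remove(attr)
    # 2. remove (and log) mdui:Logo elements whose URL is not HTTPS-protected
    parents = {c: p for p in entity.iter() for c in p}   # ElementTree has no parent links
    for logo in list(entity.iter(f"{{{MDUI}}}Logo")):
        url = (logo.text or "").strip()
        if not url.startswith("https://"):
            parents[logo].remove(logo)
            removed.append(("logo-not-https", url))
            print(f"removed non-HTTPS logo {url}")
    # 3. silently drop all MDUI metadata inside AttributeAuthority roles
    for ext in entity.iterfind(f"{{{MD}}}AttributeAuthorityDescriptor/{{{MD}}}Extensions"):
        for child in list(ext):
            if ns_of(child.tag) == MDUI:
                ext.remove(child)
                removed.append(("mdui-in-attribute-authority", child.tag))
    # 4. silently drop extension elements and attributes in non-whitelisted namespaces
    _prune_namespaces(entity, removed)
    return removed


def scrub_metadata(xml_text):
    """Parse one EntityDescriptor, scrub it, return (removal log, cleaned XML text)."""
    entity = ET.fromstring(xml_text)
    removed = scrub_entity(entity)
    return removed, ET.tostring(entity, encoding="unicode")


# Constructed sample entity exercising every rule (x: is a made-up private namespace).
SAMPLE = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:x="http://example.com/private-extension">
 <md:Extensions>
  <mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes>
  <x:Tracking id="42"/>
 </md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" x:flag="1">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
   <mdui:Logo height="60" width="80">http://sp.example.org/logo.png</mdui:Logo>
   <mdui:Logo height="60" width="80">https://sp.example.org/logo.png</mdui:Logo>
  </mdui:UIInfo></md:Extensions>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sp.example.org/acs" index="1"/>
 </md:SPSSODescriptor>
 <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example AA</mdui:DisplayName></mdui:UIInfo></md:Extensions>
  <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.org/aa"/>
 </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""
```

Calling scrub_metadata(SAMPLE) removes the two InCommon-only entity attribute values (the REFEDS R&S value survives), the http:// logo, the UIInfo on the AttributeAuthority role, the x:Tracking element and the x:flag attribute; xml:lang survives because the XML namespace is on the whitelist. Note that the blacklist is matched on the (Name, Value) pair, so an imported entity may still carry the same Name with values that InCommon does not reserve.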
...