Early in the boarding process, the InCommon Registration Authority (RA) associates a primary DNS domain with the participating organization. The WHOIS database system is consulted to confirm that the organization does in fact own control this domain. Alternatively, a process of Domain Control Validation (DCV) may be administered by the RA to allow an organization to demonstrate control of a domain. The fact that the organization’s home page is rooted in the primary DNS domain provides additional evidence that the organization controls the domain in question.
...
- the value of the
entityIDXML attribute, which is an identifier for the entity (SP or IdP) in metadata - the value of the
<md:OrganizationURL>element, which is the URL of the organization’s home page (mentioned earlier) - the values of certain user interface elements, especially the value of the
<mdui:Logo>elementthe value of the<shibmd:Scope>element, which is used by an IdP to construct so-called scoped attributes (such aseduPersonPrincipalName)the values of any endpoint locations in metadata
The RA is authoritative for the organization URL (<md:OrganizationURL>) and the Scope (<shibmd:Scope>). The organization’s site administrator specifies the remaining values in metadata, which are vetted by the RA.
If the entityID and the endpoint locations are in fact rooted in the and scope (the latter is applicable only to IdP metadata) are rooted in the primary DNS domain, the submitted metadata is approved and the update request proceeds. Otherwise a manual vetting process is triggered, which may delay the approval process.