Community Review in progress!
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org).
Recommendations for New IdPs in Metadata
Are you planning to register an IdP in the InCommon Federation?
Getting Started
- Identify at least two Site Administrators to administer IdP metadata
- Refresh and verify metadata at least daily (every hour if possible)
- Develop a strategy for securing your private keys before you generate them
Important Considerations for New IdPs
Before registering a new IdP in metadata, consider the following points:
- Choose your entityID carefully
  - a simple, generic name is best
  - example: https://sso.example.edu/idp
  - hostname must be rooted in your primary domain (e.g., example.edu)
  - hostname need not match endpoint locations
- Choose your Scope carefully
  - usually equal to your primary domain
  - used to construct eduPersonPrincipalName
  - avoid multiple Scopes in metadata
- Constrain your IdP's protocol support to the front channel
  - Do not support the SAML1 protocol
  - Do not support attribute query
  - Do not support SOAP-based endpoints