Uniform Resource Names as Entity IDs
The use of Uniform Resource Names (URNs) as entity IDs in the InCommon Federation is NOT RECOMMENDED. If a URN is used, the URN namespace MUST be owned by (or delegated to) the organization. That is, the organization MUST document the existence of a valid authorization chain rooted in a namespace listed in the Official IANA Registry of URN Namespaces.
To illustrate, suppose Internet2 submitted SP metadata with entity ID:
urn:mace:incommon:internet2.edu:sp
This particular entity ID would be acceptable since:
- The urn:mace namespace is registered with IANA.
- InCommon is authorized by MACE to use the urn:mace:incommon namespace.
- Internet2 is authorized by InCommon to use the urn:mace:incommon:internet2.edu namespace (by virtue of the fact that the latter appears in metadata signed by InCommon Operations).
Therefore the entity ID shown above is valid since there exists a valid authorization chain rooted in an official registered namespace (urn:mace).
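The chain check described above can be sketched in Python. This is an added example, not InCommon tooling: the function names are hypothetical, and the delegation table and registered-namespace set are constructed from the three facts listed above rather than taken from any real registry.

```python
import re

# Assumption: the registrar keeps its own record of IANA-registered
# namespace identifiers (NIDs) and of documented delegations. Both tables
# are constructed from the page's example; they are not InCommon data.
IANA_REGISTERED_NIDS = {"mace"}
DELEGATIONS = {  # child namespace -> parent namespace that authorized it
    "urn:mace:incommon": "urn:mace",
    "urn:mace:incommon:internet2.edu": "urn:mace:incommon",
}
# "urn" and the NID are case-insensitive; the remainder is left untouched.
URN_RE = re.compile(r"^urn:([a-z0-9][a-z0-9-]{0,30}[a-z0-9]):(.+)$", re.I)


def normalize(urn):
    """Lower-case the scheme and NID so comparisons are consistent."""
    m = URN_RE.match(urn)
    if not m:
        raise ValueError(f"not a URN: {urn!r}")
    return f"urn:{m.group(1).lower()}:{m.group(2)}"


def is_within(urn, namespace):
    """True if urn equals namespace or extends it at a ':' boundary."""
    return urn == namespace or urn.startswith(namespace + ":")


def authorization_chain(entity_id, claimed_namespace):
    """Return the chain from claimed_namespace up to a registered root."""
    entity_id = normalize(entity_id)
    if not is_within(entity_id, claimed_namespace):
        raise ValueError("entity ID is not inside the claimed namespace")
    chain, current = [claimed_namespace], claimed_namespace
    while current.count(":") > 1:  # stop once we reach 'urn:<nid>'
        parent = DELEGATIONS.get(current)
        if parent is None or parent == current or not is_within(current, parent):
            raise ValueError(f"no recorded delegation for {current}")
        chain.append(parent)
        current = parent
    if current.split(":")[1] not in IANA_REGISTERED_NIDS:
        raise ValueError(f"{current} is not an IANA-registered namespace")
    return chain
```

The `:` boundary test in `is_within` matters: a plain string-prefix comparison would accept an entity ID in a look-alike namespace such as `urn:mace:incommon:internet2.edu.example` (constructed) as if it belonged to `urn:mace:incommon:internet2.edu`.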