Please visit the Hide from Discovery category in the InCommon Federation Library wiki for updated content. This page remains online for historical record purposes only.
The "Hide From Discovery" entity category is a category of Identity Providers that are intended not to be shown on discovery interfaces by default.
InCommon's implementation of the Hide From Discovery Category and the use of the
The hide-from-discovery entity attribute is self-asserted by IdP operators, but InCommon Operations may insert the hide-from-discovery entity attribute into any IdP entity descriptor at its discretion.
By and large, participants register an IdP for one or more of the following reasons:
To interoperate with Sponsored Partners and Enterprise Services, a bilateral arrangement is often needed, whereas cross-domain Federation Services are "promiscuous" in the sense that they are willing and able to interoperate with any IdP. This gives rise to IdP Discovery, a user-driven process (or interface) to discover the federated user's preferred IdP.
An IdP that interoperates solely with Sponsored Partners and/or Enterprise Services may not need (or want) to be exposed on arbitrary discovery interfaces, in which case the IdP should declare the hide-from-discovery entity attribute in metadata. Federation Services can (and should) filter such IdPs from their discovery interfaces.
Be aware that InCommon Operations reserves the right to insert the hide-from-discovery entity attribute into any IdP entity descriptor at its discretion. Possible reasons include, but are not limited to:
An IdP calls out its desire to Hide From Discovery by asserting the following entity attribute in metadata (whitespace added for readability):
```xml
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="http://macedir.org/entity-category">
    <saml:AttributeValue>
      http://refeds.org/category/hide-from-discovery
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
```
To assert the hide-from-discovery entity attribute in IdP metadata, a Site Administrator logs into the Federation Manager, clicks "Update" next to the IdP to be updated, and opts into the Hide From Discovery Category by checking the box in the row labeled "Hide from Discovery" under the Entity Attributes section.
To configure an instance of Shibboleth SP 2.5 (and later) to filter on the Hide From Discovery entity attribute, add the following DiscoveryFilter to your MetadataProvider:
```xml
<!-- Hide all IdPs with the hide-from-discovery entity attribute. -->
<!-- (Hiding an IdP from the discovery interface does NOT prevent -->
<!-- the SP from accepting an assertion from the IdP.)             -->
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
    attributeName="http://macedir.org/entity-category"
    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    attributeValue="http://refeds.org/category/hide-from-discovery"/>
```
See the Shibboleth Metadata Config topic for a complete example that includes the above DiscoveryFilter.
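The following is an added example, not code from InCommon or the Shibboleth project. It shows in plain Python what the entity attribute above and the Shibboleth DiscoveryFilter accomplish together: read a SAML metadata aggregate, find the IdPs whose EntityAttributes extension asserts the hide-from-discovery category, and leave them out of the discovery list while keeping them in the set of IdPs the SP trusts for assertions. The aggregate and its entityIDs are constructed for this example; value matching trims surrounding whitespace, as the `trimTags="true"` setting does.

```python
"""Build a discovery list from a SAML metadata aggregate, omitting IdPs that
assert the REFEDS hide-from-discovery entity category.

Added example, not InCommon's or Shibboleth's code. The aggregate below is
constructed for this example; the entityIDs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed aggregate: two IdPs (the second asserts hide-from-discovery,
# with whitespace around the value) and one SP.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-a.invalid/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.invalid/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                        Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://refeds.org/category/hide-from-discovery
          </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.invalid/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Return the entity-category values asserted on one EntityDescriptor.

    Only Attribute elements with the expected Name and the URI NameFormat count,
    mirroring the attributeName/attributeNameFormat settings of the filter.
    Surrounding whitespace is stripped from each value (trimTags="true").
    """
    categories = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            categories.add((value.text or "").strip())
    return categories


def is_hidden(entity):
    """True if the EntityDescriptor asserts the hide-from-discovery category."""
    return HIDE_FROM_DISCOVERY in entity_categories(entity)


def _idp_descriptors(aggregate_xml):
    root = ET.fromstring(aggregate_xml)
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.find("md:IDPSSODescriptor", NS) is not None:
            yield entity


def trusted_idps(aggregate_xml):
    """Every IdP in the aggregate: hiding does not remove an IdP from trust."""
    return [e.get("entityID") for e in _idp_descriptors(aggregate_xml)]


def hidden_idps(aggregate_xml):
    """IdPs that asked to be kept off discovery interfaces."""
    return [e.get("entityID") for e in _idp_descriptors(aggregate_xml) if is_hidden(e)]


def discoverable_idps(aggregate_xml):
    """What the discovery interface should show: trusted IdPs minus hidden ones."""
    return [e.get("entityID") for e in _idp_descriptors(aggregate_xml) if not is_hidden(e)]


if __name__ == "__main__":
    print("trusted:     ", trusted_idps(SAMPLE_AGGREGATE))
    print("hidden:      ", hidden_idps(SAMPLE_AGGREGATE))
    print("discoverable:", discoverable_idps(SAMPLE_AGGREGATE))
```

The distinction between `trusted_idps` and `discoverable_idps` is the point of the comment in the Shibboleth configuration: the filter changes only what a user is offered on the discovery interface, and an assertion from a hidden IdP is still accepted because its metadata is still loaded.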