Hi Angus,
> I am using the UK Federation configuration given at
> http://www.ukfederation.org.uk/content/Documents/Setup2SP along with the
> embedded discovery service. There is a huge list of possible IDPs to
> use and I would like to shorten the list so that it is similar to the
> one offered by the UK federation WAYF service. Is there a way to achieve
> this?
Indeed there is.
The MetadataProvider stanza in your shibboleth2.xml probably looks
something like this:

  <MetadataProvider type="XML"
      uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
      backingFilePath="/etc/shibboleth/ukfederation-metadata.xml"
      reloadInterval="14400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
    <SignatureMetadataFilter certificate="ukfederation.pem"/>
  </MetadataProvider>
There are two changes you can make here that will improve usability of
your EDS.
The first is to add a filter so that you can chuck away the
pre-production or experimental IdPs whose operators have asked us to
mark them with the "hide-from-discovery" tag:

  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery"
      trimTags="true" />

(This facility was added in Shibboleth SP 2.5.)
We've updated the Setup2SP page at
http://www.ukfederation.org.uk/content/Documents/Setup2SP
to include this, and there is further information at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider#NativeSPMetadataProvider-DiscoveryFilter
(actually, if you follow the "EntityMatcher" link to
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPEntityMatcher
there's some detail on how to filter on other attributes)
As to the second change, you've probably noticed that some IdPs show up
by entityID rather than by display name - this is because the default
behaviour of the EDS is to pick up the display name from the MDUI
extensions - and not all IdP operators have added these. So there's a
tag to let you pick up the OrganizationDisplayName instead:

  legacyOrgNames="true"
(If any operators of IdPs in the UK federation are reading this, please
consider asking us to add MDUI info to your metadata
http://www.ukfederation.org.uk/content/Documents/MDUIRecommendations
as it makes your IdP that little bit easier to find)
Anyway, putting both these changes into the MetadataProvider stanza gives
you this:

  <MetadataProvider type="XML"
      uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
      legacyOrgNames="true"
      backingFilePath="/etc/shibboleth/ukfederation-metadata.xml"
      reloadInterval="14400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery"
        trimTags="true" />
    <SignatureMetadataFilter certificate="ukfederation.pem"/>
  </MetadataProvider>
and on restarting your SP, all those extra IdPs will be gone from your EDS.
Hoping that this is useful.
Steve Glover, UK federation support
> Thank you,
>
> Angus Maidment
>
> Scientific Computing Department R18 G46
>
> Science and Technology Facilities Council
>
> Rutherford Appleton Laboratory
>
> Harwell Science and Innovation Campus
>
> OX11 0QX
>
> Tel: (01235) 77 8337
>
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
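To make the two settings in Steve's reply concrete, here is an added illustration (not part of the thread, and not the Shibboleth SP's own code) that re-implements in Python what the SP and the EDS do with them: the EntityAttributes matcher drops every IdP whose md:Extensions carry the entity-category value http://refeds.org/category/hide-from-discovery (with trimTags="true" stripping surrounding whitespace first), and legacyOrgNames="true" makes the display name fall back to OrganizationDisplayName when an IdP has no MDUI DisplayName. The metadata aggregate is constructed inline with hypothetical entityIDs; the function names are assumptions for the example.

```python
"""Illustrative model of a Shibboleth SP discovery feed: the DiscoveryFilter
(EntityAttributes / hide-from-discovery) and the legacyOrgNames fallback.
This is an added example, not the SP's implementation."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed sample aggregate: hypothetical entityIDs, not real federation data.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <!-- A: IdP with an MDUI DisplayName -->
  <md:EntityDescriptor entityID="https://idp.example-a.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example University A</mdui:DisplayName></mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">example-a</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">University of Example A</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example-a.ac.uk/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <!-- B: IdP with no MDUI, only an Organization block -->
  <md:EntityDescriptor entityID="https://idp.example-b.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">example-b</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example College B</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example-b.ac.uk/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <!-- C: test IdP tagged hide-from-discovery; the value is padded with whitespace -->
  <md:EntityDescriptor entityID="https://test-idp.example-c.ac.uk/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>
            http://refeds.org/category/hide-from-discovery
          </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">Test IdP C</mdui:DisplayName></mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <!-- D: a service provider; an IdP discovery service never lists it -->
  <md:EntityDescriptor entityID="https://sp.example-d.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attribute_values(entity, name, trim_tags=True):
    """Values of one entity attribute on an EntityDescriptor (what the SP's
    EntityAttributes matcher inspects). trim_tags mirrors trimTags="true"."""
    values = []
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = value.text or ""
            values.append(text.strip() if trim_tags else text)
    return values


def is_hidden(entity):
    """True when the entity carries the hide-from-discovery entity category."""
    return HIDE_FROM_DISCOVERY in entity_attribute_values(entity, ENTITY_CATEGORY)


def display_name(entity, legacy_org_names):
    """MDUI DisplayName first; with legacyOrgNames, fall back to
    OrganizationDisplayName; otherwise the raw entityID is all the EDS can show."""
    node = entity.find("md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    if node is not None and node.text:
        return node.text.strip()
    if legacy_org_names:
        org = entity.find("md:Organization/md:OrganizationDisplayName", NS)
        if org is not None and org.text:
            return org.text.strip()
    return entity.get("entityID")


def entity_by_id(metadata_xml, entity_id):
    """Return the EntityDescriptor element with the given entityID, or None."""
    root = ET.fromstring(metadata_xml)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.get("entityID") == entity_id:
            return entity
    return None


def discovery_list(metadata_xml, hide_filter=True, legacy_org_names=True):
    """(entityID, label) pairs an EDS would offer: IdPs only, minus hidden ones."""
    root = ET.fromstring(metadata_xml)
    entries = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # not an IdP
        if hide_filter and is_hidden(entity):
            continue  # DiscoveryFilter type="Blacklist" removes it
        entries.append((entity.get("entityID"), display_name(entity, legacy_org_names)))
    return entries


if __name__ == "__main__":
    for entity_id, label in discovery_list(SAMPLE_METADATA):
        print("%-25s %s" % (label, entity_id))
```

Running it lists the two production IdPs by a human-readable label and drops the test IdP; calling discovery_list with hide_filter=False or legacy_org_names=False shows the list the SP would produce without each setting (the test IdP reappears, and IdP B is shown by its entityID).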