REFEDS Entity Category: Hide From Discovery

...

v1

History:

v0.1 Initial Draft for comment and consultation.
v0.2 With changes as approved by the REFEDS SC.  

THIS IS CURRENTLY A DRAFT PROPOSAL ENTITY CATEGORY AND IS NOT IN PRODUCTION USE.

Overview

The '''Hide From Discovery''' entity category is a category of Identity Providers that are intended not to be shown on discovery interfaces by default.

1.  Definition

...


v1. Published.

The Hide from Discovery Entity Category is now a published category. The category can be found on the REFEDS website, and the text on the website should be used as the authoritative source: https://

  • An IdP may not be a production IdP and as such is not ready to be accessed by the general population of end users.
  • An IdP may have a display name similar to another IdP (e.g., "Example University (test)" vs. "Example University") and therefore user experience would be improved if one of the IdPs was not shown on the discovery interface.
  • Access to an IdP might be limited to certain network ranges (e.g., management networks for the Identity Provider's staff) and therefore user experience would suffer if such an entity were selected from outside that network range.
  • An IdP may be experiencing an extended period of technical difficulties, during which time the registrar might choose to tag the IdP with the ''Hide From Discovery'' entity attribute.

2.  Syntax

...

3.  Semantics

A member of the ''Hide From Discovery'' entity category is an IdP that is intended not to be shown on discovery interfaces. Deployers of discovery services SHOULD hide such an IdP on their discovery interfaces.

4.  Registration Criteria

...

5.  Examples

An example of the ''Hide From Discovery'' entity attribute for an IdP:
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://institution.example.com/idp">
   <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
     <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
       <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
       </saml:Attribute>
     </mdattr:EntityAttributes>
   </Extensions>
   ...
 </EntityDescriptor>

6.  Security Considerations

Hiding an IdP from discovery interfaces does not imply that Service Providers (SPs) do not accept assertions from the IdP.
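
Added example, not part of the REFEDS text: one way a discovery service could apply sections 3 and 6, filtering only the display list while the tagged IdP stays in the trust metadata. The function names and the second entityID are hypothetical, the sample aggregate is constructed, and the metadata is assumed to have been signature-verified before parsing.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CATEGORY_ATTR = "http://macedir.org/entity-category"
HIDE = "http://refeds.org/category/hide-from-discovery"

# Constructed sample aggregate: two IdPs, the first tagged as in section 5.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://institution.example.com/idp">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://other.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def entity_categories(entity):
    """Return the set of entity-category values in md:Extensions."""
    path = ("md:Extensions/mdattr:EntityAttributes/"
            f"saml:Attribute[@Name='{CATEGORY_ATTR}']/saml:AttributeValue")
    return {(v.text or "").strip() for v in entity.findall(path, NS)}

def split_idps(metadata_xml):
    """Return (shown, hidden) IdP entityIDs for the discovery list only.

    Hidden IdPs are not removed from metadata: SPs may still accept
    their assertions (section 6); this is a display filter, not an ACL.
    """
    root = ET.fromstring(metadata_xml)  # assumption: signature already verified
    shown, hidden = [], []
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue  # the category is defined for IdPs only
        (hidden if HIDE in entity_categories(ent) else shown).append(ent.get("entityID"))
    return shown, hidden
```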