...
Building on earlier work from SeamlessAccess, we are developing a profile that allows SPs to identify a set of IdPs, either individually by entityID or generically by registrationAuthority or entity attribute. SeamlessAccess coined the term “trustinfo”, although we are realising it is actually an entity selection profile.
The first step is to define an entity attribute as a container for transporting selection rules and profiles. This step focusses on the current SAML environment.
There is supporting material in the REFEDS wiki on the Working Group page [WG].
...
- The entity attribute is found in md:EntityDescriptor/md:Extensions/mdattr:EntityAttributes. We recognise that the Entity Attributes specification also allows mdattr:EntityAttributes elements under md:EntitiesDescriptor/md:Extensions, but we rule them out for operational and conceptual reasons.
- There is only one instance of an Entity Selection Profile entity attribute in an entity. Behaviour when more than one is present is not defined by this profile.
- Composition with other sources of filtering (such as SeamlessAccess button) is not defined by this profile
- The value of the entity attribute is a JSON data structure that has been Base64 encoded [Base64]
- Any whitespace before, after or internal to the value must be ignored
...
- Any entity that has a SP role can register this entity attribute
Examples
This example carries a Base64-encoded JSON value that explicitly defines profiles for filtering in SeamlessAccess.
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue>
eyJwcm9maWxlcyI6eyJzd2FtaWQtb25seSI6eyJzdHJpY3QiOnRydWUsImVudGl0aWVzIjpbeyJzZWxl
Y3QiOiJodHRwOi8vd3d3LnN3YW1pZC5zZS8iLCJtYXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIs
ImluY2x1ZGUiOnRydWV9XX0sImVkdWdhaW4iOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOmZhbHNlLCJt
YXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIsInNlbGVjdCI6Imh0dHBzOi8vb3BlbmF0aGVucy5u
ZXQifV0sInN0cmljdCI6IHRydWV9fX0=
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
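The following Python is an added example (not part of the draft profile or any SeamlessAccess code) showing how a consumer applies the transport rules above to the example attribute: it reads only the md:EntityDescriptor-level container, treats more than one instance as an error (the profile leaves that case undefined), strips all whitespace before Base64-decoding, and parses the JSON. The sample metadata wrapping the attribute and its entityID are constructed placeholders.

```python
# Added example, not part of the draft profile: extract and decode the
# Entity Selection Profile attribute following the transport rules above.
import base64
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ATTR_NAME = "https://refeds.org/entity-selection-profile"

# Constructed sample: the attribute from the example above, wrapped in a
# minimal EntityDescriptor. The entityID is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="https://refeds.org/entity-selection-profile">
   <saml:AttributeValue>
eyJwcm9maWxlcyI6eyJzd2FtaWQtb25seSI6eyJzdHJpY3QiOnRydWUsImVudGl0aWVzIjpbeyJzZWxl
Y3QiOiJodHRwOi8vd3d3LnN3YW1pZC5zZS8iLCJtYXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIs
ImluY2x1ZGUiOnRydWV9XX0sImVkdWdhaW4iOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOmZhbHNlLCJt
YXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIsInNlbGVjdCI6Imh0dHBzOi8vb3BlbmF0aGVucy5u
ZXQifV0sInN0cmljdCI6IHRydWV9fX0=
   </saml:AttributeValue>
  </saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""


def entity_selection_profile(metadata_xml: str) -> dict:
    """Return the decoded JSON of the single permitted attribute instance."""
    root = ET.fromstring(metadata_xml)
    # Start from the entity itself: the profile rules out the
    # md:EntitiesDescriptor-level container, so it is never consulted.
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor root")
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    attrs = [a for a in root.findall(path, NS) if a.get("Name") == ATTR_NAME]
    # More than one instance is undefined by the profile; refuse rather than guess.
    if len(attrs) != 1:
        raise ValueError("expected exactly one instance, found %d" % len(attrs))
    value = attrs[0].findtext("saml:AttributeValue", default="", namespaces=NS)
    # Whitespace before, after or inside the Base64 text is ignored.
    b64 = "".join(value.split())
    return json.loads(base64.b64decode(b64, validate=True))
```

In a deployment the metadata would already have been signature-verified and parsed by the SP's metadata library before this step; the stand-alone parser here only illustrates the decoding rules.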
...