...
- Draft 0.1 is our first working document.
- Draft 0.2 will define the entity attribute as a Base64-encoded JSON data structure and define the semantics of a core set of names within that data structure. It is intended that this version will allow federation operators to test the entity attribute.
- Subsequent 0.x drafts will define the contents of the entity attribute and add composition rules.
- All draft versions of the specification will be hosted in the REFEDS wiki. The wiki has versioning enabled, which allows specific drafts to have stable references.
- During community consultation, we will generate a PDF with line numbers to help people wishing to offer feedback.
- Version 1.0 is anticipated to be the first fully-specified profile, and will be hosted . It will be produced as a PDF and recorded on zenodo.org. For easier access, a web-friendly version will be published on the REFEDS website at https://refeds.org/entity-selection-profile.
...
- The entity attribute is found in md:EntityDescriptor/md:Extensions/mdattr:EntityAttributes. We recognise that the Entity Attributes specification also allows md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes elements, but we rule them out for operational and conceptual reasons.
- There is only one instance of an Entity Selection Profile entity attribute in an entity. Behaviour when more than one is present is not defined by this profile.
- Composition with other sources of filtering (such as the SeamlessAccess button) is not defined by this profile.
- The value of the entity attribute is a Base64-encoded string (RFC 4648); Draft 0.2 will define the encoded content as a JSON data structure.
- Any whitespace before, after or internal to the value must be ignored before decoding.
...
The expected consumer of the entity attribute is a discovery service. Federation operators and entity operators are not expected to decode the value.
Semantics of the decoded value are defined by the metadata consumer. Contents may be anything allowed by the configured discovery service, such as:
- The name of a profile defined by the discovery service
- A URL for where to fetch a detailed profile from
- Some XML which defines filtering rules and is interpreted by the discovery service
- Some JSON which defines filtering rules and is interpreted by the discovery service
We recommend that null values, incorrectly encoded values or other errors are treated as if there were no filtering, rather than as making the whole entity's metadata invalid.
...
- Any entity that has an SP role can register this entity attribute.
Examples
This example
...
has an entity attribute with no value
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue />
  </saml:Attribute>
</mdattr:EntityAttributes>
This example contains
...
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue></saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
This example contains a space
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue> </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
...
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue>*</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
This example contains
...
The filtering rule is "hello world"
This example contains a base64-encoded URL
...
The filtering rule is https://example.ac.uk/entity-selection-profile/profile1
This example contains XML which explicitly defines the filtering rules
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue>PHRpOlRydXN0SW5mbyB4bWxuczp0aT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6bWV0YWRhdGE6dHJ1c3RpbmZvIj4KICAgPHRpOlRydXN0UHJvZmlsZSBuYW1lPSJjdXN0b21lciIgc3RyaWN0PSJ0cnVlIj4KICAgICA8dGk6RmFsbGJhY2tIYW5kbGVyPmh0dHBzOi8vd3d3LmV4YW1wbGUub3JnL2Fib3V0PC90aTpGYWxsYmFja0hhbmRsZXI+CiAgICAgPHRpOlRydXN0ZWRFbnRpdGllcyBtYXRjaD0icmVnaXN0cmF0aW9uQXV0aG9yaXR5Ij5leGFtcGxlLmNvbTwvdGk6VHJ1c3RlZEVudGl0aWVzPgogICA8L3RpOlRydXN0UHJvZmlsZT4KPC90aTpUcnVzdEluZm8+Cg==</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
The filtering rule is:
<ti:TrustInfo xmlns:ti="urn:oasis:names:tc:SAML:metadata:trustinfo">
   <ti:TrustProfile name="customer" strict="true">
     <ti:FallbackHandler>https://www.example.org/about</ti:FallbackHandler>
     <ti:TrustedEntities match="registrationAuthority">example.com</ti:TrustedEntities>
   </ti:TrustProfile>
</ti:TrustInfo>
...
This example contains JSON which explicitly defines the filtering rules
<mdattr:EntityAttributes>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="https://refeds.org/entity-selection-profile">
    <saml:AttributeValue>eyJwcm9maWxlcyI6eyJzd2FtaWQtb25seSI6eyJzdHJpY3QiOnRydWUsImVudGl0aWVzIjpbeyJzZWxlY3QiOiJodHRwOi8vd3d3LnN3YW1pZC5zZS8iLCJtYXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIsImluY2x1ZGUiOnRydWV9XX0sInN3YW1pZC1lZHVnYWluIjp7InN0cmljdCI6dHJ1ZSwiZW50aXRpZXMiOlt7InNlbGVjdCI6ImZpbGU6Ly8vb3B0L3B5ZmYvbWV0YWRhdGEvb3BlbmF0aGVucy54bWwiLCJtYXRjaCI6Im1kX3NvdXJjZSIsImluY2x1ZGUiOmZhbHNlfV19fX0=</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
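The examples above are what a discovery service has to cope with: an absent or empty value, whitespace, a value that is not Base64 at all, and decoded content that may be a name, a URL, XML or JSON. The following is an added example of the consumer side in Python, not code from this draft or from any discovery service: it finds the attribute only under md:EntityDescriptor, ignores all whitespace in the value, decodes it, classifies the decoded content, and turns every error into "no filtering" as recommended above. The function names, the entityID https://sp.example.org/shibboleth, the `<rules>` XML in the "xml" sample and the choice to treat two instances of the attribute as "no filtering" (the draft leaves that undefined) are assumptions of this example; the JSON attribute value is the one from the example immediately above, copied verbatim.

```python
"""Consumer-side handling of the Entity Selection Profile entity attribute.

Added example, not code from the REFEDS draft. It locates the attribute at
md:EntityDescriptor/md:Extensions/mdattr:EntityAttributes, strips all whitespace
from the value, Base64-decodes it (RFC 4648) and classifies the decoded content.
Every failure degrades to "no filtering" (None) rather than rejecting the entity.
"""
import base64
import binascii
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_NAME = "https://refeds.org/entity-selection-profile"


def decode_value(raw):
    """Decoded text of one AttributeValue, or None for "no filtering"
    (missing, empty, whitespace-only, invalid Base64 or non-UTF-8)."""
    compact = "".join((raw or "").split())  # ignore leading, trailing and internal whitespace
    if not compact:
        return None
    try:  # validate=True rejects characters outside the Base64 alphabet, such as "*"
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(text):
    """Sort decoded content into JSON rules, XML rules, a profile URL or a profile
    name. What each kind means is up to the discovery service, not the profile."""
    try:
        return ("json", json.loads(text))
    except ValueError:
        pass
    try:
        return ("xml", ET.fromstring(text))
    except ET.ParseError:
        pass
    return ("url", text) if text.startswith(("http://", "https://")) else ("profile", text)


def selection_profile(entity_descriptor_xml):
    """(kind, payload) for one md:EntityDescriptor document, or None for "no filtering"."""
    try:
        root = ET.fromstring(entity_descriptor_xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return None  # the md:EntitiesDescriptor placement is ruled out by the draft
    attrs = root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    matches = [a for a in attrs if a.get("Name") == ATTR_NAME]
    if len(matches) != 1:
        return None  # absent, or the undefined "more than one instance" case (our choice)
    values = matches[0].findall("saml:AttributeValue", NS)
    if len(values) != 1:
        return None
    text = decode_value(values[0].text)
    return None if text is None else classify(text)


def entity_descriptor(*values):
    """Constructed SP metadata (hypothetical entityID) carrying one attribute per value."""
    attributes = "".join(
        '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
        'Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (ATTR_NAME, v) for v in values)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s" '
            'entityID="https://sp.example.org/shibboleth"><md:Extensions>'
            '<mdattr:EntityAttributes>%s</mdattr:EntityAttributes></md:Extensions>'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>' % (NS["md"], NS["mdattr"], NS["saml"], attributes))


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# The draft's own JSON example value, copied verbatim.
JSON_VALUE = ("eyJwcm9maWxlcyI6eyJzd2FtaWQtb25seSI6eyJzdHJpY3QiOnRydWUs"
              "ImVudGl0aWVzIjpbeyJzZWxlY3QiOiJodHRwOi8vd3d3LnN3YW1pZC5zZS8i"
              "LCJtYXRjaCI6InJlZ2lzdHJhdGlvbkF1dGhvcml0eSIsImluY2x1ZGUiOnRydWV9XX0s"
              "InN3YW1pZC1lZHVnYWluIjp7InN0cmljdCI6dHJ1ZSwiZW50aXRpZXMiOlt7"
              "InNlbGVjdCI6ImZpbGU6Ly8vb3B0L3B5ZmYvbWV0YWRhdGEvb3BlbmF0aGVucy54bWwi"
              "LCJtYXRjaCI6Im1kX3NvdXJjZSIsImluY2x1ZGUiOmZhbHNlfV19fX0=")

# Constructed inputs mirroring the draft's examples, plus a line-wrapped and a duplicated value.
SAMPLES = {
    "empty": entity_descriptor(""),
    "space": entity_descriptor(" "),
    "star": entity_descriptor("*"),
    "name": entity_descriptor(b64("hello world")),
    "url": entity_descriptor(b64("https://example.ac.uk/entity-selection-profile/profile1")),
    "xml": entity_descriptor(b64('<rules><deny match="registrationAuthority">http://example.com</deny></rules>')),  # hypothetical rule syntax
    "json": entity_descriptor(JSON_VALUE),
    "wrapped": entity_descriptor("\n  " + JSON_VALUE[:70] + "\n  " + JSON_VALUE[70:] + "\n"),
    "duplicate": entity_descriptor(JSON_VALUE, JSON_VALUE),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, "->", selection_profile(doc))
```

Run as a script it prints one line per sample; the draft's JSON value decodes to a `profiles` object with `swamid-only` and `swamid-edugain` entries, while the empty, whitespace-only, `*` and duplicated cases all come back as None. Two points to keep in mind when turning this into production code: the decoded content is supplied by whoever registered the SP, so a discovery service should cap the decoded size and parse XML with a hardened parser such as defusedxml rather than the stdlib one used here for portability; and `validate=True` is what makes the `*` example fail cleanly, since the default lenient decoder silently discards non-alphabet characters.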
...
- SAML2Meta: OASIS Standard, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
- MetaAttr: SAML V2.0 Metadata Extension for Entity Attributes Version 1.0. Edited by Scott Cantor. 4 August 2009. OASIS Committee Specification. http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cs-01.pdf
- Base64: The Base16, Base32, and Base64 Data Encodings. RFC 4648. October 2006. https://datatracker.ietf.org/doc/html/rfc4648