Adding an entity attribute to every entity from a provider

Wessel, Keith kwessel at
Thu Apr 18 12:00:28 EDT 2019

Thanks, Ian, but that only helps partially. We have a default attribute release policy that applies to any SP from InCommon and any other eduGAIN-exported entity. If I use the items you mentioned below, I'm able to identify if the entity was registered by InCommon. But how can I tell if it was imported by InCommon but registered by another federation and exported?

If I use Scott's approach in my attribute resolver of the absence of elements to determine that the item came from our MDQ provider, I have to maintain entity group or similar attributes for my other providers. This isn't a problem for SPs in our local file-based providers. And I can even make it work for our multi-campus I-Trust federation with minimal effort. But if another source gets added in the future, I have to continue to maintain this exclude list. It seems cleaner to me to just flag each entity retrieved from MDQ as being from the InCommon MDQ provider source.

Alternatively, if InCommon wants to add a new entity attribute to every imported eduGAIN entity saying that it was imported from eduGAIN, I can leverage registered-by-incommon or imported-from-edugain as indicators.


From: users <users-bounces at> On Behalf Of Ian Young
Sent: Wednesday, April 17, 2019 8:26 AM
To: Shib Users <users at>
Subject: Re: Adding an entity attribute to every entity from a provider

On 16 Apr 2019, at 22:46, Wessel, Keith <kwessel at> wrote:

I want to add an entity attribute to every entity from the InCommon MDQ preview to know that it came from InCommon or eduGAIN.

You should find that every entity you access via the MDQ preview already includes a couple of different metadata elements that are relevant:


    <mdrpi:RegistrationInfo xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" registrationAuthority=""/>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

The first is the EntityDescriptor/Extensions/RegistrationInfo/@registrationAuthority. Anything "from" (i.e., registered by) InCommon will have one registrationAuthority value, and anything "from" eduGAIN would have some other value, but the specific value will differ depending on which original registrar was involved.

The other thing you can see in the above example is that there's already an entity attribute which specifically indicates that an entity was registered by InCommon, which sounds like exactly what you want. To a first approximation, certainly right now, if that's missing then the metadata is "from" eduGAIN.

    -- Ian
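
Added example, not part of either message in this thread: a Python sketch that reads the two signals discussed above (the `registrationAuthority` attribute and a "registered by" entity attribute) from one EntityDescriptor and cross-checks them before the result feeds a release decision. `HOME_REGISTRAR`, `MARKER_NAME`, `MARKER_VALUE`, `classify` and `sample` are hypothetical names with placeholder values, and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholders (assumptions): substitute the values your federation publishes.
HOME_REGISTRAR = "https://registrar.example.org"
MARKER_NAME = "https://example.org/entity-category"
MARKER_VALUE = "https://registrar.example.org/category/registered-by-home"


def classify(entity_xml):
    """Return (registrationAuthority, origin) for one EntityDescriptor."""
    ext = ET.fromstring(entity_xml).find("md:Extensions", NS)
    info = ext.find("mdrpi:RegistrationInfo", NS) if ext is not None else None
    authority = info.get("registrationAuthority") if info is not None else None
    marked = ext is not None and any(
        (v.text or "").strip() == MARKER_VALUE
        for a in ext.findall("mdattr:EntityAttributes/saml:Attribute", NS)
        if a.get("Name") == MARKER_NAME
        for v in a.findall("saml:AttributeValue", NS)
    )
    if not authority:
        origin = "unknown"      # metadata silent: do not assume either source
    elif (authority == HOME_REGISTRAR) != marked:
        origin = "conflict"     # the two signals disagree; flag for review
    else:
        origin = "registered" if marked else "imported"
    return authority, origin


def sample(authority=None, marker=False):
    """Build a constructed EntityDescriptor for the demo below."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    rpi = f'<mdrpi:RegistrationInfo registrationAuthority="{authority}"/>' if authority else ""
    attr = (f'<mdattr:EntityAttributes><saml:Attribute Name="{MARKER_NAME}">'
            f"<saml:AttributeValue>{MARKER_VALUE}</saml:AttributeValue>"
            "</saml:Attribute></mdattr:EntityAttributes>") if marker else ""
    return (f'<md:EntityDescriptor {xmlns} entityID="https://sp.example.org/shibboleth">'
            f"<md:Extensions>{rpi}{attr}</md:Extensions></md:EntityDescriptor>")


if __name__ == "__main__":
    for args in [(HOME_REGISTRAR, True), ("https://other-fed.example.net", False),
                 ("https://other-fed.example.net", True), (None, False)]:
        print(args, "->", classify(sample(*args)))
```

The "unknown" and "conflict" outcomes are the cases where a default release policy keyed on a single signal would silently pick a side.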
