Metadata aggregator, federation named groupID for filters

Ian Young ian at iay.org.uk
Thu Jun 17 08:43:04 UTC 2021



> On 2021-06-16, at 17:05, Jehan PROCACCIA <jehan.procaccia at tem-tsp.eu> wrote:
> 
> Hello,
> I've been using this tool for a long time:
> https://wiki.shibboleth.net/confluence/display/MA1
> to aggregate metadata in my federation (an old 0.7 version ...)

I'm sure 0.7 is working great for you, but it's been a long time since it was obsoleted (by 0.8.0 in 2013) and you should really migrate to the latest version if you can. It's not that any of the code will stop working so much as it's impossible to support something that is that far in the rear-view mirror.


> but I cannot find a way to tell it to "name" the aggregated metadata so that this name can be used ultimately as a groupID in attribute filters, as in
> <PolicyRequirementRule xsi:type="InEntityGroup" groupID="https://federation.renater.fr/test/"/>
> 
> Is MA1 capable of naming an aggregate?

If you're using the EntitiesDescriptorAssemblerStage to assemble your aggregate, its descriptorName property (stage.setDescriptorName() method) allows you to set the Name attribute. I _think_ that was present in 0.7, but that version is not supported in any way.

If you're assembling your aggregate in some other way, you could probably use an XSLT stage. Again, I _think_ that was available in the version you're using.

Having said which, you probably want to be wary of relying on the EntitiesDescriptor/@Name as a group name, as it's obviously not applicable in any situation in which the aggregate isn't available, e.g. in an MDQ-style per-entity world.


> Regarding aggregate name conventions, I see in InCommon metadata this name, for example:
> ID="INC20210616T153332" Name="urn:mace:incommon" validUntil="2021-06-30T15:33:32Z"
> 
> and here in France, Renater has
> Name="https://federation.renater.fr/test/" ID="_20210616T150017Z" validUntil="2021-06-25T15:00:17Z" cacheDuration="PT1H"
> 
> Does the name have to be a URL and/or a URN?


The specification just says "A string name that identifies a group of SAML entities in the context of some deployment." So there are really no standards-imposed constraints here. Most federations have used a URI of some form, and each federation that uses Name has chosen something they thought was sensible. It's often the same as the registrar URI given on individual entities, which is the modern replacement for this scheme and works just fine in a per-entity world.

In the UK federation, for example (highly edited):

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    ID="_" Name="http://ukfederation.org.uk" cacheDuration="PT6H0M0.000S" validUntil="2021-07-06T00:00:00Z">
    <Extensions>
        <mdrpi:PublicationInfo creationInstant="2021-06-15T00:00:00Z" publisher="http://ukfederation.org.uk"/>
    </Extensions>

    <EntityDescriptor entityID="https://idp2.iay.org.uk/idp/shibboleth">
        <Extensions>
            <shibmd:Scope regexp="false">iay.org.uk</shibmd:Scope>

            <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk" registrationInstant="2007-03-30T16:36:00Z">
                <mdrpi:RegistrationPolicy xml:lang="en">http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
            </mdrpi:RegistrationInfo>
        </Extensions>
        <!-- remainder of this entity omitted -->
    </EntityDescriptor>
    <!-- further entities omitted -->
</EntitiesDescriptor>

Cheers,

    -- Ian
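An added example, not code from this thread or from the MA1 project, showing the distinction Ian draws above: group membership derived from EntitiesDescriptor/@Name exists only when the aggregate itself is present, while the per-entity mdrpi:RegistrationInfo/@registrationAuthority still yields a group in an MDQ-style per-entity lookup. The entityIDs and group URIs are constructed sample values, and the membership check is modelled on, not taken from, the IdP's InEntityGroup rule.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the thread's metadata excerpts (SAML metadata and the mdrpi extension).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
ENTITIES = f"{{{NS['md']}}}EntitiesDescriptor"
ENTITY = f"{{{NS['md']}}}EntityDescriptor"

def entity_groups(metadata_xml):
    """Return {entityID: set of group identifiers}: the Name of every enclosing
    EntitiesDescriptor (aggregate only) plus the entity's own registrationAuthority."""
    groups = {}

    def walk(node, inherited):
        if node.tag == ENTITIES:
            name = node.get("Name")  # aggregate-level group name, may be absent
            for child in node:
                walk(child, inherited | ({name} if name else set()))
        elif node.tag == ENTITY:
            ids = set(inherited)
            reg = node.find("md:Extensions/mdrpi:RegistrationInfo", NS)
            if reg is not None and reg.get("registrationAuthority"):
                ids.add(reg.get("registrationAuthority"))  # registrar URI, per entity
            groups[node.get("entityID")] = ids

    walk(ET.fromstring(metadata_xml), set())
    return groups

def in_entity_group(metadata_xml, entity_id, group_id):
    """Membership test in the spirit of the InEntityGroup policy rule (modelled, not copied)."""
    return group_id in entity_groups(metadata_xml).get(entity_id, set())

# Constructed sample aggregate: group Name on the EntitiesDescriptor, registrar URI per entity.
AGGREGATE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" Name="https://federation.example.org/test/">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org/"/></Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.net/shibboleth"/>
</EntitiesDescriptor>"""

# The same IdP fetched per-entity (MDQ style): no EntitiesDescriptor, so no Name to inherit.
PER_ENTITY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" entityID="https://idp.example.org/idp/shibboleth">
  <Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org/"/></Extensions>
</EntityDescriptor>"""
```

Run against the two documents, the aggregate Name matches only while the aggregate is loaded, whereas the registrar URI matches in both cases, which is why Ian suggests it as the modern replacement.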



