...
This is done by creating a profile that contains filtering rules, transforming it into a JSON blob, publishing this blob to the federation metadata, and then referencing the profile name in the discovery service configuration.
Parameters available to filter the discovery search results
...
```xml
<md:EntityDescriptor>
  <md:Extensions>
    <mdattr:EntityAttributes>
      <samla:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       Name="https://refeds.org/entity-selection-profile">
        <!-- base64-encoded JSON blob holding the profile(s) -->
        <samla:AttributeValue>
          eyJwcm9maWxlcyI6eyJzaXJ0ZmkiOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOnRydWUsIm1hdGNoIjoi
          YXNzdXJhbmNlX2NlcnRpZmljYXRpb24iLCJzZWxlY3QiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZp
          In1dLCJzdHJpY3QiOiB0cnVlfX19
        </samla:AttributeValue>
      </samla:Attribute>
    </mdattr:EntityAttributes>
    …
  </md:Extensions>
  <md:SPSSODescriptor>
    …
  </md:SPSSODescriptor>
  …
</md:EntityDescriptor>
```
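The publishing step described above (profile, JSON blob, base64 inside `samla:AttributeValue`) can be checked before a `trustProfile` name is wired into the SP configuration. The following is an added example, not SeamlessAccess code: the function names, the sample entityID and the namespace declarations on the wrapper are assumptions, and the blob is the one shown above.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = {  # standard SAML metadata namespaces
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "samla": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PROFILE_ATTR = "https://refeds.org/entity-selection-profile"

# Constructed sample: the page's AttributeValue inside a minimal descriptor.
# The entityID is a placeholder; real metadata must be signature-checked first.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:samla="{NS['samla']}" entityID="https://sp.example.com/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <samla:Attribute Name="{PROFILE_ATTR}"><samla:AttributeValue>
      eyJwcm9maWxlcyI6eyJzaXJ0ZmkiOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOnRydWUsIm1hdGNoIjoi
      YXNzdXJhbmNlX2NlcnRpZmljYXRpb24iLCJzZWxlY3QiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZp
      In1dLCJzdHJpY3QiOiB0cnVlfX19
    </samla:AttributeValue></samla:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""

def encode_profiles(profiles):
    """Serialise {name: rules} to the base64 JSON blob placed in metadata."""
    doc = json.dumps({"profiles": profiles}, separators=(",", ":"))
    return base64.b64encode(doc.encode("utf-8")).decode("ascii")

def decode_profiles(metadata_xml):
    """Return every profile published in an EntityDescriptor as {name: rules}."""
    profiles = {}
    root = ET.fromstring(metadata_xml)
    for attr in root.iterfind(".//mdattr:EntityAttributes/samla:Attribute", NS):
        if attr.get("Name") != PROFILE_ATTR:
            continue
        for value in attr.iterfind("samla:AttributeValue", NS):
            blob = "".join((value.text or "").split())  # undo line wrapping
            doc = json.loads(base64.b64decode(blob, validate=True))
            profiles.update(doc.get("profiles", {}))
    return profiles

def resolve_trust_profile(metadata_xml, name):
    """Fail closed when the name used in trustProfile= is not published."""
    profiles = decode_profiles(metadata_xml)
    if name not in profiles:
        raise LookupError(f"trust profile {name!r} not found in metadata")
    return profiles[name]

if __name__ == "__main__":
    print(json.dumps(resolve_trust_profile(SAMPLE, "sirtfi"), indent=2))
```

Decoding the published value this way shows that the blob above defines a single profile named `sirtfi`, which is the name a `trustProfile` parameter would have to reference.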
The metadata is updated every 30 minutes
Under normal circumstances SeamlessAccess updates the information from our metadata sources once every 30 minutes. This is done through aggregating and updating the new information.
For a service provider, this means an update made to the metadata of one of the sources SeamlessAccess uses (for example, new filtering information) can be seen in the discovery service within an hour (30 minutes + a few minutes for the information to be propagated to all corners of the service).
Using a profile with SeamlessAccess
To use a trust profile to pre-filter the results returned by the Discovery Service, you have to add an entityID and trustProfile parameter to the URL of the discovery service configured in the SP software. For a Shibboleth SP, this could look something like this:
```xml
<SessionInitiator type="Chaining" Location="/DS/some-profile-name" id="some-profile-name">
  <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  <SessionInitiator type="SAMLDS" URL="https://your.discovery.service/ds/?trustProfile=some-profile-name"/>
</SessionInitiator>
```
You would then construct the DiscoveryComponent as follows:
...
Alternatively, without needing to use Shibboleth or modify its configuration, it is possible to use a trust profile by setting “discoveryRequest” to point to an instance of the Discovery Service provided by this package, and discoveryResponse to a different URL or callable to handle the discovery response.
```html
<!-- script elements need an explicit closing tag in HTML -->
<script src="https://your.service/thiss.js"></script>
<div id="login"> </div>
<script>
  window.onload = function() {
    thiss.DiscoveryComponent({
      discoveryRequest: 'https://your.service/ds/',
      discoveryResponse: 'https://sp.example.com/Shibboleth.sso/Login?target=/some-resource/',
      entityID: 'https://your.entity/ID',
      trustProfile: 'some-profile-name'
    }).render('#login');
  };
</script>
```
...