Filtering search results - indicating which IdP:s are supported


The filtering functionality enables service providers that use SeamlessAccess’ Standard Mode to customize the list of IdPs (the list of entities) that is presented to their end-users in the IdP discovery (also known as “Where-Are-You-From” or WAYF).

This is done by creating a profile that contains filtering rules, transforming it into a JSON blob, publishing this blob to the federation metadata, and then referencing the profile name in the discovery service configuration.

Parameters available to filter the discovery search results

The parameters available to filter by are as follows:

<enumeration value="md_source"/>
<enumeration value="registrationAuthority"/>
<enumeration value="entity_category"/>
<enumeration value="entity_category_support"/>
<enumeration value="assurance_certification"/>

md_source

The md_source parameter is specific to SeamlessAccess: it refers to the name of the metadata feed an entity was loaded from. The feeds below can be used for filtering by referencing their name exactly as the “md_source” value.

eduGAIN
"file:///opt/pyff/metadata/eduGAIN.xml"

InCommon
"file:///opt/pyff/metadata/incommon.xml"

SWAMID
"file:///opt/pyff/metadata/swamid-registered.xml"

OpenAthens
"file:///opt/pyff/metadata/openathens.xml"

registrationAuthority, entity_category, entity_category_support and assurance_certification

These values can be used to filter IdPs that meet certain search criteria. They are not specific to SeamlessAccess, so the values they may contain are found in the federation metadata.
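To see how the five parameters are used in practice, here is an added example (not code from SeamlessAccess, thiss.js or pyFF) that evaluates filtering rules against a few constructed entity records and reports which IdPs would remain in the discovery list. The rule shape ({"include", "match", "select"} plus "strict") is the one used in the profile JSON later on this page; the matching semantics implemented here are assumptions: a rule matches when "select" equals one of the entity's values for the "match" parameter, an "include": false rule removes matching entities, and with "strict": true only entities matched by an include rule are shown.

```python
"""Preview which IdPs a filtering profile would leave in the discovery list.

Added example, not code from SeamlessAccess, thiss.js or pyFF. The entity
records are constructed, and the matching semantics (see the comments in
apply_profile) are assumptions, not the documented behaviour of the service.
"""

# The five parameters the discovery filter can match on (from the page).
FILTER_PARAMETERS = (
    "md_source",
    "registrationAuthority",
    "entity_category",
    "entity_category_support",
    "assurance_certification",
)

# Constructed sample entities in the shape an aggregator might expose after
# loading federation metadata. md_source values are the feed names listed on
# this page; the other values are illustrative only.
ENTITIES = [
    {
        "entityID": "https://idp.example.edu/idp/shibboleth",
        "md_source": "file:///opt/pyff/metadata/incommon.xml",
        "registrationAuthority": "https://incommon.org",
        "entity_category": ["http://refeds.org/category/research-and-scholarship"],
        "entity_category_support": [],
        "assurance_certification": ["https://refeds.org/sirtfi"],
    },
    {
        "entityID": "https://idp.example.se/idp",
        "md_source": "file:///opt/pyff/metadata/swamid-registered.xml",
        "registrationAuthority": "http://www.swamid.se/",
        "entity_category": ["http://refeds.org/category/research-and-scholarship"],
        "entity_category_support": ["http://refeds.org/category/research-and-scholarship"],
        "assurance_certification": [],
    },
    {
        "entityID": "https://idp.example.org/idp",
        "md_source": "file:///opt/pyff/metadata/eduGAIN.xml",
        "registrationAuthority": "https://example.org/federation",
        "entity_category": [],
        "entity_category_support": [],
        "assurance_certification": ["https://refeds.org/sirtfi"],
    },
]

# The body of the "sirtfi" profile used later on this page.
SIRTFI_RULES = {
    "entities": [
        {"include": True, "match": "assurance_certification",
         "select": "https://refeds.org/sirtfi"}
    ],
    "strict": True,
}


def rule_matches(rule: dict, entity: dict) -> bool:
    """True when the entity carries rule["select"] under the rule["match"] parameter."""
    param = rule["match"]
    if param not in FILTER_PARAMETERS:
        raise ValueError(f"unsupported match parameter: {param!r}")
    values = entity.get(param, [])
    if isinstance(values, str):   # md_source / registrationAuthority are single-valued
        values = [values]
    return rule["select"] in values


def apply_profile(profile: dict, entities: list) -> list:
    """Return the entityIDs that would be shown for this profile.

    Assumed semantics: an exclude rule always wins; with "strict": true only
    entities matched by an include rule remain, otherwise every entity that is
    not excluded stays in the list.
    """
    rules = profile["entities"]
    strict = bool(profile.get("strict", False))
    shown = []
    for entity in entities:
        included = any(r["include"] and rule_matches(r, entity) for r in rules)
        excluded = any(not r["include"] and rule_matches(r, entity) for r in rules)
        if excluded:
            continue
        if included or not strict:
            shown.append(entity["entityID"])
    return shown


if __name__ == "__main__":
    print("sirtfi (strict):", apply_profile(SIRTFI_RULES, ENTITIES))
    no_edugain = {"entities": [{"include": False, "match": "md_source",
                                "select": "file:///opt/pyff/metadata/eduGAIN.xml"}],
                  "strict": False}
    print("everything except the eduGAIN feed:", apply_profile(no_edugain, ENTITIES))
```

Running the module prints the two previews; the strict Sirtfi profile keeps only the two entities asserting the certification, while the non-strict exclude rule keeps everything that did not come from the eduGAIN feed.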

Creating the profile and publishing to your identity federation

Set up the rules of your profile in JSON format. This could look something like:

{
  "profiles": {
    "sirtfi": {
      "entities": [
        {
          "include": true,
          "match": "assurance_certification",
          "select": "https://refeds.org/sirtfi"
        }
      ],
      "strict": true
    }
  }
}

This should then be minified to save space in the XML. The result should look like this:

{"profiles":{"sirtfi":{"entities":[{"include":true,"match":"assurance_certification","select":"https://refeds.org/sirtfi"}],"strict":true}}}

This in turn should be Base64 encoded. The result would look something like this:

eyJwcm9maWxlcyI6eyJzaXJ0ZmkiOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOnRydWUsIm1hdGNoIjoiYXNzdXJhbmNlX2NlcnRpZmljYXRpb24iLCJzZWxlY3QiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZpIn1dLCJzdHJpY3QiOiB0cnVlfX19

This is the Base64 encoded blob that you add to your metadata and publish to your federation.

<md:EntityDescriptor>
  <md:Extensions>
    <mdattr:EntityAttributes>
      <samla:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       Name="https://refeds.org/entity-selection-profile">
        <samla:AttributeValue>eyJwcm9maWxlcyI6eyJzaXJ0ZmkiOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOnRydWUsIm1hdGNoIjoiYXNzdXJhbmNlX2NlcnRpZmljYXRpb24iLCJzZWxlY3QiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZpIn1dLCJzdHJpY3QiOiB0cnVlfX19</samla:AttributeValue>
      </samla:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
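The whole publishing procedure above (JSON profile, minify, Base64, entity attribute in the SP metadata) as an added example in Python; this is not code from SeamlessAccess, thiss.js or pyFF. Besides producing the blob and the metadata fragment it also runs the reverse check a publisher should do before pushing metadata to a federation: decode what is in the AttributeValue, confirm it is the intended profile, and lint the rules for the kind of mistake that silently matches nothing (an unknown parameter name, or a stray space in a select value). The namespace URIs are the standard SAML 2.0 ones for the md, mdattr and samla prefixes; the entityID is a placeholder.

```python
"""Build, encode, embed and verify a SeamlessAccess trust profile.

Added example, not code from SeamlessAccess, thiss.js or pyFF. It follows the
steps described above (JSON profile -> minified JSON -> Base64 -> entity
attribute in SP metadata) and then checks the result by decoding it again.
"""
import base64
import json
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs for the prefixes used in the fragment above.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "samla": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PROFILE_ATTR_NAME = "https://refeds.org/entity-selection-profile"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FILTER_PARAMETERS = {"md_source", "registrationAuthority", "entity_category",
                     "entity_category_support", "assurance_certification"}

# The profile from this page.
SIRTFI_PROFILE = {
    "profiles": {
        "sirtfi": {
            "entities": [{"include": True, "match": "assurance_certification",
                          "select": "https://refeds.org/sirtfi"}],
            "strict": True,
        }
    }
}

# The Base64 blob shown on this page, as emitted by a line-wrapping encoder.
PAGE_BLOB = ("eyJwcm9maWxlcyI6eyJzaXJ0ZmkiOnsiZW50aXRpZXMiOlt7ImluY2x1ZGUiOnRydWUsIm1hdGNoIjoi "
             "YXNzdXJhbmNlX2NlcnRpZmljYXRpb24iLCJzZWxlY3QiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZp "
             "In1dLCJzdHJpY3QiOiB0cnVlfX19")


def lint_profile(profile: dict) -> list:
    """Return a list of problems; an empty list means the profile looks well-formed."""
    problems = []
    profiles = profile.get("profiles") or {}
    if not profiles:
        problems.append("no profiles defined")
    for name, body in profiles.items():
        if not isinstance(body.get("strict"), bool):
            problems.append(f"{name}: 'strict' must be a boolean")
        for i, rule in enumerate(body.get("entities") or []):
            where = f"{name}/entities[{i}]"
            if not isinstance(rule.get("include"), bool):
                problems.append(f"{where}: 'include' must be a boolean")
            if rule.get("match") not in FILTER_PARAMETERS:
                problems.append(f"{where}: unknown match parameter {rule.get('match')!r}")
            select = rule.get("select")
            if not isinstance(select, str) or not select:
                problems.append(f"{where}: 'select' must be a non-empty string")
            elif select != select.strip():
                # A stray space means the value never equals anything in metadata.
                problems.append(f"{where}: 'select' has leading/trailing whitespace")
    return problems


def minify(profile: dict) -> str:
    """JSON without any whitespace, to keep the XML small."""
    return json.dumps(profile, separators=(",", ":"))


def encode_profile(profile: dict) -> str:
    """Minified JSON -> single-line Base64, ready for the AttributeValue."""
    return base64.b64encode(minify(profile).encode("utf-8")).decode("ascii")


def decode_profile(blob: str) -> dict:
    """Reverse of encode_profile; tolerates whitespace from line-wrapped blobs."""
    return json.loads(base64.b64decode("".join(blob.split())))


def embed_in_metadata(entity_id: str, blob: str) -> str:
    """Wrap the blob in the EntityAttributes extension of a minimal SP descriptor."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    ed = ET.Element(f"{{{NS['md']}}}EntityDescriptor", entityID=entity_id)
    ext = ET.SubElement(ed, f"{{{NS['md']}}}Extensions")
    ea = ET.SubElement(ext, f"{{{NS['mdattr']}}}EntityAttributes")
    attr = ET.SubElement(ea, f"{{{NS['samla']}}}Attribute",
                         NameFormat=URI_NAME_FORMAT, Name=PROFILE_ATTR_NAME)
    ET.SubElement(attr, f"{{{NS['samla']}}}AttributeValue").text = blob
    ET.SubElement(ed, f"{{{NS['md']}}}SPSSODescriptor",
                  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    return ET.tostring(ed, encoding="unicode")


def extract_profile(metadata_xml: str) -> dict:
    """Find the entity-selection-profile attribute in metadata and decode it."""
    root = ET.fromstring(metadata_xml)
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/samla:Attribute", NS):
        if attr.get("Name") == PROFILE_ATTR_NAME:
            value = attr.find("samla:AttributeValue", NS)
            return decode_profile(value.text or "")
    raise ValueError("no entity-selection-profile attribute found")


if __name__ == "__main__":
    assert lint_profile(SIRTFI_PROFILE) == []
    blob = encode_profile(SIRTFI_PROFILE)
    doc = embed_in_metadata("https://sp.example.org/shibboleth", blob)  # placeholder entityID
    print(doc)
    assert extract_profile(doc) == SIRTFI_PROFILE
    print("page blob decodes to the same profile:", decode_profile(PAGE_BLOB) == SIRTFI_PROFILE)
```

Note that the blob on this page was produced by an encoder that wraps at 80 columns; decode_profile strips that whitespace before decoding, and encode_profile always emits a single line so the value can be pasted into the AttributeValue as-is.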

The metadata is updated every 30 minutes

Under normal circumstances SeamlessAccess refreshes the information from our metadata sources once every 30 minutes, by re-aggregating the sources and updating the discovery data.

For a service provider, this means that an update made to the metadata of one of the sources SeamlessAccess uses (for example, new filtering information) becomes visible in the discovery service within an hour (30 minutes plus a few minutes for the information to propagate to all parts of the service).

Using a profile with SeamlessAccess

To use a trust profile to pre-filter the results returned by the Discovery Service, add the entityID and trustProfile parameters to the discovery service URL configured in the SP software. For a Shibboleth SP this could look something like this:

<SessionInitiator type="Chaining" Location="/DS/some-profile-name" id="some-profile-name">
  <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  <SessionInitiator type="SAMLDS" URL="https://your.discovery.service/ds/?trustProfile=some-profile-name"/>
</SessionInitiator>

You would then construct the DiscoveryComponent as follows:

<script src="https://your.service/thiss.js"></script>
<div id="login"></div>
<script>
  window.onload = function () {
    thiss.DiscoveryComponent({
      loginInitiatorURL: 'https://sp.example.com/Shibboleth.sso/DS/some-profile-name?target=/some-resource/',
      entityID: 'https://your.entity/ID',
      trustProfile: 'some-profile-name'
    }).render('#login');
  };
</script>

Alternatively, without using Shibboleth or modifying its configuration, the trust profile can be applied by setting “discoveryRequest” to an instance of the Discovery Service provided by this package, and “discoveryResponse” to a different URL (or a callable) that handles the discovery response.

<script src="https://your.service/thiss.js"></script>
<div id="login"></div>
<script>
  window.onload = function () {
    thiss.DiscoveryComponent({
      discoveryRequest: 'https://your.service/ds/',
      discoveryResponse: 'https://sp.example.com/Shibboleth.sso/Login?target=/some-resource/',
      entityID: 'https://your.entity/ID',
      trustProfile: 'some-profile-name'
    }).render('#login');
  };
</script>

REFEDS Entity Selection Profile - entity attributes

The REFEDS working group has developed a profile that can allow SPs to identify a set of IdPs, either by entityID or generically by registrationAuthority or entity attribute.

https://refeds.org/entity-selection-profile

The background work for this came out of the REFEDS working group of the same name, whose documentation can be found here:

https://wiki.refeds.org/display/GROUPS/Entity+Selection+Profile+entity+attribute
