UK federation: transition from HideFromWAYF to entity category

Posted on Monday, 13 July 2015

An announcement was recently sent out to everyone listed as a technical or administrative contact for an entity registered with the UK Access Management Federation for Education and Research. Its purpose is to inform them of changes to the way in which the UK federation represents discoverability of identity providers in published metadata, and to outline the actions that they may want to take as a result.

Operators of systems that do not make use of the wayf:HideFromWAYF element in UK federation metadata can ignore this message.

Operators of systems that do make use of the wayf:HideFromWAYF element in UK federation metadata can begin moving to the new mechanism now, ahead of the transition currently planned for 19-Oct-2015.

Operators SHOULD ENSURE that the material below is reviewed by their technical staff as soon as possible, so that any appropriate reconfiguration can take place before the transition.

Identity Provider Discoverability Metadata

Entity metadata published by the UK federation has for many years included an optional indication that an identity provider should be "less discoverable". It looks like this:

    <wayf:HideFromWAYF/>

This was originally used only by the UK federation's Central Discovery Service (CDS) to exclude some identity providers from the list normally presented, so that for example pre-production or experimental identity providers are not available for selection unless the "Search over All Sites" option is used. It is also used by some service providers.

As described in the Federation Technical Specifications, the intention has always been to replace this metadata extension with a globally interoperable equivalent when one emerged. Since November 2014, UK federation metadata has therefore also included the Hide From Discovery Entity Category entity attribute, as described here:

https://refeds.org/category/hide-from-discovery

At the time of writing, these two mechanisms operate in synchrony within the UK federation's production metadata aggregate.

The old HideFromWAYF indicator was removed from the UK federation's test aggregate in December 2014. The HideFromWAYF indicator will be removed from the UK federation production metadata aggregate on Monday, 19-Oct-2015, leaving only the new, internationally interoperable, Hide From Discovery entity category in use.
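A practical check before the cut-over is to parse an aggregate and confirm that, for every identity provider, the old wayf:HideFromWAYF extension and the new Hide From Discovery entity category agree; any identity provider carrying only one of the two will change visibility once the old indicator is removed. The following script is an added example, not UK federation tooling. It uses only the Python standard library, the namespace URIs shown in the announcement, and a constructed sample aggregate (no real UK federation entities) that includes one entity per combination of the two signals plus a service provider that a filter must ignore.

```python
"""Compare the old and new "hidden identity provider" signals in a SAML aggregate.

Added example (not UK federation code). Reports which IdPs carry
wayf:HideFromWAYF, which carry the Hide From Discovery entity category,
and which would change visibility when only the entity category remains.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    # Namespace of the UK federation's wayf:HideFromWAYF extension.
    "wayf": "http://sdss.ac.uk/2006/06/WAYF",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed sample aggregate (entity IDs are invented for illustration).
SAMPLE_AGGREGATE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF" Name="urn:example:sample-aggregate">
  <EntityDescriptor entityID="https://idp-both.example.ac.uk/idp/shibboleth">
    <Extensions>
      <wayf:HideFromWAYF/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue> http://refeds.org/category/hide-from-discovery </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp-old-only.example.ac.uk/idp/shibboleth">
    <Extensions><wayf:HideFromWAYF/></Extensions>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp-visible.example.ac.uk/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <Extensions><wayf:HideFromWAYF/></Extensions>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def has_hide_from_wayf(entity):
    """True if the entity's own Extensions carry the legacy wayf:HideFromWAYF."""
    return entity.find("md:Extensions/wayf:HideFromWAYF", NS) is not None


def entity_categories(entity):
    """Return the set of entity-category values declared via mdattr:EntityAttributes."""
    categories = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        name_format = attr.get("NameFormat")
        if name_format is not None and name_format != URI_NAME_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                # Trim surrounding whitespace, as trimTags="true" does in the SP filter.
                categories.add(value.text.strip())
    return categories


def classify(aggregate_xml):
    """Map each IdP entityID to (has_old_indicator, has_new_category)."""
    root = ET.fromstring(aggregate_xml)
    results = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # only identity providers matter for discovery
        old = has_hide_from_wayf(entity)
        new = HIDE_FROM_DISCOVERY in entity_categories(entity)
        results[entity.get("entityID")] = (old, new)
    return results


def out_of_sync(results):
    """IdPs whose visibility changes once only the entity category is consulted."""
    return sorted(eid for eid, (old, new) in results.items() if old != new)


def hidden_after_transition(results):
    """IdPs that a category-based DiscoveryFilter will hide."""
    return sorted(eid for eid, (_, new) in results.items() if new)


if __name__ == "__main__":
    summary = classify(SAMPLE_AGGREGATE)
    for eid, (old, new) in sorted(summary.items()):
        print("%-55s HideFromWAYF=%s hide-from-discovery=%s" % (eid, old, new))
    print("Out of sync:", out_of_sync(summary))
    print("Hidden after transition:", hidden_after_transition(summary))
```

Run it against a downloaded copy of the production aggregate by replacing SAMPLE_AGGREGATE with the file contents; an empty "Out of sync" list means the two mechanisms agree and the removal of HideFromWAYF will not change which identity providers your discovery interface shows. The service provider in the sample is skipped deliberately: only entities with an IDPSSODescriptor are candidates for a discovery list.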

If your systems make use of HideFromWAYF, you must update them to use the new entity category. For example, with the Shibboleth Service Provider v2.5 or later, a DiscoveryFilter can be added to exclude "hidden" identity providers from an accompanying Embedded Discovery Service (EDS):

    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />

More details can be found on the following pages:

http://www.ukfederation.org.uk/content/Documents/Setup2SP#hide-from-discovery

or http://tinyurl.com/nhrfzaj

https://wiki.shibboleth.net/confluence/x/tYBC

Please contact the UK federation helpdesk on service at ukfederation.org.uk if you have any additional questions about this update.

Edited by SteveGlover on 13 July 2015, at 02:27 PM