...

A response from an IdP contains the KeyInfo identity of the IdP. We use this to locate the IdP's metadata and pass its entity ID in the environment variable Shib_Identity_Provider. Other attribute processing is the same as for a normal SAML2 IdP response.

Self-issued cards

(Not presently supported)

A self-issued card is identified by a unique RSA key modulus; the entity ID is always the same. We could collect these keys by some external mechanism and load them into a standard metadata file. However, the SP isn't coded to look up peers efficiently by RSA key when many entries share an identical entity ID. A better approach might be an extension somewhat like the dynamic metadata generator, but one that efficiently searches a large list of RSA modulus data.

A response from a self-issued personal card contains a unique public key modulus and exponent. A hash of this information is passed in the environment variable Shib_Infocard_Key. Other card claims are passed in the same way as for a normal SAML2 IdP response.
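The following is an added example, not code from the Shibboleth SP, showing the lookup the two paragraphs above describe: pull the RSA modulus and exponent out of the ds:KeyInfo/ds:RSAKeyValue a self-issued card's assertion carries, derive a stable fingerprint from them, and use that fingerprint (not the shared entity ID) as the key into a registry of known cards and as the value exported as Shib_Infocard_Key. The fingerprint construction (SHA-256 over length-prefixed minimal big-endian encodings of n and e), the registry shape, and the sample key integers are all assumptions made here; the page does not specify how the SP hashes the key.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _minimal_be(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer (no leading zero octets)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def _b64(n: int) -> str:
    return base64.b64encode(_minimal_be(n)).decode("ascii")


# Constructed sample key material: NOT real RSA keys, just distinct integers so
# that two cards can be told apart. Every self-issued card shares one entity ID,
# so only the key can distinguish them.
SAMPLE_MODULUS = int("0123456789ABCDEF" * 4, 16)
SAMPLE_EXPONENT = 65537
OTHER_MODULUS = SAMPLE_MODULUS + 2


def keyinfo_xml(modulus: int, exponent: int, wrap: bool = False) -> str:
    """Build the ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue fragment a self-issued
    card's assertion carries. wrap=True line-wraps the base64 the way many
    XML-DSig producers do, to show the parser tolerates it."""
    mod_b64 = _b64(modulus)
    if wrap:
        mod_b64 = "\n".join(mod_b64[i:i + 16] for i in range(0, len(mod_b64), 16))
    return (
        f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:KeyValue><ds:RSAKeyValue>'
        f"<ds:Modulus>{mod_b64}</ds:Modulus><ds:Exponent>{_b64(exponent)}</ds:Exponent>"
        "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>"
    )


def extract_rsa_key(xml_text: str) -> Tuple[int, int]:
    """Return (modulus, exponent) from a KeyInfo fragment; raise if there is none."""
    root = ET.fromstring(xml_text)
    mod = root.find(f".//{{{DS_NS}}}Modulus")
    exp = root.find(f".//{{{DS_NS}}}Exponent")
    if mod is None or exp is None or not mod.text or not exp.text:
        raise ValueError("KeyInfo carries no RSAKeyValue")
    # Decode to integers so whitespace, line wrapping and any leading zero octet
    # in the CryptoBinary text cannot yield two identities for one key.
    n = int.from_bytes(base64.b64decode("".join(mod.text.split())), "big")
    e = int.from_bytes(base64.b64decode("".join(exp.text.split())), "big")
    return n, e


def key_fingerprint(n: int, e: int) -> str:
    """Assumed fingerprint: SHA-256 over len(n)||n||len(e)||e with minimal
    big-endian encodings. The length prefixes keep n||e unambiguous."""
    nb, eb = _minimal_be(n), _minimal_be(e)
    h = hashlib.sha256()
    for part in (nb, eb):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def register_card(registry: Dict[str, str], xml_text: str, local_user: str) -> str:
    """Record a card's key fingerprint -> local account; returns the fingerprint."""
    fp = key_fingerprint(*extract_rsa_key(xml_text))
    registry[fp] = local_user
    return fp


def lookup_card(registry: Dict[str, str], xml_text: str) -> Optional[str]:
    """O(1) lookup by key fingerprint instead of a scan over identical entity IDs."""
    return registry.get(key_fingerprint(*extract_rsa_key(xml_text)))


def card_environment(xml_text: str) -> Dict[str, str]:
    """The variable the SP exports for a self-issued card."""
    return {"Shib_Infocard_Key": key_fingerprint(*extract_rsa_key(xml_text))}


if __name__ == "__main__":
    reg: Dict[str, str] = {}
    register_card(reg, keyinfo_xml(SAMPLE_MODULUS, SAMPLE_EXPONENT), "alice")
    print(lookup_card(reg, keyinfo_xml(SAMPLE_MODULUS, SAMPLE_EXPONENT, wrap=True)))
    print(lookup_card(reg, keyinfo_xml(OTHER_MODULUS, SAMPLE_EXPONENT)))
```

The point of hashing the decoded integers rather than the base64 text is that two encodings of the same key (wrapped or unwrapped, with or without a leading zero octet) must resolve to the same card, and a registry keyed by this fingerprint scales to a large list of cards where a metadata file keyed by entity ID cannot, since every self-issued card presents the same entity ID.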