The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Type of Relying Parties

In nearly all cases an IdP communicates with a service provider. However, in some more advanced cases an IdP may communicate with other entities (like other IdPs). The IdP configuration uses the generic term relying party to describe any peer with which is communicates A service provider, then, is simply the most common type of relying party.

The IdP recognizes three classifications of relying parties:

  • anonymous - a relying party for which the IdP has no metadata
  • default - relying party for which the IdP does have metadata but for which there is no specific configuration
  • specified - relying party for which the IdP has metadata and a specific configuration

Whether a relying party is authenticated to the IdP is irrelevant to the decision about which category a belongs in.

The configuration for each type of relying party is given by their respective configuration elements: <AnonymousRelyingParty>, <DefaultRelyingParty>, and <RelyingParty>.

 

metadata

specific configuration

configuration elements

anonymous

NO

NO

<AnonymousRelyingParty>

default

YES

NO

<DefaultRelyingParty>

specified

YES

YES

<RelyingParty>

Metadata and Relying Parties

The IdP uses metadata to help determine how to communicate with an relying party (e.g. what keys to use, whether certain information needs to be digitally signed, which protocols are support). A relying party for the IdP may be any entity, identified by the <EntityDescriptor> element within metadata. Entities may be grouped within an <EntitiesDescriptor> element and this group may be given a name. Entity groups may be nested.

Skeleton example of Entities and Entity Grouping
<EntitiesDescriptor Name="AllEntities">

  <EntitiesDescriptor Name="EntityGroup1">
    <EntityDescriptor entityID="urn:example.org:sp1">
       <SPSSODescriptor />
    </EntityDescriptor>
  </EntitiesDescriptor>

  <EntitiesDescriptor Name="EntityGroup2">
    <EntityDescriptor entityID="urn:example.org:sp2">
       <SPSSODescriptor />
    </EntityDescriptor>
    <EntityDescriptor entityID="urn:example.org:sp3">
       <SPSSODescriptor />
    </EntityDescriptor>
  </EntitiesDescriptor>

  <EntityDescriptor entityID="urn:example.org:sp4">
      <SPSSODescriptor />
  </EntityDescriptor>

</EntitiesDescriptor>

When creating a specified relying party configuration you may specify either a specific entity, as identified by the entityID attribute on the <EntityDescriptor> element, or a group of entities, identified by the name attribute on the <EntitiesDescriptor> element. In that event that there is overlap the most specific configuration is used. For example if a specified relying party configuration is given for urn:example.org:sp3 and another for AllEntities then the former is used for SP3 while the latter is used for SP 1 and 2. No configuration information is ever "inherited" in these overlapping cases.

  • No labels