Type of Relying Parties
In nearly all cases an IdP communicates with a service provider. However, in some more advanced cases an IdP may communicate with other entities (like other IdPs). The IdP configuration uses the generic term relying party to describe any peer with which is communicates A service provider, then, is simply the most common type of relying party.
The IdP recognizes three classifications of relying parties:
- anonymous - a relying party for which the IdP has no metadata
- default - relying party for which the IdP does have metadata but for which there is no specific configuration
- specified - relying party for which the IdP has metadata and a specific configuration
Whether a relying party is authenticated to the IdP is irrelevant to the decision about which category a belongs in.
The configuration for each type of relying party is given by their respective configuration elements: <AnonymousRelyingParty>
, <DefaultRelyingParty>
, and <RelyingParty>
.
|
metadata |
specific configuration |
configuration elements |
---|---|---|---|
anonymous |
NO |
NO |
|
default |
YES |
NO |
|
specified |
YES |
YES |
|
Metadata and Relying Parties
The IdP uses metadata to help determine how to communicate with an relying party (e.g. what keys to use, whether certain information needs to be digitally signed, which protocols are support). A relying party for the IdP may be any entity, identified by the <EntityDescriptor>
element within metadata. Entities may be grouped within an <EntitiesDescriptor>
element and this group may be given a name. Entity groups may be nested.
<EntitiesDescriptor Name="AllEntities"> <EntitiesDescriptor Name="EntityGroup1"> <EntityDescriptor entityID="urn:example.org:sp1"> <SPSSODescriptor /> </EntityDescriptor> </EntitiesDescriptor> <EntitiesDescriptor Name="EntityGroup2"> <EntityDescriptor entityID="urn:example.org:sp2"> <SPSSODescriptor /> </EntityDescriptor> <EntityDescriptor entityID="urn:example.org:sp3"> <SPSSODescriptor /> </EntityDescriptor> </EntitiesDescriptor> <EntityDescriptor entityID="urn:example.org:sp4"> <SPSSODescriptor /> </EntityDescriptor> </EntitiesDescriptor>
When creating a specified relying party configuration you may specify either a specific entity, as identified by the entityID
attribute on the <EntityDescriptor>
element, or a group of entities, identified by the name
attribute on the <EntitiesDescriptor>
element. In that event that there is overlap the most specific configuration is used. For example if a specified relying party configuration is given for urn:example.org:sp3 and another for AllEntities then the former is used for SP3 while the latter is used for SP 1 and 2. No configuration information is ever "inherited" in these overlapping cases.