The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Deny Unknown Providers

As of the 1.3.1 release, the Shibboleth Identity Provider is capable of denying requests sent from Service Providers for which no metadata can be found.

Why would you enable this?

Even with very constrained Attribute Release Policies, an unknown SP will normally still receive an authentication assertion from an IdP. Depending on what NameIdentifier your IdP is configured to use, this could inadvertently release user data to unknown parties.

Configuration

Release of assertions to unknown/anonymous providers is controlled by the following attribute of the <IdPConfig> element of idp.xml; set it to "false" to deny such requests:

<IdPConfig ... allowAnonymousProviders="false" ... >

When a request is received from an unknown provider, the standard Shibboleth error page is displayed with the error message "Unknown service provider." This attribute defaults to "true", which is consistent with previous IdP behavior.
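As an added example (not code from the Shibboleth project), a small Python check that reports whether an idp.xml still allows anonymous providers, treating a missing attribute as the documented default of "true". The idp.xml fragments and the namespace URI in them are constructed placeholders; the check matches the element by local name so the real namespace does not matter.

```python
"""Audit a Shibboleth 1.3.x idp.xml for allowAnonymousProviders (added example)."""
import xml.etree.ElementTree as ET

ATTR = "allowAnonymousProviders"


def _local(tag: str) -> str:
    # Strip the "{namespace}" prefix ElementTree puts on qualified names.
    return tag.rsplit("}", 1)[-1]


def anonymous_providers_allowed(idp_xml: str) -> bool:
    """True if the IdP would still issue assertions to SPs with no metadata.

    A missing attribute is the documented default ("true", the pre-1.3.1
    behaviour), so absence is reported as allowed rather than as unknown.
    """
    root = ET.fromstring(idp_xml)
    if _local(root.tag) != "IdPConfig":
        # Fall back to searching below the root for the IdPConfig element.
        matches = [e for e in root.iter() if _local(e.tag) == "IdPConfig"]
        if not matches:
            raise ValueError("no IdPConfig element found")
        root = matches[0]
    value = root.get(ATTR)
    if value is None:
        return True  # documented default
    # Case-insensitive comparison is my assumption; write "false" exactly to be safe.
    return value.strip().lower() != "false"


def audit(idp_xml: str) -> str:
    """One-line verdict for a config string."""
    if anonymous_providers_allowed(idp_xml):
        return 'WARN: unknown SPs receive assertions; set allowAnonymousProviders="false"'
    return "OK: requests from SPs without metadata are denied"


# Constructed fragments: the weak (default) configuration and the hardened one.
# The xmlns value is a placeholder, not the real Shibboleth namespace.
WEAK_IDP_XML = ('<IdPConfig xmlns="urn:example:placeholder" '
                'providerId="https://idp.example.org/shibboleth"/>')
HARDENED_IDP_XML = ('<IdPConfig xmlns="urn:example:placeholder" '
                    'providerId="https://idp.example.org/shibboleth" '
                    'allowAnonymousProviders="false"/>')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_IDP_XML), ("hardened", HARDENED_IDP_XML)):
        print(name, "->", audit(cfg))
```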

Shibboleth 1.1 Compatibility

A side-effect of enabling this feature is that your IdP will no longer be compatible with any Shibboleth 1.1 SPs. Bug or feature... you decide. Shibboleth 2.0 will not interoperate with Shibboleth 1.1, so this can be used to help prepare for that.