Comment: Document allowRA and denyRA, but behind a cut to avoid confusing people.

...

Creating the filter using the DSX DS Filter Generator

The filter is a base64-encoded JSON object that defines the rules for including or excluding IdPs. The easiest way to generate one is with the DSX Filter Generator.

...

The filter generator can create two types of filters: you may filter entities based on their SAML entity categories or based on IdP entityID values (or both).

Allow and Deny lists of Entity Categories

...

where the contents of www.example.com/filter would be a plain-text document containing the filter, for example:

Code Block
eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==

...

Example: SimpleSAMLphp


Code Block: authsources.php
<?php
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://sp.example.com/simplesaml/',
        // No fixed IdP: the discovery service chooses one.
        'idp' => NULL,
        // DSX WAYF with the efilter parameter pointing at the hosted filter document.
        'discoURL' => 'https://dsx.edugain.org/wayf.php?efilter=www.example.com/filter',
        'privatekey' => 'example.key',
    ),
);


More complex filters

The filter language supports scenarios that are not currently covered by the filter generator but that can be constructed manually. Similarly, it is possible to generate your own filters programmatically by referencing a script hosted at the efilter location. In both cases, you create a filter by generating an appropriate JSON object and then base64 encoding it.

A good starting point is to get the filter as close as possible to your needs using the filter generator at https://dsx.edugain.org/filter (e.g. honouring hide-from-discovery). You can then take the resulting JSON object shown as the "Human readable form of filter" and customise it further to your needs.


Example: Registration Authority

It is possible to filter IdPs by their registration authority (the federation that they come from). This may be useful when you want to list only the IdPs from a specific subset of eduGAIN that are not already identified by an entity category (for instance, only from certain countries).

The registration authority is usually specified as a URL identifying the federation operator. You can determine the correct one either from the federation's entry on the eduGAIN technical site or by examining metadata for the <mdrpi:RegistrationInfo registrationAuthority=""> element.

For instance, the South African Identity Federation uses a registration authority of https://safire.ac.za. To list only IdPs from this federation, you'd need to generate a JSON filter object like this:

Code Block
{"ver":"2","allowFeeds":{"eduGAIN":{"allowRA":["https://safire.ac.za"],"denyEC":["http://refeds.org/category/hide-from-discovery"]}}}

which would then be base64 encoded to produce a filter:

Code Block
eyJ2ZXIiOiIyIiwiYWxsb3dGZWVkcyI6eyJlZHVHQUlOIjp7ImFsbG93UkEiOlsiaHR0cHM6Ly9zYWZpcmUuYWMuemEiXSwiZGVueUVDIjpbImh0dHA6Ly9yZWZlZHMub3JnL2NhdGVnb3J5L2hpZGUtZnJvbS1kaXNjb3ZlcnkiXX19fQ==


You can also remove IdPs from a specific federation in a similar way, by using the denyRA keyword.
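The manual and programmatic construction described under "More complex filters", and the registration authority example above, as an added Python example (not DSX's own code). It builds a version-2 filter object with the allowRA, denyRA and denyEC keys shown on this page, base64-encodes it exactly as the filter generator does, decodes a filter back to its human-readable form, and applies the rules to a few constructed IdP records; the rule evaluation (deny lists remove, allowRA restricts, deny wins) is this example's reading of the page, not a statement of how the DSX itself combines rules, and the sample records and the "https://example.org/federation" registration authority are constructed placeholders.

```python
import base64
import json

HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"


def build_filter(allow_ra=(), deny_ra=(), deny_ec=(HIDE_FROM_DISCOVERY,), feed="eduGAIN"):
    """Build a version-2 filter object using the allowRA/denyRA/denyEC keys from the page."""
    rules = {}
    if allow_ra:
        rules["allowRA"] = list(allow_ra)
    if deny_ra:
        rules["denyRA"] = list(deny_ra)
    if deny_ec:
        rules["denyEC"] = list(deny_ec)
    return {"ver": "2", "allowFeeds": {feed: rules}}


def encode_filter(filter_obj):
    """Serialise compactly (no whitespace) and base64-encode, as the efilter document expects."""
    raw = json.dumps(filter_obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_filter(efilter):
    """Recover the human-readable JSON from a filter; malformed base64 or JSON raises."""
    return json.loads(base64.b64decode(efilter.strip(), validate=True))


def idp_visible(idp, rules):
    """Assumed reading of the page's rules (not DSX's own logic): a deny list removes the
    IdP, allowRA restricts to the listed registration authorities, and a deny always wins."""
    if idp["ra"] in rules.get("denyRA", []):
        return False
    if set(idp["ec"]) & set(rules.get("denyEC", [])):
        return False
    if "allowRA" in rules and idp["ra"] not in rules["allowRA"]:
        return False
    return True


# Constructed sample IdP records: registration authority plus entity categories.
SAMPLE_IDPS = {
    "safire-idp": {"ra": "https://safire.ac.za", "ec": []},
    "safire-hidden": {"ra": "https://safire.ac.za", "ec": [HIDE_FROM_DISCOVERY]},
    "other-fed-idp": {"ra": "https://example.org/federation", "ec": []},  # placeholder RA
}


def visible_idps(efilter, idps=SAMPLE_IDPS, feed="eduGAIN"):
    """Names of the sample IdPs that an encoded filter would leave in the discovery list."""
    rules = decode_filter(efilter)["allowFeeds"][feed]
    return sorted(name for name, idp in idps.items() if idp_visible(idp, rules))
```

Running `encode_filter(build_filter(allow_ra=["https://safire.ac.za"]))` reproduces the base64 filter shown in the registration authority example above byte for byte, which is a quick way to check a hand-built filter before publishing it at the efilter location.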