A lot of things are happening right now, in metadata land.
I’ll try to include a lot of references for this article, letting it be a reference point for all the cool stuff that is going on in metadata land.
Let’s start with the SAML 2.0 Metadata standard:
A really important extension is the Entity Attributes extension, which allows for generic key value pairs associated with entities.
A useful document is published on how to embed keys, and some other restrictions on the use of metadata, to enhance interoperability. This is referred to from in.e. saml2int.
An important component in a many-to-many federation, is the IdP Discovery Service. Important here is the IdP Discovery Protocol:
An increasingly important component in cross-federation architectures are the central metadata aggregator. Right now, there are no well-defined fully distributed alternatives, at least that I am aware of, that could help us get rid of this central component that decreases security and reliability. We are working with alternatives in the Identity Federations and ideas are welcome…
One of the first major problems with a central metadata component that will hit the surface is the scalability problem related to a big XML document getting bigger; that needs to be signed and distributed often to an increasingly number of participants.
To deal with that the MDX protocol is making its way into being a standard. SWITCH/Chad is taking it through IETF, for a change. The MDX protocol is simply a specified way of making a set of entities available over REST, asking for an entity ID as a query string parameter. Simple and elegant – good stuff!
When an aggregator is processing and redistributing metadata, it is necessary to provide some extra information about where the metadata comes from, when and under which policy. This is handled in the SAML Metadata Document and Registration Information Extension. The extension also include some missing parts from the SAML 2.0 Metadata, such as a serial number. I’d call this metametadata.
The stuff if SAML 2.0 metadata is not exactly the best material to provide a good user experience on a IdP Discovery Service. It’s mostly targeted on machines and not humans. The IdP Discovery and Login UI Metadata Extension Profile includes several attributes associated with SAML entities, that allows for a richer more user-friendly experience when selecting IdP. Information includes such things as name, logo, privacy statement, geo-location.
What is really really a pity though, is that this extension is not making use of Metadata Entity Attributes (mentioned above), but is instead relying on yet another extension schema.
Paul Madsen notified me about the Identity Assurance Profiles which also might play an important role. This profile, actually make use of Metadata Entity Attributes 🙂