By default, the eduTEAMS Discovery Service lists all eduGAIN IdPs for the user to select from. This is not always desirable, so the eduTEAMS Discovery Service offers the possibility to filter out IdPs. This allows an SP admin to craft a list (or several lists) specifically targeting the user base of the SP.
Creating the filter - eduTEAMS Filter Generator
The filter is generated using eduTEAMS Filter Generator.
The filter consists of two filtering types.
Allow and Deny lists of entity categories
You may create both allow and deny lists of entity categories.
- If allow list is defined, all IdPs not matching at least one of the categories on it are filtered out.
- If deny list is defined, all IdPs matching any of the categories on it are filtered out.
Allow or Deny list of IdPs
You may create an allow or deny list of IdPs.
- If allow list is defined, all IdPs not on it are filtered out.
- If deny list is defined, all IdPs on it are filtered out.
Example: Allow list of IdPs
This example shows how to select a specific set of IdPs.
Navigate to the filter generator, https://discovery.eduteams.org/filter.php.
Click open the 'select individual IdPs' accordion. You should now see all the possible IdPs to select from.
Make sure that the radio button 'Selected IdPs will be visible' is checked. Select the entities you want the user to pick the IdP from.
At the bottom of the page you should see the resulting filter and its plaintext version. Note that by picking individual IdPs you will easily end up with a large filter, which you then need to set by reference.
Applying the filter in discovery request
The filter generated with the tool is set as a query string parameter in the discovery request. It can be set either by value or by reference. The maximum length for discovery request query parameters is 512 bytes. If the filter is larger than that, you should set the filter by reference.
Filter by value - filter
https://discovery.eduteams.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==
Example: Shibboleth SP
<SSO
    discoveryProtocol="SAMLDS"
    discoveryURL="https://discovery.eduteams.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==">
    SAML2 SAML1
</SSO>
Example: SimpleSAMLphp
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://discovery.eduteams.org/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==',
    'privatekey' => 'example.key'
),
Filter by reference - efilter
https://discovery.eduteams.org/wayf.php?efilter=www.example.com/filter
where the contents of www.example.com/filter would be
eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==
Example: Shibboleth SP
<SSO
    discoveryProtocol="SAMLDS"
    discoveryURL="https://discovery.eduteams.org/wayf.php?efilter=www.example.com/filter">
    SAML2 SAML1
</SSO>
Example: SimpleSAMLphp
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://discovery.eduteams.org/wayf.php?efilter=www.example.com/filter',
    'privatekey' => 'example.key'
),
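The choice between filter and efilter described under "Applying the filter in discovery request" can be checked before the URL goes into the SP configuration. The following Python sketch is an added example, not part of the eduTEAMS tooling: it decodes a generated filter so its contents can be reviewed, then builds the discovery URL by value if it fits and by reference otherwise. The function names are hypothetical, and it assumes the 512-byte limit applies to the encoded filter value.

```python
import base64
import json
from urllib.parse import quote

WAYF = "https://discovery.eduteams.org/wayf.php"  # endpoint shown on the page
MAX_PARAM_BYTES = 512  # limit stated on the page; assumed to apply to the filter value

# Filter string from the page's by-value example.
PAGE_FILTER = "eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg=="


def decode_filter(b64_filter):
    """Return the JSON object carried by a generated filter, for review."""
    raw = base64.b64decode(b64_filter, validate=True)  # rejects non-base64 input
    return json.loads(raw)


def discovery_url(b64_filter, reference=None):
    """Build the discoveryURL/discoURL value: by value if it fits, else by reference.

    `reference` is where the admin has published the filter text, written the
    way the page writes it (e.g. "www.example.com/filter").
    """
    decode_filter(b64_filter)  # fail early on a truncated or corrupted filter
    # Percent-encode "+" and "/" from the base64 alphabet; "=" is left as on the page.
    value = quote(b64_filter, safe="=")
    if len(value.encode("ascii")) <= MAX_PARAM_BYTES:
        return f"{WAYF}?filter={value}"
    if reference is None:
        raise ValueError(
            f"filter is {len(value)} bytes (> {MAX_PARAM_BYTES}); publish it and pass reference"
        )
    return f"{WAYF}?efilter={reference}"


def constructed_large_filter(n=40):
    """Constructed sample only: the key name is a placeholder, not the generator's schema."""
    body = {"placeholder_idp_list": [f"https://idp{i}.example.org/idp" for i in range(n)]}
    return base64.b64encode(json.dumps(body).encode()).decode()


if __name__ == "__main__":
    print(decode_filter(PAGE_FILTER))
    print(discovery_url(PAGE_FILTER))
    print(discovery_url(constructed_large_filter(), "www.example.com/filter"))
```

Decoding the filter first shows exactly which categories or IdPs the opaque string allows before it is deployed.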