By Mikkel Hald, 03/09/20
The metadata of an identity federation is the authorised catalogue of authentication systems and restricted online resources participating in the federation and exchanging digital identities through it. Traditionally, federation metadata is distributed to participant systems in one large XML file; this is the mechanism by which they are enabled to recognise and trust each other and communicate. Metadata is maintained by the federation's central authority, the ‘federation operator’, who signs the metadata file digitally.
However, in federations with many online resources and authentication systems, the metadata file can become so large that some of the participant systems have difficulty processing it. This is why the Metadata Query Protocol (‘MDQ’) has been invented — making it possible to retrieve federation metadata for just a single participant system, rather than only metadata about all participant systems in one large file. Using MDQ a system can confine itself to retrieving metadata about the typically quite few other systems with which it actually needs to exchange digital identities. Or, if the system does need to communicate with many other systems, it can confine itself to fetching and using metadata for each system only when the communication with that system is relevant.
Systems participating in the WAYF federation by default only need metadata about WAYF's proxy server. But systems written for the competing ‘mesh’ federation architecture – where participant systems communicate directly instead of through a proxy – need metadata about specific resources and authentication systems participating in WAYF. This kind of system dominates the eduGAIN initiative, which interconnects the world's research and education identity federations. For instance, the University of Cambridge's authentication system in the British federation needs metadata specifically about the sciencedata.dk resource in WAYF if University users are to be able to access sciencedata.dk using their university accounts.
To be able to deliver metadata about particular participant systems, WAYF has now developed and launched an MDQ interface into its metadata registry. This consists of a simple REST request with the URL https://wayf.wayf.dk/MDQ/entity, where entity is an expression of the form hash/sp/hash (if the system for which metadata is requested is a restricted online resource, or service provider) or hash/idp/hash (if the system for which metadata is requested is an authentication system, or identity provider). The expression hash is the system's MDQ ID according to the directory on https://phph.wayf.dk: there, at the top of each system's own tab, you will find its MDQ ID next to ‘MDQ:’. For instance, the URL for the University of Southern Denmark's metadata is https://wayf.wayf.dk/MDQ/9330abb052/idp/9330abb052, while the URL for the sciencedata.dk resource's metadata is https://wayf.wayf.dk/MDQ/6a4e36e22e/sp/6a4e36e22e. When these URLs are called, WAYF metadata for the respective systems is returned — signed with the private key corresponding to the certificate published here.
When metadata about an institution's authentication system is desired, the institution's DNS domain, conveniently, can be used in place of its MDQ ID in the MDQ call: for instance, https://wayf.wayf.dk/MDQ/su.se/idp/su.se will return metadata for the University of Stockholm.
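As an added illustration of the two URL forms above (MDQ ID or, for an IdP, DNS domain) and of what a consuming system should check before trusting the answer, here is a small Python client that is not WAYF's own code. The entityID, the "certificate" blob and the pinned fingerprint are constructed; in practice the pin is the SHA-256 of the certificate WAYF publishes, and the cryptographic XML-DSig check itself is left to an XML signature library.

```python
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

MDQ_BASE = "https://wayf.wayf.dk/MDQ"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def mdq_url(key, kind):
    """Build <base>/<key>/<sp|idp>/<key>; key is the MDQ ID or, for an IdP, its DNS domain."""
    if kind not in ("sp", "idp"):
        raise ValueError("kind must be 'sp' or 'idp'")
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", key):  # no '/', '..' or other path tricks in the segment
        raise ValueError("invalid MDQ key")
    return f"{MDQ_BASE}/{key}/{kind}/{key}"

def fetch_metadata(key, kind, timeout=10):
    """Perform the REST call (network); the bytes must still pass check_signed_entity()."""
    with urllib.request.urlopen(mdq_url(key, kind), timeout=timeout) as resp:
        return resp.read()

def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes of a base64 <ds:X509Certificate> value."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_cert))).hexdigest()

def check_signed_entity(xml_bytes, pinned_sha256):
    """Pre-trust checks: a single EntityDescriptor, a ds:Signature present, and the embedded
    signing certificate equal to the pinned WAYF certificate. Returns the entityID.
    Does NOT verify the signature value; pass the document to xmlsec/signxml for that."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("metadata is unsigned; refuse to use it")
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if cert_fingerprint(cert) != pinned_sha256.lower():
        raise ValueError("signing certificate does not match the pinned WAYF certificate")
    return root.get("entityID")

# Constructed sample response (not real WAYF output); the "certificate" is a placeholder blob.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://sp.example.org/saml">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""".encode()
```

A real deployment would call fetch_metadata("su.se", "idp") and run check_signed_entity() on the result with the fingerprint of the published WAYF certificate before handing the document to the SAML stack.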