
InCommon Introduces Per-Entity Metadata Technology Preview

Apr 01, 2019, by Nicholas Roy
Tags: InCommon, Recent Posts, Trust & Identity

On Monday, March 11, InCommon introduced a technology preview of its new per-entity metadata (MDQ) service. The preview lets early adopters take advantage of the benefits of this new way of distributing metadata, primarily a reduced memory footprint for their Identity Providers (IdPs) and Service Providers (SPs). Consuming metadata per entity is much more like making a DNS query, whereas the previous method of distributing and consuming metadata, a full aggregate, was like downloading an enormous hosts file every day.

We plan to go live with the production per-entity metadata service in June 2019, and will work to migrate all users of the legacy InCommon metadata service to this new service over a period of six months to a year.

The target audience for the technology preview was selected by analyzing users of the longstanding InCommon MDQ beta service, and adding to the list additional organizations which had volunteered to participate.

Participation in this technology preview requires the adopting organizations to give feedback on the service to InCommon, so that we can improve it ahead of the production release. As part of the MDQ service, aggregates will continue to be available so you can continue to consume metadata if your software doesn’t support MDQ.
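To make the request pattern behind the DNS analogy concrete, here is an added example in Python. It is not InCommon's code and does not talk to the InCommon endpoint: it builds the per-entity request URL in the form the Metadata Query Protocol specifies, `{base}/entities/{identifier}`, where the identifier is either the percent-encoded entityID or the transformed form `{sha1}` followed by the hex SHA-1 of the entityID, and runs it against an in-memory stand-in responder indexed from a small constructed aggregate. The base URL, the entity IDs and the aggregate are constructed placeholders, and the signature check is a stand-in for real XMLDSig verification of each returned EntityDescriptor against the service's published signing certificate.

```python
"""Added example (not InCommon's code): MDQ request addressing and a
mock per-entity responder.  Base URL, entity IDs and aggregate are
constructed; the signature check only looks for a ds:Signature child
and is an assumption standing in for real XMLDSig verification."""
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample aggregate: the IdP carries a stub per-entity
# signature, the SP deliberately does not, to show the rejection path.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" Name="constructed-example">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def sha1_identifier(entity_id: str) -> str:
    """Transformed identifier: '{sha1}' + lowercase hex SHA-1 of the entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def mdq_url(base: str, entity_id: str, transformed: bool = False) -> str:
    """Per-entity request URL {base}/entities/{identifier}; safe='' so that
    ':' and '/' in an entityID and the braces of '{sha1}' are escaped."""
    ident = sha1_identifier(entity_id) if transformed else entity_id
    return f"{base.rstrip('/')}/entities/{urllib.parse.quote(ident, safe='')}"


class MockMdqResponder:
    """In-memory stand-in for an MDQ endpoint: index the aggregate once,
    answer one EntityDescriptor per request (None plays the role of 404)."""

    def __init__(self, aggregate_xml: str) -> None:
        root = ET.fromstring(aggregate_xml)
        self._by_id = {}
        for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
            eid = ed.get("entityID")
            self._by_id[eid] = ed                   # plain entityID lookup
            self._by_id[sha1_identifier(eid)] = ed  # transformed lookup

    def get(self, url: str) -> Optional[str]:
        path = urllib.parse.urlsplit(url).path
        prefix = "/entities/"
        if not path.startswith(prefix):
            return None
        ident = urllib.parse.unquote(path[len(prefix):])
        ed = self._by_id.get(ident)
        return None if ed is None else ET.tostring(ed, encoding="unicode")


def lookup(responder: MockMdqResponder, base: str, entity_id: str,
           transformed: bool = False) -> Optional[ET.Element]:
    """Client side: fetch and parse exactly one entity, not the aggregate."""
    body = responder.get(mdq_url(base, entity_id, transformed))
    if body is None:
        return None
    ed = ET.fromstring(body)
    # Stub for XMLDSig verification (assumption): an unsigned per-entity
    # response must be rejected, never trusted.
    if ed.find(f"{{{DS_NS}}}Signature") is None:
        raise ValueError(f"unsigned per-entity metadata for {entity_id}")
    return ed


if __name__ == "__main__":
    BASE = "https://mdq.example.net"  # constructed, not InCommon's endpoint
    responder = MockMdqResponder(SAMPLE_AGGREGATE)
    idp = "https://idp.example.edu/idp/shibboleth"
    print(mdq_url(BASE, idp))
    print(mdq_url(BASE, idp, transformed=True))
    print(lookup(responder, BASE, idp).get("entityID"))
```

The responder holds the whole aggregate only because it is the publisher's side; the consumer side, `lookup`, keeps a single EntityDescriptor in memory per query, which is the memory reduction the post describes. Both identifier forms resolve to the same record, so a deployment can pick whichever its software emits.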

InCommon has used a DevOps approach to build out the service infrastructure in our cloud platform, Amazon Web Services. The updated metadata publication pipeline in use in the MDQ service is illustrated below:

[Image: visualization of the metadata publication pipeline; the alt text on the original page reads "visualization of Grouper"]

A recording of an IAM Online webinar on this platform is available. Background information on the motivations for the service as well as requirements is available in a blog post from January.

The technology preview, and the production MDQ service, both use new metadata signing keys, and are built on top of Amazon Web Services cloud infrastructure. The infrastructure incorporates an Amazon Hardware Security Module, a Docker container which performs metadata signing and publication, AWS Lambda functions which provide logic that supports the MDQ protocol, and Amazon’s CloudFront content distribution network (CDN).

The CDN allows us to replicate and distribute metadata seamlessly from many points around the globe. We are excited about this milestone in delivering this critical service improvement, and look forward to communicating with the larger InCommon community as we near release of the production service. In the meantime, if you are interested in using the technology preview, please send a request to