THIS PAGE IS UNDER CONSTRUCTION
The contents of this page is being built. Some things may be temporary, some statements are unchecked and may even be wrong, so it is best you stop here.
Intro
The main function of eduGAIN is to produce an aggregated metadata set containing entities from all participating federations. One of the key aspects is the quality of the resulting file. Before metadata from participating federations can be accepted it needs to pass a validation process. This page describes the rules applied during the validation and explains how the validator can be used directly to help federations in their metadata preparation process.
The validator checks both requirements and recommendations producing either errors or warnings. In the RFC 2119 wording, errors are a result of a MUST/REQUIRED clause violation while warnings come from violations of a SHOULD/RECOMMENDED.
While metadata without errors will be accepted as valid, the warning should also be taken seriously, citing from RFC 2119:
SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
Validation process
The validator is essentially built from two components:
- the Shibboleth MDA for detailed syntax validation and signature verification
- dedicated python code performing additional checks
Validator rules
In addition to syntax checking based on SAML specification the following conditions are checked. Click on the severity marker to see reasons for this rule.
3no validUntil attribute in EntitiesDescriptor elementErroreduGAIN Policy
| condition evaluated | severity | reason | |
|---|---|---|---|
| 1 | EntitiesDescriptor element SHOULD contain the ID attribute used in signature's ds:Reference | Warning | see [1] |
| 2 | validUntil attribute in EntitiesDescriptor element can not be converted to a time value | Error | SAMLv2; line 348 |
| 4 | validUntil attribute in EntitiesDescriptor element has time value in the past | Error | SAMLv2; line 316 |
| 5 | validUntil attribute in EntitiesDescriptor element has value later than 28 days | Error | eduGAIN Policy |
| 6 | cacheDuration attribute in EntitiesDescriptor element has value not between 1-6 hours | Warning | eduGAIN Policy |
| 7 | cacheDuration attribute in EntitiesDescriptor element does not contain a valid period | Warning | eduGAIN Policy |
| 8 | EntitiesDescriptor does not contain PublicationInfo | Warning | eduGAIN Policy |
| 9 | EntitiesDescriptor contains PublicationInfo with publisher value but neither creationInstant nor publicationID is given | Warning | eduGAIN Policy |
| 10 | EntitiesDescriptor contains PublicationInfo but no publisher value is given | Error | eduGAIN Policy |
| 11 | creationInstant attribute in PublicationInfo element has time value in the future | Warning | common sense |
| 12 | EntityDescriptor does not contain entityId attribute | Error | SAMLv2; line 371 |
| 13 | entityId attribute value contains spaces | Error | SAMLv2; line 1368??? |
| 14 | entityId attribute value does not start with one of the following values: http://, https://, urn: | Error | |
| 15 | EntityDescriptor does not contain mdrpi:RegistrationInfo element | Error | eduGAIN Policy |
| 16 | No Organization element | Warning | eduGAIN Policy |
| 17 | Some IdP entities do not have any signing certificate or a signing key is wrong | Error | |
| 18 | Some SP entities do not have any signing certificate | Warning | |
| 19 | Some SP entities have wrong certificate | Warning | |
| 20 | "Weak" certificate | Warning | |
| 21 | IDPSSODescriptor/SPSSODescriptor has no mdui:UIInfo with DisplayName and Description | Warning | eduGAIN Policy |
| 22 | IDPSSODescriptor/SPSSODescriptor has mdui:UIInfo but DisplayName or Description | Warning | eduGAIN Policy |
| 23 | SPSSODescriptor has no md:RequestedAttribute and R&S category is not declared | Warning | eduGAIN Policy |
| 24 | Empty element while checking: OrganizationName, OrganizationDisplayName, OrganizationURL, GivenName, SurName, EmailAddress, TelephoneNumber, IPHint, Domain, GeolocationHint | Warning | |
| 25 | GeolocationHint does not start with geo: | Warning | |
| 26 | Scope element declared but regexp attribute missing | Warning | |
| 27 | CoCo declared for SP but RequestedAttribute element not found or/and PolicyStatementURL missing | Warning | CoCo |
Explanations
- [1] This topic has been disussed in the fog list in the The joy of signing metadata - thread. According to SAMLv1 sec 3.1.2 a reference to the signed element is REQUIRED and this reference needs to be passed trough an explicit identifier attribute value. In particular the XML DSIG allowed approach with the refference in the format URI="" is not allowed within SAML. The warning given by the validator will be turned into an error once all eduGAIN federations are fixed.
References
- SAMLv2: https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
- SAMLv2rpi https://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.pdf
- eduGAIN Policy: https://technical.edugain.org/doc/eduGAIN_metadata_profile.pdf
- CoCo: https://wiki.refeds.org/download/attachments/1606124/GEANT_DP_CoCo_Entity_Category_ver1.2.pdf