List of things that we expect of SAML federations in eduGAIN.  I've left out the Attribute profile document for now as the plan is to scrap this and instead refer to processes for attribute release management (e.g. entity categories and more general recommendations) as a recommended best practice rather than giving a list of attributes.

We also need to work on consolidating the sets of instructions we have for "joining" eduGAIN.  At the moment there is:

Each entry below records the columns of the original table: What is expected, its Status, where it is Currently described, the Validation check, and Comments.

Metadata Signing

  • What:
    • URL to your metadata and a signing certificate which ensures that the metadata is genuine. Please send the URL to the Operations Team.
    • For signing its metadata, the metadata producer MUST use an RSA private key of at least 2048 bits.
  • Status: mandatory (metadata URL and signing certificate); optional (key size requirement)
  • Currently described? Joining checklist (metadata URL and signing certificate); Metadata Profile (key size requirement)
  • Validation check: https://validator.edugain.org/
  • Comments:
    • Should become part of SAML participation checklist.
    • Is it possible to define a level for when new federations start to participate and when a federation does a key rollover, and then set an end date for a lower level of encryption? (from Pål)
    • Add something here about acceptable methods for validating the key with the eduGAIN Op?

Website

  • What: Provide a URL pointing to the main (English, if it exists) page of your Federation.
  • Status: mandatory
  • Currently described? Joining checklist; no requirement in Constitution
  • Validation check: https://technical.edugain.org/status

Policy Documents

  • What:
    • MRPS: Provide a URL pointing to the English version of the Metadata Registration Practice Statement for your federation. This document shall describe the rules and procedures used for registering entities which get exposed to interfederation.
    • Policy: Have an agreement defining federation membership between the Federation and its members (typically known as a Federation Policy).
  • Status: mandatory URL
  • Currently described? Joining checklist / old constitution (now removed) (MRPS); Constitution (Policy)
  • Validation check: https://technical.edugain.org/status
  • Comments:
    • What about document changes?
    • MRPS - part of SAML Profile and SAML participation checklist?
    • Part of Constitution / Joining checklist

Contacts

  • What:
    • Establishing operational contact between a federation and the eduGAIN Operations Team is the necessary first step. Such a contact may also be necessary in the future, when resolving technical problems, security incidents etc.
    • eduGAIN is governed by the Steering Group. Each participating federation must delegate two members - a delegate and a deputy. Please send names and e-mail addresses to the Operations Team.
  • Status: mandatory email
  • Currently described? Joining Checklist (operational contact); Joining Checklist / Constitution (delegates)
  • Validation check: https://technical.edugain.org/status
  • Comments:
    • ....but we don't necessarily regularly check that contacts are valid and up-to-date.
    • Delegates are part of Constitution / joining checklist.
    • Make operational contact part of SAML profile?

Metadata Requirements

  • The metadata root element MUST contain a validUntil attribute with a value not later than 28 days after the signature timestamp.
    • Status: mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
  • The metadata root element SHOULD contain <mdrpi:PublicationInfo>, which MUST contain publisher and SHOULD contain one of the attributes creationInstant or publicationId.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
  • If the metadata root element contains a cacheDuration attribute, its value SHOULD be between one hour and six hours. The MDS takes it as advice on how long to cache the metadata. The MDS Aggregation Practice Statement [MAPS] will describe the details.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. MAPS does not exist. Validation check: https://validator.edugain.org/
  • Each <md:EntityDescriptor> element MUST contain <mdrpi:RegistrationInfo>, which MUST contain registrationAuthority with a value that has been registered with the eduGAIN OT, and SHOULD contain registrationInstant and <mdrpi:RegistrationPolicy>.
    • Status: mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
  • Each <md:EntityDescriptor> element SHOULD contain <md:Organization> with values in English and, as appropriate, also values in the service's native languages for the elements <md:OrganizationName>, <md:OrganizationDisplayName>, <md:OrganizationURL>, and <md:ContactPerson> with contactType="technical" and/or contactType="support". If present, <md:EmailAddress> SHOULD not be a personal address but a role address to get in contact with the entity's responsible persons.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
    • Comments:
      • add scope extension and rules about this here?
      • NSR: I would recommend adding scope extension expectations in a requirement specifically related to IdP/AA entity descriptors.
  • If the <md:EntityDescriptor> contains one of these elements: <md:IDPSSODescriptor>, <md:SPSSODescriptor>, each one of them SHOULD contain the elements:
    • <mdui:DisplayName> with a value in English and, as appropriate, also values in the languages supported by the service.
    • <mdui:Description> with a value in English and, as appropriate, also values in the languages supported by the service.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/ - but validator treats these as if mandatory
  • Whenever a Service Provider needs attributes, it should list them as <md:RequestedAttribute> in the <md:AttributeConsumingService> of its <md:SPSSODescriptor> element to increase the chance that Identity Providers really release them.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
    • Comments:
      • Why are we giving Service Providers instructions in a document for FOs? This needs to be rewritten as instruction to FO.
      • +1
  • If a metadata producer aggregates metadata from multiple sources, the <mdrpi:PublicationPath> element SHOULD be used where appropriate.
    • Status: semi-mandatory in an optional profile. Currently described? Metadata Profile. Validation check: https://validator.edugain.org/
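As an added example (not the eduGAIN validator or any project code), a small Python checker for the root-element and per-entity rules above, run over a constructed sample aggregate. It assumes that the PublicationInfo creationInstant can stand in for the signature timestamp, and the set of registered registrationAuthority values is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
INSTANT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, as written in SAML metadata
# Constructed sample aggregate: the second entity lacks mdrpi:RegistrationInfo.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
  validUntil="2024-02-10T00:00:00Z" cacheDuration="PT4H">
  <md:Extensions><mdrpi:PublicationInfo publisher="https://federation.example.org/"
    creationInstant="2024-01-15T12:00:00Z"/></md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org/"/>
  </md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp"/>
</md:EntitiesDescriptor>"""

def parse_duration(value):
    # Minimal xs:duration parser for the P[nD][T[nH][nM][nS]] forms seen in cacheDuration
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError("unsupported duration: " + value)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def check_metadata(xml_text, registered_authorities, max_validity_days=28):
    """Return (level, message) findings for the root-element and per-entity rules; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None or not pub.get("publisher"):
        findings.append(("MUST", "root lacks mdrpi:PublicationInfo with a publisher"))
    elif not (pub.get("creationInstant") or pub.get("publicationId")):
        findings.append(("SHOULD", "PublicationInfo has neither creationInstant nor publicationId"))
    # Assumption: creationInstant stands in for the signature timestamp the rule refers to.
    signed_at = datetime.strptime(pub.get("creationInstant"), INSTANT) if pub is not None and pub.get("creationInstant") else None
    valid_until = root.get("validUntil")
    if not valid_until or (signed_at and datetime.strptime(valid_until, INSTANT) > signed_at + timedelta(days=max_validity_days)):
        findings.append(("MUST", "validUntil missing or more than %d days after signing" % max_validity_days))
    cache = root.get("cacheDuration")
    if cache and not timedelta(hours=1) <= parse_duration(cache) <= timedelta(hours=6):
        findings.append(("SHOULD", "cacheDuration %s is outside the 1h..6h range" % cache))
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else None
        if authority not in registered_authorities:
            findings.append(("MUST", "%s: missing or unregistered registrationAuthority" % ed.get("entityID")))
    return findings
```

Running `check_metadata(SAMPLE_METADATA, {"https://federation.example.org/"})` reports only the SP entity that has no RegistrationInfo; the validUntil and cacheDuration values in the sample pass.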
SAML Deployment Profile

  • What: The only allowed SAML 2.0 protocol profile to be used for Web Single Sign-On in eduGAIN is saml2int.
  • Status: optional
  • Currently described? WebSSO profile. Current issues with recommendations in saml2int and old reference used in document.
  • Validation check: none - FedLab?
  • Comments:
    • Does it make sense for eduGAIN to have an opinion on deployment profiles?
    • No, I don't think it does. I would remove any mention of saml2int. Instead, you may want to include a requirement in the eduGAIN SAML tech profile to use the OASIS SAML metadata specification for the exchange of SAML entity information.

Things that come up

  • Eligibility Statement
  • Scopes
  • Approach to republishing
  • Dealing with complaints

Publishing and complaints mostly dealt with in declaration.