This document is in the process of conversion from v1 and is in draft form.


Introduction

The main function of eduGAIN is to act as a trusted exchange service of information required for interfederation to work. This document describes the methods used to facilitate interfederation based on SAML and must be seen as an addition to the eduGAIN SAML Profile document [eduGAIN-Profile].

...

MDS bases its aggregation function on information provided by each participant federation as specified in [eduGAIN-Profile]:

  • a federation metadata channel,

  • an RSA / EC public key with which the metadata feed document will be signed; this will normally be made available in the form of an X.509 certificate,

  • the registrationAuthority attribute value to be associated with the federation metadata feed.

This information needs to be registered with eduGAIN OT in a trust-preserving way as described in [eduGAIN-OPS].

...

After a successful verification (as described further down), each federation metadata feed is saved locally for possible future use.

If a saved copy of the federation metadata feed exists and the Conditional GET request shows that the feed has not changed, the saved copy is used for further processing.

...


ID | Condition evaluated | Reason
S1 | The signature exists and is valid | eduGAIN-profile section 4
S2 | The signature can be validated with the public key configured for the federation metadata channel | eduGAIN-profile section 4
S3 | The signature was made using an explicit ID reference, not an empty reference | eduGAIN-profile section 4
S4 | The signature reference refers to the document element | eduGAIN-profile section 4
S5 | The signature's digest algorithm is at least as strong as SHA-256, and does not use MD5 or SHA-1 | eduGAIN-profile section 4
S6 | The signature's signature method is RSA with an associated digest at least as strong as SHA-256, and does not use MD5 or SHA-1 | eduGAIN-profile section 4
S7 | The signature's transforms contain only these permissible values: enveloped signature; exclusive canonicalisation with or without comments | eduGAIN-profile section 4
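Conditions S3 to S7 are structural and can be enforced before any cryptographic work is done, so that a feed with a weak algorithm or a signature that does not cover the document element is rejected before it reaches the verifier. The following Python is an added example, not MDS code: it checks the ds:Signature of an EntitiesDescriptor against S3 to S7 with the standard library only (S1 and S2 are left to an XML-DSig library), requires exactly one ds:Reference as an added assumption, and uses a constructed sample feed whose DigestValue and SignatureValue are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
DSIG, ENC, MORE = NS["ds"], "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2001/04/xmldsig-more#"
# Allow-lists of W3C algorithm identifiers; anything not listed (MD5, SHA-1, non-RSA) fails.
STRONG_DIGESTS = {ENC + "sha256", MORE + "sha384", ENC + "sha512"}
STRONG_RSA_SIGS = {MORE + "rsa-sha256", MORE + "rsa-sha384", MORE + "rsa-sha512"}
ALLOWED_TRANSFORMS = {DSIG + "enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#",
                      "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}

def check_signature_policy(xml_text):
    """Return the failed conditions among S3..S7 for the ds:Signature directly under the
    document element ([] = policy passes). S1/S2 (cryptographic) are left to an XML-DSig library."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["S1: no ds:Signature element under the document element"]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:  # assumption added here: a feed signature carries exactly one reference
        return ["S3: expected exactly one ds:Reference"]
    ref, failures = refs[0], []
    uri = ref.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        failures.append("S3: reference URI must be an explicit ID reference, not empty")
    elif uri[1:] != root.get("ID"):  # the signed element must be the document element itself
        failures.append("S4: reference %r does not refer to the document element" % uri)
    dm = ref.find("ds:DigestMethod", NS)
    if dm is None or dm.get("Algorithm") not in STRONG_DIGESTS:
        failures.append("S5: digest algorithm must be SHA-256 or stronger (no MD5/SHA-1)")
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") not in STRONG_RSA_SIGS:
        failures.append("S6: signature method must be RSA with SHA-256 or stronger")
    bad = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)
           if t.get("Algorithm") not in ALLOWED_TRANSFORMS]
    if bad:
        failures.append("S7: disallowed transform(s): " + ", ".join(map(str, bad)))
    return failures

def sample_feed(uri, digest, sigmeth):
    """Constructed minimal signed EntitiesDescriptor; DigestValue/SignatureValue are placeholders."""
    return f'''<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" ID="_fed1">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sigmeth}"/>
  <ds:Reference URI="{uri}"><ds:Transforms>
   <ds:Transform Algorithm="{DSIG}enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
   <ds:DigestMethod Algorithm="{digest}"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue>
  </ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</md:EntitiesDescriptor>'''

GOOD = sample_feed("#_fed1", ENC + "sha256", MORE + "rsa-sha256")
WEAK = sample_feed("", DSIG + "sha1", DSIG + "rsa-sha1")  # empty reference, SHA-1 throughout
```

check_signature_policy(GOOD) returns an empty list, while the WEAK feed fails S3, S5 and S6 and a feed whose reference points at an element other than the document root fails S4.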

...


ID | Condition evaluated | Reason
A1 | The document root element is md:EntitiesDescriptor |
A2 | All required namespaces are declared, that is xmlns:md, xmlns:mdrpi and xmlns:ds |
A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher and creationInstant attributes exist |
A4 | The creationInstant attribute uses the dateTime format required by SAMLMeta and does not point to the future | SAMLMeta sec. 2.2.1
A5 | The validUntil attribute in the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines: 348; 316
A6 | The validUntil attribute has a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant | eduGAIN-profile
A7 | The fetched document schema-validates against the following SAML metadata schemas: |

...