This document is in the process of conversion from v1 and is still in draft form; any comments are welcome.

Introduction

...

signature RSA key size is at least 2048-bit

ID | Condition evaluated | Reason
---|---------------------|-------
S1 | The signature exists and is valid | eduGAIN-profile section 4
S2 | The signature can be validated with the public key configured for the federation metadata channel | eduGAIN-profile section 4
S3 | The signature was made using an explicit ID reference, not an empty reference | eduGAIN-profile section 4
S4 | The signature reference refers to the document element | eduGAIN-profile section 4
S5 | The signature's digest algorithm is at least as strong as SHA-256, and does not use MD5 or SHA-1 | eduGAIN-profile section 4
S6 | The signature's signature method is RSA with an associated digest at least as strong as SHA-256, and does not use MD5 or SHA-1 | eduGAIN-profile section 4
S7 | The signature's transforms contain only these permissible values: enveloped signature; exclusive canonicalisation with or without comments | eduGAIN-profile section 4
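The following Python script is an added example, not code from this page or from any eduGAIN tool. It shows how the algorithm-choice conditions S3 to S7, together with the 2048-bit RSA key-size rule, can be checked statically on a fetched aggregate before any cryptographic verification: it reads ds:SignedInfo and the inline RSA modulus and reports the conditions a document would fail. The sets of acceptable algorithm URIs are my reading of "SHA-256 or stronger" and "RSA"; the sample document, moduli and the finding ids are constructed. S1 and S2 (signature validity against the channel's configured key) need an XML-DSig library and are deliberately left out.

```python
"""Static policy check of the XML signature on a SAML metadata aggregate.

Constructed example: inspects the algorithm, reference and transform choices
in ds:SignedInfo and the RSA modulus in ds:KeyInfo (conditions S3-S7 plus the
2048-bit key-size rule). It does not verify the signature cryptographically.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed reading of the conditions: SHA-256 or stronger digests, RSA methods.
ALLOWED_DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}
MIN_RSA_BITS = 2048


def check_signature_policy(xml_text):
    """Return a list of (check_id, message) findings; empty means all pass."""
    findings = []
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return [("S1", "document element carries no ds:Signature")]
    info = sig.find("ds:SignedInfo", NS)

    # S3/S4: a single reference, by explicit ID, to the document element.
    refs = info.findall("ds:Reference", NS)
    if len(refs) != 1:
        findings.append(("S3", "expected exactly one ds:Reference, found %d" % len(refs)))
    for ref in refs:
        uri = ref.get("URI", "")
        doc_id = root.get("ID")
        if uri == "":
            findings.append(("S3", "reference URI is empty instead of an explicit ID"))
        elif doc_id is None or uri != "#" + doc_id:
            findings.append(("S4", "reference %r does not name the document element" % uri))
        # S5: digest algorithm of the reference.
        digest = ref.find("ds:DigestMethod", NS)
        alg = digest.get("Algorithm") if digest is not None else None
        if alg not in ALLOWED_DIGESTS:
            findings.append(("S5", "digest algorithm %r is weaker than SHA-256" % alg))
        # S7: every transform must be one of the permissible values.
        for t in ref.findall("ds:Transforms/ds:Transform", NS):
            if t.get("Algorithm") not in ALLOWED_TRANSFORMS:
                findings.append(("S7", "transform %r is not permitted" % t.get("Algorithm")))

    # S6: signature method must be RSA with SHA-256 or stronger.
    method = info.find("ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIGNATURE_METHODS:
        findings.append(("S6", "signature method %r is not RSA with SHA-256 or stronger" % alg))

    # Key size: bit length of the RSA modulus when the key is carried inline.
    modulus = sig.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", NS)
    if modulus is not None:
        bits = int.from_bytes(base64.b64decode(modulus.text.strip()), "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(("KEY", "RSA modulus is %d bits, below %d" % (bits, MIN_RSA_BITS)))
    return findings


def build_sample(sig_method, digest, transforms, ref_uri, modulus_bytes):
    """Constructed minimal aggregate; DigestValue and SignatureValue are
    placeholders because only the policy choices are inspected."""
    transform_xml = "".join('<ds:Transform Algorithm="%s"/>' % t for t in transforms)
    modulus = base64.b64encode(modulus_bytes).decode()
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s" ID="_aggregate">'
        "<ds:Signature><ds:SignedInfo>"
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="%s"><ds:Transforms>%s</ds:Transforms>'
        '<ds:DigestMethod Algorithm="%s"/><ds:DigestValue>AAAA</ds:DigestValue>'
        "</ds:Reference></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>"
        "<ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>%s</ds:Modulus>"
        "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>"
        "</ds:Signature></md:EntitiesDescriptor>"
    ) % (NS["md"], NS["ds"], sig_method, ref_uri, transform_xml, digest, modulus)


# Constructed 2048-bit and 1024-bit moduli (only the top bit set).
STRONG_MODULUS = b"\x80" + b"\x00" * 255
WEAK_MODULUS = b"\x80" + b"\x00" * 127

GOOD_DOC = build_sample(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    ["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
     "http://www.w3.org/2001/10/xml-exc-c14n#"],
    "#_aggregate", STRONG_MODULUS)
WEAK_DOC = build_sample(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
    ["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
     "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],
    "", WEAK_MODULUS)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("weak", WEAK_DOC)):
        print(name, check_signature_policy(doc) or "all checks pass")
```

Running the script prints no findings for the SHA-256/RSA/exclusive-c14n document and five for the weak one (empty reference, SHA-1 digest, inclusive canonicalisation, RSA-SHA1 and a 1024-bit key). The check is meant to run before the expensive cryptographic verification, so a document that already fails on algorithm choice is rejected without touching the federation key.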


Verification of metadata validity

...


ID | Condition evaluated | Reason
---|---------------------|-------
A1 | The document element is md:EntitiesDescriptor |
A2 | All required namespaces are declared, that is xmlns:md, xmlns:mdrpi and xmlns:ds |
A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which both the publisher and creationInstant attributes are present |
A4 | The creationInstant attribute uses the dateTime format required by SAMLMeta and does not point to the future | SAMLMeta sec. 2.2.1
A5 | The validUntil attribute of the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines: 348; 316
A6 | The validUntil attribute has a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant | eduGAIN-profile
A7 | The fetched document schema-validates against the following SAML metadata schemas: |


...
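As an added example (not from this page or from any eduGAIN tool), the script below implements conditions A1 to A6 of the table above on a fetched aggregate: document element, namespace declarations, mdrpi:PublicationInfo, the creationInstant and validUntil timestamps, and the lifetime window between them. The reference clock is passed in rather than read from the system so the results are reproducible; the sample documents and timestamps are constructed, and the 120-hour and 2304-hour bounds are taken from the table as written.

```python
"""Validity checks A1-A6 on a SAML metadata aggregate (constructed example).

Checks the document element, namespace declarations, mdrpi:PublicationInfo,
and the creationInstant/validUntil time window described in the table.
"""
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_PREFIXES = {"md", "mdrpi", "ds"}
MIN_LIFETIME = timedelta(hours=120)   # lower bound from the table (5 days)
MAX_LIFETIME = timedelta(hours=2304)  # upper bound from the table


def parse_datetime(value):
    """Parse the UTC xsd:dateTime form used in SAML metadata ('...Z', optional
    fractional seconds). Returns None if the value is missing or malformed."""
    if value is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def check_validity(xml_text, now):
    """Return a list of (check_id, message); empty means A1-A6 all pass."""
    findings = []
    # ElementTree drops xmlns attributes, so collect declarations from start-ns events.
    declared = {prefix for _, (prefix, _uri)
                in ET.iterparse(io.StringIO(xml_text), events=("start-ns",))}
    root = ET.fromstring(xml_text)

    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:              # A1
        findings.append(("A1", "document element is %s" % root.tag))
    missing = REQUIRED_PREFIXES - declared                              # A2
    if missing:
        findings.append(("A2", "undeclared namespace prefixes: %s" % sorted(missing)))

    created = None
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)         # A3
    if pub is None or pub.get("publisher") is None or pub.get("creationInstant") is None:
        findings.append(("A3", "mdrpi:PublicationInfo with publisher and creationInstant is missing"))
    else:
        created = parse_datetime(pub.get("creationInstant"))           # A4
        if created is None or created > now:
            findings.append(("A4", "creationInstant %r is malformed or in the future"
                             % pub.get("creationInstant")))
            created = None

    valid_until = parse_datetime(root.get("validUntil"))               # A5
    if valid_until is None or valid_until < now:
        findings.append(("A5", "validUntil %r is missing, malformed or in the past"
                         % root.get("validUntil")))
        valid_until = None

    if created is not None and valid_until is not None:                # A6
        lifetime = valid_until - created
        if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
            findings.append(("A6", "validUntil is %s after creationInstant; allowed %s to %s"
                             % (lifetime, MIN_LIFETIME, MAX_LIFETIME)))
    return findings


def build_sample(creation_instant, valid_until):
    """Constructed unsigned aggregate carrying the attributes the checks inspect."""
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdrpi="%s" xmlns:ds="%s" '
        'validUntil="%s" Name="https://example.invalid/feed">'
        '<md:Extensions><mdrpi:PublicationInfo publisher="https://example.invalid/feed" '
        'creationInstant="%s"/></md:Extensions>'
        "</md:EntitiesDescriptor>"
    ) % (NS["md"], NS["mdrpi"], NS["ds"], valid_until, creation_instant)


# Fixed reference clock so the results are reproducible (constructed).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
GOOD_DOC = build_sample("2024-03-01T10:00:00Z", "2024-03-08T10:00:00Z")     # 168 h lifetime
SHORT_DOC = build_sample("2024-03-01T10:00:00Z", "2024-03-02T10:00:00Z")    # 24 h, below 120 h
EXPIRED_DOC = build_sample("2024-02-01T10:00:00Z", "2024-02-20T10:00:00Z")  # validUntil in the past

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("short", SHORT_DOC), ("expired", EXPIRED_DOC)):
        print(name, check_validity(doc, NOW) or "all checks pass")
```

Note that A6 is evaluated only when both timestamps parsed and passed A4 and A5; a document that already fails on an expired validUntil is reported once, for A5, rather than also for an unrelated lifetime complaint.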