Versions Compared

Comment: Typos and formatting. For the rest see email

...

The main function of eduGAIN is to act as a trusted exchange service for the information required for interfederation to work. This document describes the methods used to facilitate interfederation based on SAML and must be seen as an addition to the eduGAIN SAML Profile document [eduGAIN-Profile].

...

The terms defined below are a required extension of the terminology defined in [eduGAIN-Profile]. The reader should consult both lists of terms for a complete picture.

...

If a saved copy of the federation metadata feed exists and the conditional GET request shows that the feed has not changed, the saved copy is used for further processing.

A federation metadata channel which cannot deliver a document (fetched or from cache) that passes all of the required tests is regarded as empty.

...


ID | Condition Evaluated | Reason
S1 | The signature exists and is valid | eduGAIN-profile
S2 | The signature was created with the private key associated to the public key of the federation metadata channel | eduGAIN-profile
S3 | The signature RSA key size is at least 2048 bits | eduGAIN-profile

...

In the verification process the following criteria of the XML signature are also considered; however, at the moment they are not treated as fatal errors. (Some items on this list may be moved to the table above if eduGAIN policy makes them mandatory.)

...

After a positive verification of integrity and originality (as described in the previous section), the following validity verification steps are performed.

Verification of the document as a whole:

ID | Condition Evaluated | Reason
A1 | the document element is md:EntitiesDescriptor |
A2 | all required namespaces are declared, that is xmlns:md, xmlns:mdrpi and xmlns:ds |
A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher attribute is given |
A4 | the validUntil attribute of the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines: 348; 316
A5 | the validUntil value is not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant | eduGAIN-profile
A6 | the fetched document schema-validates against the following SAML metadata schemas: |


...
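The whole-document checks A1 to A5, as an added example using only the Python standard library. This is illustration code written for this page, not the MDS implementation: the namespace URIs are the standard SAML metadata ones, the feed built by sample_feed() is constructed, and the schema validation of A6 and the signature checks S1 to S3 are left out because they need XSD and xmlsec tooling. Since the XML parser consumes the xmlns declarations, A2 is evaluated from the parser's start-ns events rather than from the tree.

```python
"""Whole-document checks A1-A5 (added example, standard library only; not MDS code).
A6 (schema validation) and S1-S3 (signature) need XSD/xmlsec tooling and are omitted."""
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MIN_VALIDITY = timedelta(hours=120)   # A5: validUntil at least 5 days after creationInstant
MAX_VALIDITY = timedelta(hours=2304)  # A5: validUntil at most 28 days after creationInstant


def parse_saml_time(value):
    """xs:dateTime such as 2024-05-01T12:00:00Z -> aware UTC datetime, or None if unusable."""
    if isinstance(value, datetime):
        return value
    try:
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on, so normalise it
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    except (AttributeError, ValueError):
        return None


def check_document(xml_bytes, now=None):
    """Return the identifiers of the failed checks (a subset of A1..A5), in table order."""
    now = parse_saml_time(now) or datetime.now(timezone.utc)
    declared = {}
    it = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",))
    for _, (prefix, uri) in it:      # xmlns declarations are consumed by the parser,
        declared[prefix] = uri       # so collect them from the start-ns events
    root = it.root                   # set once the iterator is exhausted
    failures = []
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:               # A1
        failures.append("A1")
    if any(declared.get(p) != uri for p, uri in NS.items()):          # A2 (prefix bound to the expected URI)
        failures.append("A2")
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None or not pub.get("publisher"):                       # A3
        failures.append("A3")
    valid_until = parse_saml_time(root.get("validUntil"))
    if valid_until is None or valid_until <= now:                     # A4
        failures.append("A4")
    created = parse_saml_time(pub.get("creationInstant")) if pub is not None else None
    if (valid_until is None or created is None
            or not MIN_VALIDITY <= valid_until - created <= MAX_VALIDITY):  # A5
        failures.append("A5")
    return failures


def sample_feed(created, valid_until, publication_info=True):
    """Constructed minimal feed for testing; with publication_info=False both the mdrpi
    namespace declaration and the PublicationInfo element are dropped."""
    mdrpi = ' xmlns:mdrpi="%s"' % NS["mdrpi"] if publication_info else ""
    pub = ('<md:Extensions><mdrpi:PublicationInfo publisher="https://federation.example.org"'
           ' creationInstant="%s"/></md:Extensions>' % created) if publication_info else ""
    return ('<md:EntitiesDescriptor xmlns:md="%s"%s xmlns:ds="%s" Name="https://federation.example.org"'
            ' validUntil="%s">%s<md:EntityDescriptor entityID="https://idp.example.org/idp"/>'
            '</md:EntitiesDescriptor>' % (NS["md"], mdrpi, NS["ds"], valid_until, pub)).encode()


if __name__ == "__main__":
    feed = sample_feed("2024-05-01T12:00:00Z", "2024-05-08T12:00:00Z")
    print(check_document(feed, now="2024-05-02T00:00:00Z"))   # a 7-day validity window passes
    print(check_document(feed, now="2024-06-01T00:00:00Z"))   # same document after validUntil: A4
```

A run returns the failed identifiers rather than raising, so a caller can distinguish the fatal checks from the non-fatal signature criteria mentioned earlier and can report every failure in one message.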

For each md:EntityDescriptor element the following verification is performed:


ID | Condition Evaluated | Reason
E1 | the entityID attribute value has no space characters, starts with http://, https:// or urn: and must be unique within the given feed | SAMLmeta, ^anyURI
E2 | an md:Extensions element with mdrpi:RegistrationInfo is defined and its registrationAuthority attribute matches the value registered with the eduGAIN OT for the given federation | eduGAIN-profile
E3 | if any of the elements GivenName, SurName, EmailAddress or TelephoneNumber is declared within an md:ContactPerson element, its value must not be empty | SAMLmeta, ^string
E4 | if an md:Organization element is declared with md:OrganizationDisplayName and/or md:OrganizationName and/or md:OrganizationURL elements, the values of these elements must not be empty | SAMLmeta, ^anyURI, ^string




...

For each role descriptor element declared under md:EntityDescriptor the following verification is performed:


ID | Condition Evaluated | Reason
R1 | an md:IDPSSODescriptor element must have a signing certificate (md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate) |
R2 | if an md:Extensions element with mdui:UIInfo exists: mdui:Keywords, mdui:DisplayName and mdui:Description elements, if declared, must not be empty; an mdui:Logo element, if declared, must have a value starting with one of http://, https:// or data:image; an mdui:PrivacyStatementURL element, if declared, must have a value starting with http:// or https:// |
R3 | if an md:Extensions element with mdui:DiscoHints exists: mdui:IPHint, mdui:DomainHint and mdui:GeolocationHint elements, if declared, must not be empty; an mdui:GeolocationHint element, if declared, must additionally start with the geo: prefix |
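The per-entity checks E1 to E4 and the per-role checks R1 to R3 from the two tables above, as one added example (standard library only; not MDS code). The feed in SAMPLE_FEED is constructed for the example and its certificate value is a placeholder string, not key material; the registration authority value passed to check_feed() stands in for the value registered with the eduGAIN OT. The element is spelled SurName here because that is its name in the SAML metadata schema, and a KeyDescriptor without a use attribute is treated as covering signing, as the schema defines.

```python
"""Entity checks E1-E4 and role checks R1-R3 (added example, standard library only; not MDS
code). SAMPLE_FEED is constructed; the certificate value is a placeholder, not key material."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
ENTITY_ID_RE = re.compile(r"^(https?://|urn:)\S*$")  # E1: allowed prefix and no whitespace at all
ROLE_TAGS = ("md:IDPSSODescriptor", "md:SPSSODescriptor", "md:AttributeAuthorityDescriptor")


def _empty(el):
    return not (el.text or "").strip()


def _require_nonempty(parent, tags, code, failures):
    """Record `code` when any of the listed child elements is declared but empty."""
    for tag in tags:
        if any(_empty(el) for el in parent.findall(tag, NS)):
            failures.add(code)


def _require_prefix(parent, tag, prefixes, code, failures):
    """Record `code` when a declared child element's value does not start with an allowed prefix."""
    if any(not (el.text or "").startswith(prefixes) for el in parent.findall(tag, NS)):
        failures.add(code)


def check_role(role, failures):
    if role.tag == "{%s}IDPSSODescriptor" % NS["md"]:  # R1; no @use means signing and encryption
        signing = [kd for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
        certs = [c for kd in signing for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
        if not any(not _empty(c) for c in certs):
            failures.add("R1")
    ui = role.find("md:Extensions/mdui:UIInfo", NS)
    if ui is not None:  # R2
        _require_nonempty(ui, ("mdui:Keywords", "mdui:DisplayName", "mdui:Description"), "R2", failures)
        _require_prefix(ui, "mdui:Logo", ("http://", "https://", "data:image"), "R2", failures)
        _require_prefix(ui, "mdui:PrivacyStatementURL", ("http://", "https://"), "R2", failures)
    hints = role.find("md:Extensions/mdui:DiscoHints", NS)
    if hints is not None:  # R3
        _require_nonempty(hints, ("mdui:IPHint", "mdui:DomainHint", "mdui:GeolocationHint"), "R3", failures)
        _require_prefix(hints, "mdui:GeolocationHint", ("geo:",), "R3", failures)


def check_entity(entity, registration_authority, seen_ids):
    failures = set()
    entity_id = entity.get("entityID") or ""
    if not ENTITY_ID_RE.match(entity_id) or entity_id in seen_ids:  # E1, including uniqueness
        failures.add("E1")
    seen_ids.add(entity_id)
    reg = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None or reg.get("registrationAuthority") != registration_authority:  # E2
        failures.add("E2")
    for contact in entity.findall("md:ContactPerson", NS):  # E3 (schema spelling: SurName)
        _require_nonempty(contact, ("md:GivenName", "md:SurName", "md:EmailAddress", "md:TelephoneNumber"), "E3", failures)
    org = entity.find("md:Organization", NS)
    if org is not None:  # E4
        _require_nonempty(org, ("md:OrganizationName", "md:OrganizationDisplayName", "md:OrganizationURL"), "E4", failures)
    for tag in ROLE_TAGS:
        for role in entity.findall(tag, NS):
            check_role(role, failures)
    return entity_id, sorted(failures)


def check_feed(xml_bytes, registration_authority):
    """Return [(entityID, [failed check ids]), ...] in document order."""
    seen = set()
    return [check_entity(e, registration_authority, seen)
            for e in ET.fromstring(xml_bytes).findall("md:EntityDescriptor", NS)]


SAMPLE_FEED = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="https://federation.example.org">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName>
        <mdui:Logo height="60" width="80">https://idp.example.org/logo.png</mdui:Logo></mdui:UIInfo>
        <mdui:DiscoHints><mdui:GeolocationHint>geo:52.37,4.89</mdui:GeolocationHint></mdui:DiscoHints></md:Extensions>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
    <md:Organization><md:OrganizationName xml:lang="en">Example University</md:OrganizationName></md:Organization>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp@example.org</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:example:sp with space">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://other.example.net"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:Logo>ftp://sp.example.org/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
    </md:SPSSODescriptor>
    <md:Organization><md:OrganizationURL xml:lang="en"></md:OrganizationURL></md:Organization>
    <md:ContactPerson contactType="support"><md:EmailAddress/></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Running check_feed(SAMPLE_FEED, "https://federation.example.org") passes the first entity, flags the second for E1 through E4 and R2, and flags the third copy of the IdP for E1 only, since the uniqueness part of E1 is what catches a repeated entityID inside one feed (collisions across feeds are handled later, at aggregation time).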


...

Federation metadata feeds are combined into a single collection, the eduGAIN metadata aggregate, as described in detail later. If an md:EntityDescriptor/@entityID value appears in more than one federation metadata feed, the resulting collection will contain only one of the entities; the others will be discarded. MDS does not attempt to merge or otherwise combine the clashing entity descriptions. See the technical details for a description of the collision handling algorithm.

...

  • name is set to http://edugain.org

  • validUntil is set 96 hours into the future

  • cacheDuration is set to 6h

  • ID is based on the time of its generation and has the format “eduGAIN” followed by the complete UTC date/time value (YYYYMMDDThhmmssZ)

...

...

an alert is raised and delivered in the form of an e-mail to the Operational Team. An error status is set on the eduGAIN status page https://technical.edugain.org/status and the cause of the error is displayed in the details section. The remaining cache time is also displayed. The status is also available through the eduGAIN access API, as described on https://technical.edugain.org/monitoring. If the error condition persists, reminder messages are sent at 6-hour intervals. If the federation metadata feed can be accessed and validated again, a recovery message is mailed to the eduGAIN OT mailing list.

During every aggregation run the validUntil check is performed for each of the federation metadata feeds.

...

  • all federations with the status “in production” are selected from the eduGAIN database

  • for each federation, its metadata URL is used to access the federation metadata feed

  • the metadata URL is contacted presenting the If-None-Match and If-Modified-Since header values from the last successful metadata fetching process (conditional GET support)

  • a 304 response means that the metadata was not modified; in this case the latest saved copy is used in the aggregation process

  • a 200 response means that a new metadata feed is available:

    • the eduGAIN validator is run against the new metadata feed

    • any feed error generated by the eduGAIN validator triggers the appropriate report; the offending metadata is rejected and the last successfully saved copy is used instead, if it is still valid

    • any successfully checked metadata feed is saved locally
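The refresh step of this procedure for one federation feed, as an added example (not the MDS implementation): the conditional GET headers are taken from the previous successful fetch, a 304 keeps the saved copy, a 200 goes through the validator before anything is saved, and a rejected feed falls back to the saved copy only while that copy's validUntil is still in the future. The HTTP fetch and the validator are in-memory stand-ins so the example runs offline; the feed bodies, ETag values and URL in demo() are constructed.

```python
"""Feed refresh step: conditional GET, 304/200 handling, validator gate, fall-back to the
saved copy while it is within validUntil. Added example with in-memory stand-ins for the
HTTP fetch and the eduGAIN validator; not the MDS implementation."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class FeedState:
    """What is kept per federation between aggregation runs."""
    url: str
    saved_copy: bytes = None
    etag: str = None
    last_modified: str = None
    events: list = field(default_factory=list)  # run log, the raw material for the report


def valid_until_of(body):
    """validUntil of the document element as an aware datetime, or None if absent."""
    m = re.search(rb'validUntil="([^"]+)"', body)
    return datetime.fromisoformat(m.group(1).decode().replace("Z", "+00:00")) if m else None


def refresh_feed(state, fetch, validate, now):
    """One run for one feed. fetch(url, headers) -> (status, response_headers, body);
    validate(body) -> list of error strings. Returns the bytes to hand to the aggregator,
    or None when the channel is empty (nothing saved, or the saved copy has expired)."""
    headers = {}
    if state.etag:
        headers["If-None-Match"] = state.etag
    if state.last_modified:
        headers["If-Modified-Since"] = state.last_modified
    status, resp_headers, body = fetch(state.url, headers)
    if status == 304:
        state.events.append("304: not modified, using saved copy")
    elif status == 200:
        errors = validate(body)
        if errors:  # rejected feed: report it, keep the old copy and its HTTP validators
            state.events.append("200: validator rejected feed (%s)" % "; ".join(errors))
        else:
            state.saved_copy, state.etag = body, resp_headers.get("ETag")
            state.last_modified = resp_headers.get("Last-Modified")
            state.events.append("200: new feed validated and saved")
    else:
        state.events.append("%d: fetch failed" % status)
    expiry = valid_until_of(state.saved_copy) if state.saved_copy else None
    if expiry is None or expiry <= now:
        state.events.append("no saved copy within validUntil; channel is empty")
        return None
    return state.saved_copy


def demo():
    """Scripted runs: fresh feed, unchanged feed (304), broken feed, then a run after expiry."""
    good = b'<md:EntitiesDescriptor validUntil="2024-05-08T12:00:00Z"><md:EntityDescriptor/></md:EntitiesDescriptor>'
    broken = b'<md:EntitiesDescriptor validUntil="2024-05-08T12:00:00Z"><broken/></md:EntitiesDescriptor>'
    responses = iter([
        (200, {"ETag": '"v1"', "Last-Modified": "Wed, 01 May 2024 12:00:00 GMT"}, good),
        (304, {}, b""),
        (200, {"ETag": '"v2"'}, broken),
    ])
    sent_headers = []

    def fetch(url, headers):            # stand-in for the HTTP client
        sent_headers.append(dict(headers))
        return next(responses)

    def validate(body):                 # stand-in for the eduGAIN validator
        return ["unexpected element <broken/>"] if b"<broken/>" in body else []

    state = FeedState("https://federation.example.org/metadata.xml")
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    results = [refresh_feed(state, fetch, validate, now) for _ in range(3)]
    expired = refresh_feed(state, lambda url, headers: (304, {}, b""), validate,
                           datetime(2024, 6, 1, tzinfo=timezone.utc))
    return state, sent_headers, results, expired


if __name__ == "__main__":
    for line in demo()[0].events:
        print(line)
```

The third run shows the point of the validator gate: the broken feed is rejected, the ETag stays at the last good value so the next conditional GET asks about the right version, and the aggregator still receives the previous copy. The fourth run shows the limit of that fall-back: once the saved copy's validUntil has passed, the channel is reported as empty rather than feeding stale metadata into the aggregate.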

Metadata validation

Each freshly downloaded federation metadata feed is processed in order to verify its integrity and originality, and its adherence to all required standards and policy conditions.

...

All valid federation metadata feeds are passed to the aggregator in a sequence ordered according to the date when each federation started to supply data to eduGAIN upstream metadata. During aggregation the first occurrence of a given entityID is used in the resulting eduGAIN metadata aggregate; any later occurrences are discarded.
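The aggregation step itself, as an added example (not the MDS code): the validated feeds are ordered by the date the federation started supplying data, the first occurrence of each entityID is kept and later ones are dropped, and the resulting md:EntitiesDescriptor gets the attributes listed earlier (Name http://edugain.org, validUntil 96 hours ahead, cacheDuration of 6 hours written as the xs:duration PT6H, and an ID of “eduGAIN” plus the UTC generation time). The two feeds in demo(), their onboarding dates and the ID attributes used to tell the copies apart are constructed; signing of the aggregate is not shown.

```python
"""eduGAIN aggregate assembly with first-occurrence-wins collision handling (added example;
not MDS code). The feeds and dates in demo() are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
AGGREGATE_NAME = "http://edugain.org"
VALIDITY = timedelta(hours=96)   # validUntil is set 96 hours into the future
CACHE_DURATION = "PT6H"          # cacheDuration of 6 hours, in xs:duration form
ENTITY_TAG = "{%s}EntityDescriptor" % MD_NS


def aggregate(feeds, generated_at):
    """feeds: [(onboarding_date_iso, feed_bytes), ...] of already validated feeds.
    Returns (aggregate_xml_text, dropped) where dropped lists (entityID, onboarding_date)
    of the copies discarded because an earlier-onboarded federation already supplied them."""
    stamp = generated_at.strftime("%Y%m%dT%H%M%SZ")
    root = ET.Element("{%s}EntitiesDescriptor" % MD_NS, {
        "Name": AGGREGATE_NAME,
        "ID": "eduGAIN" + stamp,
        "validUntil": (generated_at + VALIDITY).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "cacheDuration": CACHE_DURATION,
    })
    seen, dropped = set(), []
    # ISO dates sort correctly as strings; the earliest-onboarded federation goes first
    for onboarded, body in sorted(feeds, key=lambda f: f[0]):
        for entity in ET.fromstring(body).iter(ENTITY_TAG):
            eid = entity.get("entityID")
            if eid in seen:                  # collision: keep the first, discard this one
                dropped.append((eid, onboarded))
                continue
            seen.add(eid)
            root.append(entity)
    return ET.tostring(root, encoding="unicode"), dropped


def summarize(xml_text):
    """Pull the document attributes and (entityID, ID) pairs back out of an aggregate."""
    root = ET.fromstring(xml_text)
    return {
        "Name": root.get("Name"), "ID": root.get("ID"),
        "validUntil": root.get("validUntil"), "cacheDuration": root.get("cacheDuration"),
        "entities": [(e.get("entityID"), e.get("ID")) for e in root.findall(ENTITY_TAG)],
    }


def demo():
    """Two constructed feeds both carrying https://idp.example.org/idp; the federation that
    started supplying data earlier (2011) wins the collision."""
    tmpl = '<md:EntitiesDescriptor xmlns:md="%s">%%s</md:EntitiesDescriptor>' % MD_NS
    fed_a = ("2012-03-01", (tmpl % ('<md:EntityDescriptor entityID="https://idp.example.org/idp" ID="a1"/>'
                                    '<md:EntityDescriptor entityID="https://sp.example.org/sp" ID="a2"/>')).encode())
    fed_b = ("2011-06-15", (tmpl % ('<md:EntityDescriptor entityID="https://idp.example.org/idp" ID="b1"/>'
                                    '<md:EntityDescriptor entityID="https://aa.example.net/aa" ID="b2"/>')).encode())
    xml_text, dropped = aggregate([fed_a, fed_b], datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc))
    return summarize(xml_text), dropped


if __name__ == "__main__":
    summary, dropped = demo()
    print(summary["ID"], summary["validUntil"], summary["cacheDuration"])
    print(dropped)
```

Because the winner is decided purely by onboarding order, the dropped list is the useful output for operators: it names every entityID that a later-onboarded federation also registered, which is exactly the information needed to contact the federations involved about the clash.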

...

Acknowledgment

This document borrows heavily from Ian Young’s https://gist.github.com/iay/7486653

...