Versions Compared

Old Version 25

changes.mady.by.user Tomasz Wolniewicz

Saved on

compared with

New Version 26

changes.mady.by.user Tomasz Wolniewicz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Condition Evaluated

Reason

E1

entityID attribute value has no space characters, starts with http:// or https:// or urn: and must be unique within given feed

[SAMLmeta], [SAML] 1.3.2

E2

md:Extensions element with mdrpi:RegistrationInfo is defined and registrationAuthority attribute matches the value registered with the eduGAIN OT for a given federation

[eduGAIN-profile] sec. 3

E3

if within md:ContactPerson element any of the following elements is declared: GivenName, Surname, EmailAddress, TelephoneNumber - its values must not be empty

[SAMLmeta],

 [SAML] 1.3.1

E4md:OrganizationDisplayName, md:OrganizationName, md:OrganizationURL elements are not empty SAMLMeta 2.3.2.1, SAML 1.3.1 i 1.3.2[eduGAIN-profile] sec. 3

E5

if md:Organization element is declared with md:OrganizationDisplayName and/or md:OrganizationName and/or md:OrganizationURL elements then values of these elements must not be empty

[SAMLmeta],

[SAML] 1.3.2,

 [SAML] 1.3.1

E6md:ContactPerson exists with technical or support contactType[eduGAIN-profile] sec. 3
E7md:EmailAddress in md:ContactPerson element must start with mailto: prefix - not impmemented as error yet[SAMLmeta] sec. 2.3.2.2, line 495
E8mdrpi:RegistrationInfo element defined more than once within a given md:Extensions element[MDRPI] sec. 2.1
E9mdattr:EntityAttributes element appears more than once within a given md:Extensions element [MEEA] sec 2.3


For each role descriptor element declared under md:EntityDescriptor the following verification is performed:


Condition Evaluated

Reason

R1

md:IDPSSODescriptor element must have a signing certificate (ds:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate)


R2

if md:Extentions element with md:UIInfo exists:

  • mdui:Keywords, mdui:DisplayName, mdui:Description elements if declared must not be empty

  • mdui:Logo element if is declared must have a value starting with one of: http://, https:// or data:image

  • mdui:PrivacyStatementURL element if declared must have value starting with http:// or https://

[MDUI] sec. 2.1, [SAML] sec.1.3.1, [SAML] sec.1.3.2

R3

if md:Extentions element with md:DiscoHints exist:

  • mdui:IPHint, mdui:DomainHint, mdui:GeolocationHint elements if declared must not be empty

  • mdui:GeolocationHint element if declared must not be empty and must start with geo: prefix

[MDUI] sec.2.2, [SAML] sec.1.3.1, [SAML] sec .1.3.2, RFC5870 (for geo)
R4md:ServiceName element within md:AttributeConsumingService is not emptySAMLMeta 2.4.4.1, SAML 1.3.1
R5md:AssertionConsumerService element Binding attribute does not contain urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect[SAMLProf] sec. 4.1.2 line 424
R6

md:DiscoveryResponse element Binding attribute contains the value
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol

[IdPDisco] sec.2.5
R7indexes in md:DiscoveryResponse, md:AssertionConsumerService, md:AttributeConsuminService are unique[SAMLMeta] sec.2.2.3

...

[MDUI] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.html

[MEEA] http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html

[IdPDisco] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf

...

[SAMLMetaIoP] https://www.oasis-open.org/committees/download.php/36645/draft-sstc-metadata-iop-2.0-01.pdf

[eduGAIN-Profile] https://github.com/REFEDS/SAML-Profile/blob/master/edugain-saml-profile.md

...