Versions Compared

...

MDS bases its aggregation function on the information provided by each participant federation, as specified in [eduGAIN-Profile]:

...

  • The signature was made using an explicit ID reference, not an empty reference.

  • The signature reference refers to the document element (this helps to avoid "wrapping attacks").

  • The digest algorithm is at least as strong as SHA-256. Specifically, MD5 and SHA-1 are not permitted as digest algorithms.

  • The signature method is RSA with an associated digest at least as strong as SHA-256. Specifically, RSA with MD5 or SHA-1 is not permitted as a signature method.

  • The signature's transforms contain only permissible values:
      • Enveloped signature
      • Exclusive canonicalisation with or without comments

Verification of metadata validity

...


| Condition | Evaluated | Reason |
| --- | --- | --- |
| A1 | the document element is md:EntitiesDescriptor | |
| A2 | all required namespaces are declared, that is xmlns:md, xmlns:mdrpi, xmlns:ds | |
| A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher attribute is given | |
| A4 | the validUntil attribute of the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines: 348; 316 |
| A5 | the validUntil attribute has a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant (the other compared version reads: validUntil is not later than 28 days compared to the download moment) | eduGAIN-profile |
| A6 | the fetched document schema-validates against the following SAML metadata schemas: | |
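The signature rules listed above and conditions A1 to A5 from the table, as an added stdlib-only Python example; this is not MDS or eduGAIN code. The sample feed, its ID `_mds1`, the publisher URL, the timestamps, the download moment `NOW` and the base64 placeholder digest/signature values are all constructed for the example, and A6 (schema validation) is left out because it needs the schema files. The check names (`SIG-REF`, `A4`, and so on) are labels chosen here, not identifiers from the profile.

```python
# Added example (not MDS or eduGAIN code): stdlib-only checks for the signature
# rules above and for validity conditions A1-A5. The sample documents, their ID,
# publisher URL, timestamps and digest/signature values are constructed dummies.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from io import BytesIO

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XMLDSig algorithm URIs that satisfy "at least as strong as SHA-256"
DIGEST_OK = {"http://www.w3.org/2001/04/xmlenc#sha256",
             "http://www.w3.org/2001/04/xmldsig-more#sha384",
             "http://www.w3.org/2001/04/xmlenc#sha512"}
SIGMETHOD_OK = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
TRANSFORM_OK = {"http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                "http://www.w3.org/2001/10/xml-exc-c14n#",
                "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}

def parse_time(value):
    """SAML dateTime with 'Z' suffix -> aware datetime, or None if absent/unparsable."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None

def load(xml_text):
    """Parse the feed and record the namespace prefixes it declares (needed for A2)."""
    declared, root = set(), None
    for event, item in ET.iterparse(BytesIO(xml_text.encode()), events=("start-ns", "start")):
        if event == "start-ns":
            declared.add(item[0])      # item is (prefix, uri)
        elif root is None:
            root = item                # first "start" event is the document element
    return root, declared

def check_signature(root):
    """Reference, digest, signature-method and transform rules from the list above."""
    problems = []
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["SIG-MISSING: no ds:Signature under the document element"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if len(uri) < 2 or not uri.startswith("#"):
        problems.append("SIG-REF: empty or non-ID reference")
    elif uri[1:] != root.get("ID"):  # a reference elsewhere invites wrapping attacks
        problems.append("SIG-REF: reference does not target the document element")
    digest = ref.find("ds:DigestMethod", NS) if ref is not None else None
    if digest is None or digest.get("Algorithm") not in DIGEST_OK:
        problems.append("SIG-DIGEST: digest algorithm weaker than SHA-256")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in SIGMETHOD_OK:
        problems.append("SIG-METHOD: signature method is not RSA with SHA-256 or stronger")
    for t in (ref.findall("ds:Transforms/ds:Transform", NS) if ref is not None else []):
        if t.get("Algorithm") not in TRANSFORM_OK:
            problems.append("SIG-TRANSFORM: " + str(t.get("Algorithm")))
    return problems

def check_validity(root, declared, now):
    """Conditions A1-A5; 'now' is the download moment (A6 needs the schema files)."""
    problems = []
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        problems.append("A1: document element is not md:EntitiesDescriptor")
    missing = {"md", "mdrpi", "ds"} - declared
    if missing:
        problems.append("A2: undeclared namespace prefixes " + ", ".join(sorted(missing)))
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None or not pub.get("publisher"):
        problems.append("A3: mdrpi:PublicationInfo with a publisher attribute is missing")
    valid_until = parse_time(root.get("validUntil"))
    if valid_until is None or valid_until <= now:
        problems.append("A4: validUntil missing, unparsable or in the past")
    creation = parse_time(pub.get("creationInstant")) if pub is not None else None
    if valid_until is not None and creation is not None:
        low, high = creation + timedelta(hours=120), creation + timedelta(hours=2304)
        if not low <= valid_until <= high:
            problems.append("A5: validUntil not within 120h..2304h after creationInstant")
    return problems

def evaluate(xml_text, now):
    root, declared = load(xml_text)
    return check_signature(root) + check_validity(root, declared, now)

# Constructed sample feed; DigestValue/SignatureValue are placeholders, not real signatures.
SAMPLE_OK = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_mds1" Name="https://mds.example.org/feed" validUntil="2024-01-20T12:00:00Z">
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_mds1"><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
 <md:Extensions><mdrpi:PublicationInfo publisher="https://federation.example.org"
  creationInstant="2024-01-10T12:00:00Z"/></md:Extensions>
</md:EntitiesDescriptor>"""
# Same feed with an empty reference, a SHA-1 digest and a validUntil 101 days out.
SAMPLE_WEAK = (SAMPLE_OK.replace('URI="#_mds1"', 'URI=""')
               .replace("2001/04/xmlenc#sha256", "2000/09/xmldsig#sha1")
               .replace('validUntil="2024-01-20', 'validUntil="2024-04-20'))
NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)  # constructed download moment
```

`evaluate(SAMPLE_OK, NOW)` returns an empty list, while `evaluate(SAMPLE_WEAK, NOW)` reports the empty reference, the SHA-1 digest and the A5 window violation. Note that this only checks the signature's declared parameters against the profile; actually verifying the signature value against the federation's key is a separate step that needs an XML signature library.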


...