Versions Compared

This page presents the requirements from the reference specification fulfilled by the GÉANT IdPaaS implementation (the GEANT IdPaaS proof of concept; its status is recorded in the samlidp.io column of each table below). The page can be used as a reference by those who plan to build an IdP PaaS solution. Please note that this work informed the IdP PaaS Reference Design documentation.

...

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| IC1 | Accept user input | The platform MUST accept user input for IdP configuration for all values defined as configurable in section IdP requirements | Done / Missing (the status differs between the compared versions) |
| IC2 | Unique entity ID | A new entity ID MUST NOT already exist in eduGAIN, nor in any national federation | Done |
| IC3 | Non-reusable entity ID | A new entity ID MUST NOT be equal to one issued previously by this platform | Done |
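An added example, not code from the GÉANT IdPaaS proof of concept or samlidp.io, of how the IC2 and IC3 checks can be enforced together: the candidate entity ID is looked up in every federation metadata aggregate the platform consumes and in the platform's own register of every entity ID it has ever issued, so the ID of a deleted IdP is never handed out again. The aggregate below is a constructed stand-in for the eduGAIN and national feeds; in production the aggregate signature is verified before parsing and untrusted XML goes through a hardened parser.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for a signed eduGAIN / national federation aggregate.
SAMPLE_AGGREGATE = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
  <md:EntitiesDescriptor Name="urn:example:nested-national-federation">
    <md:EntityDescriptor entityID="https://login.university.example/saml2/idp/metadata.php"/>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>
"""


def entity_ids_in_aggregate(xml_text):
    """Collect every entityID, including entities inside nested EntitiesDescriptor elements."""
    root = ET.fromstring(xml_text)
    return {
        el.attrib["entityID"]
        for el in root.iter(f"{{{MD_NS}}}EntityDescriptor")
        if "entityID" in el.attrib
    }


def entity_id_available(candidate, aggregates, issued_register):
    """IC2: not present in any consumed federation feed.
    IC3: never issued by this platform before, even for an IdP that was later deleted.
    aggregates: {feed name: metadata XML}; issued_register: set of IDs ever issued."""
    candidate = candidate.strip()
    for feed_name, xml_text in aggregates.items():
        if candidate in entity_ids_in_aggregate(xml_text):
            return False, f"already registered in {feed_name}"
    if candidate in issued_register:
        return False, "previously issued by this platform"
    return True, "available"


def issue_entity_id(candidate, aggregates, issued_register):
    """Reserve the ID in the register the moment it is accepted, so IC3 holds across deletions."""
    ok, reason = entity_id_available(candidate, aggregates, issued_register)
    if ok:
        issued_register.add(candidate.strip())
    return ok, reason
```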

IdP Deletion [ID]

The platform must provide a function to delete a formerly created IdP entirely.

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| ID1 | Complete deletion | It MUST be possible to delete an IdP and non-technical data upon request. This includes at least: any related user data; personal log data | Done |
| ID2 | Delayed deletion | Once deletion is triggered the IdP MUST be deactivated, but MUST NOT be deleted for a retention period of three months. | Done |
| ID3 | Delete notification | The administrator and technical contacts of an IdP MUST be notified immediately once deletion is requested. | Missing |
| ID4 | IdP recovery | The administrator MUST be able to recover and reactivate an IdP within the retention period. | Missing |
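An added example, not code from the proof of concept, of the ID1 to ID4 lifecycle as one state machine: a deletion request deactivates the IdP at once and notifies its contacts, the data survives for the retention period during which an administrator can recover it, and only a scheduled purge removes it entirely. The 90-day value and the in-memory notification list are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: the three-month retention period of ID2 is modelled as 90 days.
RETENTION = timedelta(days=90)


@dataclass
class HostedIdP:
    entity_id: str
    admin_contacts: List[str]
    tech_contacts: List[str]
    active: bool = True
    deletion_requested: Optional[date] = None
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for outbound mail

    def request_deletion(self, today: date) -> None:
        """ID2: deactivate at once but keep the data; ID3: notify admin and technical contacts."""
        self.active = False
        self.deletion_requested = today
        for contact in self.admin_contacts + self.tech_contacts:
            self.notifications.append((contact, f"deletion of {self.entity_id} requested on {today}"))

    def purge_due(self, today: date) -> bool:
        """True once the retention period has elapsed and the data may be removed entirely (ID1)."""
        return self.deletion_requested is not None and today >= self.deletion_requested + RETENTION

    def recover(self, today: date) -> None:
        """ID4: an administrator may reactivate the IdP only inside the retention period."""
        if self.deletion_requested is None:
            raise ValueError("no deletion pending")
        if self.purge_due(today):
            raise ValueError("retention period elapsed; IdP can no longer be recovered")
        self.active = True
        self.deletion_requested = None


def purge_expired(idps: List[HostedIdP], today: date) -> Tuple[List[HostedIdP], List[str]]:
    """Scheduled job: drop IdPs whose retention elapsed; returns (survivors, purged entity IDs)."""
    purged = [idp.entity_id for idp in idps if idp.purge_due(today)]
    return [idp for idp in idps if not idp.purge_due(today)], purged
```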

IdP Management [IM]

The platform must provide a function to alter the configuration of an existing IdP without loss of user data.

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| IM1 | Edit configuration | Administrators MUST be able to change the IdP configuration for all values defined as configurable in section IdP requirements | Done |

SP Management [SM]

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| SP1 | Add and configure SPs | It MUST be possible to configure entities to be read from metadata | Done |
| SP2 | Attribute release policy | There MUST be an option to configure the attributes released for all service providers, and for a specific service provider | Done |

User Management [UM]

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| UM1 | Local user management | The solution MUST include local user management to create, update and delete identities. | Done |
| UM2 | Remote user management | The solution MUST be capable of using identities from an existing user database at a remote location. | Done |

Authentication & Authorization [AA]

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| AA1 | 2FA authentication | Access to the management interface MUST require at least a second factor. | Missing |
| AA2 | Account recovery | The software SHOULD NOT offer a self service to recover administrative accounts. | Done |

Software Deployment [SD]

| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| SD1 | Operational documentation | The deployment MUST be sufficiently documented so that it can be performed easily and independently. | Done |
| SD2 | Automatic deployment | Deploying the software itself SHOULD be automated. | Done |

IdP requirements

The following requirements apply to the hosted IdP itself.

...

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| AU1 | Handle SAML authentication | The IdP MUST be able to handle SAML2 authentication | No | Done |
| AU2 | Common standards | The IdP MUST adhere to saml2int and the relevant eduGAIN profiles | No | Done |
| AU3 | No SAML1 | The IdP MUST NOT be able to handle SAML1 authentication | No | Done |
| AU4 | Identifier support | The IdP MUST support the following identifier types: persistent NameID, transient NameID, ePPN, ePTID, subject ID | No | Done |
| AU5 | eduPerson support | The IdP MUST support the following eduPerson attributes: displayName, email, CN, SN, name, eduPersonScopedAffiliation, eduPersonEntitlement | No | Done |
| AU6 | SCHAC support | The IdP MUST support the following SCHAC attributes: schacHomeOrganisation | No | Done |
| AU7 | eduMember support | The IdP MUST support the following eduMember attributes: isMemberOf | No | Missing |
| AU8 | Force Authn | The IdP MUST support SAML forced authentication | No | Done |
| AU9 | SSO session time | The IdP MUST support SSO; the session time must be configurable | Yes | Done |
| AU10 | Authentication Context | The IdP MUST support providing LoA information through the Authentication Context Class Reference (AuthnContextClassRef) | No | Done |

Credential Handling [CH]

The two compared versions number the Passwords and Encryption rows differently (CH2 or CH3, and CH3 or CH4); both IDs are shown. No status is recorded for CH1.

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| CH1 | Local Credential Source | The IdP MUST allow for credentials to be provided locally | Yes | |
| CH2 | LDAPs credential store | The IdP MUST allow for credentials to be provided remotely through LDAPs. This LDAP access MUST be read only, so no editing of remote LDAP data is possible. | Yes | Done |
| CH2 / CH3 | Passwords | The IdP MUST support the use of passwords for authentication | No | Done |
| CH3 / CH4 | Encryption | All locally stored and/or cached personal data of end users MUST be stored encrypted, where the encryption key is the SHA256 of the password or token ID | No | Done |

Attribute release [AR]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| AR1 | R&E Entity categories | The IdP MUST be able to use commonly used entity categories such as R&S and SIRTFI as a filter for the attribute release policy | Yes | Done |
| AR2 | SP metadata attributes | The product MUST support release of attributes based on SP metadata requirements | Yes | Done |
| AR3 | Per SP attributes | The product MUST support release of attributes on a per-SP basis (configured manually) | Yes | Done |
| AR4 | Attribute value filtering | The product MAY support filtering of attribute values (e.g. for affiliation) on a per-SP basis | No | Missing |
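An added example, not code from the proof of concept, of one policy object that covers SP2 and AR1 to AR4 in the order an IdP would evaluate them: a default set released to every SP, an entity-category bundle (R&S), attributes honoured only when the SP metadata requests them and the IdP is willing to release them on request, a manual per-SP set, and per-SP value filtering. The R&S bundle, the sample policy and the user record are constructed for the example.

```python
from dataclasses import dataclass, field

# Entity-category URI carried in SP metadata (REFEDS Research & Scholarship) and the
# constructed bundle of attributes this example releases to R&S SPs.
RS = "http://refeds.org/category/research-and-scholarship"
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn", "eduPersonScopedAffiliation"}


@dataclass
class ReleasePolicy:
    default_for_all: set = field(default_factory=set)     # SP2: released to every SP
    on_request: set = field(default_factory=set)          # AR2: released if SP metadata requests it
    category_bundles: dict = field(default_factory=dict)  # AR1: category URI -> attribute bundle
    per_sp: dict = field(default_factory=dict)            # AR3: entity ID -> manually configured set
    value_filters: dict = field(default_factory=dict)     # AR4: (entity ID, attribute) -> allowed values

    def resolve(self, sp_entity_id, sp_categories, sp_requested, user):
        names = set(self.default_for_all)
        for category, bundle in self.category_bundles.items():
            if category in sp_categories:
                names |= bundle
        names |= set(sp_requested) & self.on_request  # requests outside on_request are ignored
        names |= self.per_sp.get(sp_entity_id, set())
        released = {}
        for name in names & set(user):  # never more than the IdP actually holds
            values = user[name]
            allowed = self.value_filters.get((sp_entity_id, name))
            if allowed is not None:
                values = [v for v in values if v in allowed]
            if values:
                released[name] = values
        return released


# Constructed sample policy and user record.
WIKI_SP = "https://wiki.example.org/sp"
POLICY = ReleasePolicy(
    default_for_all={"eduPersonTargetedID"},
    on_request={"schacHomeOrganisation"},
    category_bundles={RS: RS_BUNDLE},
    per_sp={WIKI_SP: {"isMemberOf"}},
    value_filters={(WIKI_SP, "eduPersonScopedAffiliation"): {"member@example.edu"}},
)
USER = {
    "eduPersonTargetedID": ["abc123"],
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    "schacHomeOrganisation": ["example.edu"],
    "isMemberOf": ["cn=wiki-editors"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}
```

`resolve` returns a dict of attribute name to values; attributes the SP requests but the policy does not list in `on_request` (here eduPersonEntitlement) are silently dropped, and an SP with no category and no per-SP entry receives only the default set.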

User management [UM]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| UM1 | Local GUI | A local per-customer GUI MUST be provided to manage users in the local user store if so configured | Yes | Done |
| UM2 | Local GUI AuthN | Authentication for the local GUI MUST NOT use any of the IdPs on the platform | No | Done |
| UM3 | Local Password reset | A password reset function MUST be provided for users, based on the email stored in the local store | Yes | Done |

Metadata publishing [MP]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| MP1 | Publish SAML metadata | The product MUST publish SAML metadata for the entity | No | Done |
| MP2 | R&E Entity categories | The product MUST allow publishing of specific entity categories: R&S, SIRTFI | Yes | Done |

Metadata consumption [MC]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| MC1 | Consume entity XML metadata | The product MUST allow importing an entity XML | Yes | Done |
| MC2 | Consume entity metadata through URL | The product MUST allow importing URL-based metadata | Yes | Done |
| MC3 | Consume entities metadata through MDQ | The IdP MUST be able to consume metadata via MDQ | Yes | Done |

Logging [LO]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| LO1 | Transaction logging | The product MUST support logging authN transactions in a separate log | No | Done |
| LO2 | Error logging | The product MUST support logging errors in a separate log | Yes | Done |
| LO3 | Log persistence | Logs MUST be deleted automatically after a given time. The time must be configurable on a per-log basis. | No | Done |
| LO4 | Log retrieval | Logs MUST be downloadable by an appropriate admin | No | Missing |
| LO5 | Secure logs | The platform admin MUST NOT have access to user data (the wording differs between the compared versions: "does not" / "MUST NOT") | No | Done |

Statistics [ST]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| ST1 | Per SP transactions | The IdP MUST provide transactions per SP over a given period of time (day/month/week/year) | No | Missing |
| ST2 | Transaction Aggregates | The IdP must provide aggregated transactions over a given period (day/month/week/year) | No | Missing |
| ST3 | Fticks ready | The product SHOULD preconfigure the IdP with F-TICKS support | Yes | Missing |

Branding and contact data [BC]

| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| BC1 | IdP displayname | The IdP MUST have a multi-language displayname | Yes | Done |
| BC2 | Logo | The IdP MUST have a logo | Yes | Done |
| BC3 | Admin contact | The IdP MUST have an administrative contact | Yes | Done |
| BC4 | Tech contact | The IdP MUST have a technical contact | Yes | Done |
| BC5 | Support contact | The IdP MUST have an end user support contact | Yes | Done |
| BC6 | Security contact | The IdP MAY have a security support contact | Yes | Done |