DRAFT
Version 2020-04-22
This document specifies recommendations for upstream metadata produced by eduGAIN participants. Failure to comply with these recommendations will result in a warning produced by the eduGAIN metadata validator using the eduGAIN SAML profile v2.
The recommendations are organised as a set of rules which may be easily verified by the eduGAIN metadata validator.
The rules table below lists the currently implemented validator warnings; those marked red are actually specification errors and should be upgraded to validator errors (to be discussed within the eduGAIN SG).
The significance column is meant for possible future use, i.e. grouping problems in order to solve the most important ones first. The proposed significance range is from 1 (least significant) to 5 (most significant). If found useful, this classification should be subject to a future discussion in the eduGAIN SG.
| # | Condition | Level | Significance | Reason |
|---|---|---|---|---|
| | Global warnings | | | |
| 1 | Signing certificate expired | 1-global | 1 | Currently implemented as a validator warning. To be confirmed by the SG. |
| | Warnings on entity level | | | |
| | ContactPerson definition found but no contactType | 2-entity | 2 | SIRTFI specification error |
| 46 | SIRTFI attribute declared but no appropriate md:ContactPerson set | 2-entity | 2 | SIRTFI specification error |
| 568 | mdattr:EntityAttributes placed in md:Extensions element of SPSSODescriptor/IDPSSODescriptor, expected in md:Extensions element of md:EntityDescriptor | 2-entity | 1 | Since http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html does not define the appearance of this element in places other than the md:Extensions element of EntityDescriptor, the condition is most likely the result of a mistake. |
| 79 9 | mdrpi:RegistrationPolicy not found | 2-entity | 3 | eduGAIN SAML profile Section 3 |
| 8 | mdrpi:RegistrationInfo element defined more than once within a given md:Extensions element | | | This violates http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html section 2.1, therefore it should be an error. |
| | mdattr:EntityAttributes element contains saml:AttributeValue with leading/trailing whitespace | | | |
| 10 | EntityAttributes element appears more than once within a given md:Extensions element | | | Violates http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html section 2.3, therefore it should be an error. |
| | EntityAttributes element contains duplicated saml:Attribute / saml:AttributeValue declaration | 2-entity | ?? | |
| | Warnings on entity's role level | | | |
| 11 | … not …, no … and mdui:Description present … not present | 3-role | 3 | eduGAIN SAML profile Section 3 |
| 12 | … with mdui:DisplayName … Description not present … Logo element | 3-role | 1 | eduGAIN SAML profile Section 3 |
| 1314 | mdui:UIInfo / mdui:DisplayName does not have English value | 3-role | ?? | |
| 15 | mdui:UIInfo not found | | | |
| | … but … not present and mdui:Description present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 14 | … found but neither … nor … found but mdui:Description not present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 15 | no mdui:Logo element … neither mdui:DisplayName nor mdui:Description present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 16 | this SP does not provide requested attribute specification | | | left from saml2int - should it be kept? |
| 18 | mdui:GeolocationHint value does not conform to coordinates specification [RFC5870] (missing longitude) | 3-role | 3 | RFC5870 |
| 17 | Data Protection Code of Conduct declared but no mdui:PrivacyStatementURL found | 3-role | 4 | Violates the CoCo spec |
| 18 20 | Data Protection Code of Conduct declared but md:RequestedAttribute element not found | 3-role | 4 | Violates the CoCo spec |
| 19 | CoCo declared but mdui:PrivacyStatementURL and md:RequestedAttribute elements not found | | | Violates the CoCo spec |
| 21 | mdui:Logo content size is larger than 40000 and smaller than 50000 characters | 3-role | | Decided by eduGAIN SG |
| 22 | mdui:Logo content size is 50000 or more characters | 3-role | | Decided by eduGAIN SG |
| 23 | R&S Category declared but the SP does not provide required mdui:DisplayName | 3-role | 4 | R&S spec 4.3.3 |
| 24 | R&S Category declared but the SP does not provide required mdui:InformationURL | 3-role (SP only) | 4 | R&S spec 4.3.3 |
| 25 | R&S Category declared but the SP does not provide the required Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST in md:AssertionConsumerService | 3-role (SP only) | 4 | R&S spec 4.3.1 |
| 26 | R&S Category declared but the SP does not provide any technical contact | 2-entity | 4 | R&S spec 4.3.4 |
| 27 | Some entities do not have an encryption certificate | 1-global | | |
| 28 | SP has a wrong signing certificate | 3-role (SP-only) | | |
| 29 | SP has no encryption certificate | 3-role (SP-only) | | |
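To show how the entity-level rules above translate into concrete checks on SAML metadata, here is an added example (not the eduGAIN validator's own code) that implements the ContactPerson, RegistrationInfo/RegistrationPolicy, EntityAttributes placement and AttributeValue whitespace rules over a constructed sample entity; the finding labels and the sample metadata are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the elements the rules refer to.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}

def check_entity(ed):
    """Return a list of finding labels for one md:EntityDescriptor element."""
    findings = []
    # md:ContactPerson without the contactType attribute (entity-level rule)
    for cp in ed.findall("md:ContactPerson", NS):
        if not cp.get("contactType"):
            findings.append("ContactPerson without contactType")
    ext = ed.find("md:Extensions", NS)  # direct child only: the entity's own Extensions
    infos = ext.findall("mdrpi:RegistrationInfo", NS) if ext is not None else []
    if len(infos) > 1:
        findings.append("RegistrationInfo defined more than once")
    if not any(i.find("mdrpi:RegistrationPolicy", NS) is not None for i in infos):
        findings.append("RegistrationPolicy not found")
    if ext is not None and len(ext.findall("mdattr:EntityAttributes", NS)) > 1:
        findings.append("EntityAttributes appears more than once")
    # mdattr:EntityAttributes belongs in the entity's md:Extensions, not in a role's
    for role in ("md:SPSSODescriptor", "md:IDPSSODescriptor"):
        for r in ed.findall(role, NS):
            if r.find("md:Extensions/mdattr:EntityAttributes", NS) is not None:
                findings.append("EntityAttributes placed in role descriptor Extensions")
    # saml:AttributeValue text with leading or trailing whitespace
    for val in ed.iter("{%s}AttributeValue" % NS["saml"]):
        if val.text is not None and val.text != val.text.strip():
            findings.append("AttributeValue with leading/trailing whitespace")
    return findings

def check_metadata(xml_text):
    """Check every md:EntityDescriptor in an aggregate or a single-entity document."""
    root = ET.fromstring(xml_text)
    ents = [root] if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.findall(".//md:EntityDescriptor", NS)
    return {ed.get("entityID"): check_entity(ed) for ed in ents}

# Constructed sample (not real metadata): one SP that triggers four of the rules above.
SAMPLE = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example/"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue> http://refeds.org/category/research-and-scholarship </saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  </md:SPSSODescriptor>
  <md:ContactPerson><md:EmailAddress>mailto:admin@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
```

Calling `check_metadata(SAMPLE)` returns the four findings for the sample entity; a real validator would map each label to the warning number and level in the table.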