Page History

...

	Condition Evaluated	Reason
A1	the document root element is md:EntitiesDescriptor	[SAMLMeta] sec. 2.3
A2	all required namespaces are declared, that is md, mdrpi, mdui, shibmd	[eduGAIN-profile] sec. 1.3
A3	md:EntitiesDescriptor contains md:Extensions element with mdrpi:PublicationInfo element in which the publisher and creationInstant attributes exist	[eduGAIN-Profile] sec. 3
A4	the creationInstant attribute uses the dateTime format required by SAMLMeta and does not point to the future	[MDRPI] sec. 2.2.1
A5	validUntil attribute in EntitiesDescriptor element exists, can be converted to a time value and it does not point to the past	[SAML] lines: 348; 316
A6	validUntil attribute with a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant	[eduGAIN-profile] sec. 3
A7	the fetched document schema-validates against following SAML metadata schemas: saml-schema-metadata-2.0.xsd - namespace urn:oasis:names:tc:SAML:2.0:metadata saml-schema-assertion-2.0.xsd - namespace urn:oasis:names:tc:SAML:2.0:assertion saml-metadata-rpi-v1.0.xsd - namespace urn:oasis:names:tc:SAML:metadata:rpi shibboleth-metadata-1.0.xsd - namespace urn:mace:shibboleth:metadata:1.0 sstc-metadata-attr.xsd - namespace urn:oasis:names:tc:SAML:metadata:attribute namespace sstc-saml-metadata-ui-v1.0.xsd - namespace urn:oasis:names:tc:SAML:metadata:ui sstc-saml-idp-discovery.xsd - namespace urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol sstc-saml-metadata-algsupport-v1.0.xsd - namespace urn:oasis:names:tc:SAML:metadata:algsupport xml.xsd - namespace http://www.w3.org/XML/1998/namespacexmldsig-core-schema.xsd - namespace (Shibboleth MDA uses version from 2001 http://www.w3.org/2000/09/xmldsig#xenc-schema.xsd - namespace 2001/xml.xsd, pyFF uses version from 2009 http://www.w3.org/20012009/04/xmlenc#01/xml.xsd which defines xs:lang as union ("The union allows for the 'un-declaration' of xml:lang with the empty string.") xmldsig-core-schemaws-addr.xsd - namespace http://www.w3.org/20052000/0809/addressingxmldsig# ws-securitypolicy-1.2xenc-schema.xsd - namespace http://docswww.oasis-openw3.org/2001/04/xmlenc# ws-addr.xsd - namespace http://www.w3.org/2005/08/addressing ws-securitypolicy-1.2.xsd - namespace http://docs.oasis-open.org/ws-ws-sx/ws-securitypolicy/200702 ws-authorization.xsd - namespace http://docs.oasis-open.org/wsfed/authorization/200706 ws-federation.xsd - namespace http://docs.oasis-open.org/wsfed/federation/200706 MetadataExchange.xsd - namespace http://schemas.xmlsoap.org/ws/2004/09/mex oasis-200401-wss-wssecurity-utility-1.0.xsd - namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd oasis-200401-wss-wssecurity-secext-1.0.xsd - namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	list of schemas from Shibboleth Metadata Aggregator configuration and pyFF sources

For each md:EntityDescriptor element the following verification is performed:

...

a federation metadata feed is unavailable (the corresponding federation feed channel is not responding)
a federation metadata feed does not validate correctly

an alert is raised and delivered to the Operational Team. An error status is set on the eduGAIN status page https://technical.edugain.org/status and the cause of the error is displayed in the details section. The remaining cache time is also displayed. The status is also available through the eduGAIN access API, as described on: https://technical.edugain.org/monitoring. If the error condition persists reminder messages are sent in the intervals of 6 hours. If the federation metadata feed can be accessed/validated again, a recovery message is delivered to the eduGAIN OT.

During every aggregation run the validUntil timer for each of the federation metadata feeds is performed.

...

. Detailed description of alert procedures is provided on the alerts page.

Detailed technical description

...

Page tree

Versions Compared

Old Version 35

New Version Current

Key

Detailed technical description