Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


federation metadata feedA SAML metadata file originating from a participant federation Federation acting as a SAMLMetadataProducer
federation metadata channelA location (in the form of http/https URL) pointing to the distribution source of the federation metadata feed
eduGAIN matadata aggregateA SAML metadata file obtained produced or generated ? as an aggregate of federation metadata feeds according to the procedures described in this document


  • a federation metadata channel;

  • an RSA/EC public key with which the metadata metadata feed document will be signed; this will normally be made available in the form of an X.509 certificate;

  • the registrationAuthority attribute value to be associated with the federation metadata feed.


As specified by the [eduGAIN-Profile] in order to assure metadata integrity and originality, each federation metadata feed MUST be signed as specified in [SAMLMeta]. This signature made with the key matching the one supplied to the eduGAIN OT is the only element on which trust is based. In particular MDS does not use trust that might be derived from an https endpoint details. (the previous sentence sounds strange)

Metadata signature verification is done against the public key alone. If the public key for the federation metadata feed channel is supplied in the form of an X.509 certificate, other aspects of the certificate such as its expiry date do not form part of signature verification. This approach is borrowed from the SAML metadata interoperability profile (url?). In particular an expired certificate will still be used for the verification purpose.


(Some text is missing to introduce next table)

Condition evaluated



The signature exists and is valid

eduGAIN-profile] section 4


The signature can be validated with the public key configured for the federation metadata channel

[eduGAIN-profile] section 4

S3The signature was made using an explicit ID reference, not an empty reference[eduGAIN-profile] section 4
S4The signature reference refers to the document element [eduGAIN-profile] section 4

The signature's digest algorithm is at least as strong as SHA-256, and does not use MD5
or SHA-1

[eduGAIN-profile] section 4

The signature's signature method is RSA with an associated digest at least as strong as
SHA-256 and does not use MD5 or SHA-1

[eduGAIN-profile] section 4

The signature's transforms contain only these permissible values:

  • Enveloped signature.
  • Exclusive canonicalisation with or without comments.
[eduGAIN-profile] section 4
S8RSA/EC key used to sign metadata is at least 2048/256 bits in length[eduGAIN-profile] section 4


Condition Evaluated



md:IDPSSODescriptor element must have a signing certificate (ds:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate)


if md:Extentions element with md:UIInfo exists:

  • mdui:Keywords, mdui:DisplayName, mdui:Description elements if declared must not be empty

  • mdui:Logo element if is declared must have a value starting with one of: http://, https:// or data:image

  • mdui:PrivacyStatementURL element if declared must have value starting with http:// or https://

[MDUI] sec. 2.1, [SAML] sec.1.3.1, [SAML] sec.1.3.2


if md:Extentions element with md:DiscoHints exist:

  • mdui:IPHint, mdui:DomainHint, mdui:GeolocationHint elements if declared must not be empty

  • mdui:GeolocationHint element if declared must not be empty and must start with geo: prefix

[MDUI] sec.2.2, [SAML] sec.1.3.1, [SAML] 1.3.2, RFC5870 (for geo)
R4md:ServiceName element within md:AttributeConsumingService is not emptySAMLMeta, SAML 1.3.1
R5md:AssertionConsumerService element Binding attribute does not contain urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect[SAMLProf] sec. 4.1.2 line 424

md:DiscoveryResponse element Binding attributes does not contain

[IdPDisco] sec.2.5
R7indexes in md:DiscoveryResponse, md:AssertionConsumerService, md:AttributeConsuminService are unique[SAMLMeta] sec.2.2.3