Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

DRAFTVersion 2020-04-22

This document specifies recommendations for upstream metadata produced by eduGAIN participants. Failure to comply with these recommendations will result . in a warning produced by the eduGAIN metadata validator using the eduGAIN SAML profile v2.

The table below lists currently implemented validator warnings, those recommendations are organised as a set of rules which may be easily verified by the eduGAIN metadata validator.

The rules marked red are actually specification errors and should be upgraded to validator errors (to be discussed within the eduGAIN SG)


The significance column is meant for possible future use, i.e. grouping problems in order to solve the most important first. Proposed significance range is from 1 (least significant) to 5 (most significant). If found useful, this classification should be subject to a future discussion in the eduGAIN SG.


Signing certificate expired

1-global1Currently implemented as a validator warning. To be confirmed by the SG.
Warnings on entity level
2md:EmailAddress in md:ContactPerson element should start with mailto: prefix2-entity4This violates line 495 of and should be considered an error!

SIRTFI attribute present and security


ContactPerson definition found but


contact type not



2-entity2SIRTFI specification error
assurance-certification entity attribute is defined,

SIRTFI attribute declared but no appropriate md:ContactPerson set

2-entity2SIRTFI specification error

shibmd:Scope with no regexp attribute

2-entity5 recommendation

mdattr:EntityAttributes placed in md:Extensions element of SPSSODescriptor/IDPSSODescriptor, expected in  md:Extensions element of md:EntityDescriptor

mdrpi:RegistrationPolicy not found

mdrpi:RegistrationInfo element defined more than once within a given md:Extensions element

This violates
rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html section 2.1 therefore should be an error
attr.html does not define appearance of this element in places other then md:Extensions element of EntityDescriptor it is most likely that the condition is a result of a mistake.

mdrpi:RegistrationPolicy not found


eduGAIN SAML profile Section 3


mdattr:EntityAttributes element contains saml:AttributeValue with leading/trailing whitespaces



EntityAttributes element appears more than once within a given md:Extensions element 

Warnings on entity’s role level

mdui:PrivacyStatementURL does not start with http:// https://

Not a direct specification error, but probably should be considered as such?mdui:GeolocationHint should start with geo: prefixviolation of section 2.2.4 should be an error

EntityAttributes element contains duplicated saml:Attribute / saml:AttributeValue declaration

10mdui:UIInfo found but mdui:DisplayName not present3-role3eduGAIN SAML profile Section 3
11mdui:UIInfo found but no mdui:Logo element3-role1eduGAIN SAML profile Section 3
12mdui:UIInfo / mdui:DisplayName does not have English value3-role??
13mdui:UIInfo not found, no mdui:DisplayName and mdui:Description present3-role (SP-only)3eduGAIN SAML profile Section 3
14mdui:UIInfo with mdui:DisplayName found but mdui:Description not present
eduGAIN SAML profile Section 3mdui:UIInfo found but mdui:DisplayName not present
3-role (SP-only)3eduGAIN SAML profile Section 3
15mdui:UIInfo found but neither mdui:DisplayName nor mdui:Description present
eduGAIN SAML profile Section 3mdui:UIInfo found but no mdui:Logo element
3-role (SP-only)3eduGAIN SAML profile Section 3
this SP does not provide requested attribute specification
16Data Protection Code of Conduct declared but no mdui:PrivacyStatementURL found3-role4Violates the CoCo spec
CoCo declared

Data Protection Code of Conduct declared but md:RequestedAttribute element not found

3-role4Violates the CoCo spec
CoCo declared but


PrivacyStatementURL and md:RequestedAttribute elements not foundViolates the CoCo spec

Global warnings

Some SP does not provide requested attribute specification– chyba można pominąć, bo pojawiają się te warningi na poziomie role

md:EntitiesDescriptor element does not contain the ID attribute which should be used in signature’s ds:Reference  bez sensu bo przecież ID musi być z powodu reference w podpisie


Logo content size is larger than 40000 and smaller than 50000 characters

Decided by eduGAIN SG

mdui:Logo content size is 50000 or more characters

Decided by eduGAIN SG

R&S Category declared but the SP does not provide required mdui:DisplayName

3-role4R&S spec 4.3.3
21R&S Category declared but the SP does not provide required mdui:InformationURL3-role (SP only)4R&S spec 4.3.3

R&S Category declared but the SP does not provide the required Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST in md:AssertionConsumerService

3-role (SP only)4R&S spec 4.3.1

R&S Category declared but the SP does not provide any technical contact

2-entity4R&S spec 4.3.4

Some entities do not have an encryption certificate

Some SP entities do not have an encryption certificate



SP has a wrong signing certificate

3-role (SP-only)


SP has no encryption certificate

3-role (SP-only)