Versions Compared

Old Version 21

changes.mady.by.user Tomasz Wolniewicz

Saved on

compared with

New Version 30

changes.mady.by.user Tomasz Wolniewicz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This document specifies recommendations for upstream metadata produced by eduGAIN participants. Failure to comply with these recommendations will result in a warning produced by the eduGAIN metadata validator using the eduGAIN SAML profile v2.

The recommendations are organised as a set of rules which may be easily verified by the eduGAIN metadata validator.

The rules table below lists currently implemented validator warnings, those marked red are actually specification errors and should be upgraded to validator errors (to be discussed within the eduGAIN SG)


ConditionLevelSignificanceReason
Global warnings
1

Signing certificate expired

1-global1Currently implemented as a validator warning. To be confirmed by the SG.

Warnings on entity level

2md:EmailAddress in md:ContactPerson element should start with mailto: prefix2-entity4This violates line 495 of https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf and should be considered an error!
3

SIRTFI attribute present and security contact found but no http://refeds.org/metadata/contactType/security contactType

2-entity2SIRTFI specification error
4

SIRTFI attribute declared but no appropriate md:ContactPerson set

2-entity2SIRTFI specification error
5

shibmd:Scope with no regexp attribute

2-entity5https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 recommendation
6

mdattr:EntityAttributes placed in md:Extensions element of SPSSODescriptor/IDPSSODescriptor, expected in  md:Extensions element of EntityDescriptor

2-entity1Since http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html does not define appearance of this element in places other then md:Extensions element of EntityDescriptor it is most likely that the condition is a result of a mistake.
7

mdrpi:RegistrationPolicy not found

2-entity3eduGAIN SAML profile Section 3
8

mdrpi:RegistrationInfo element defined more than once within a given md:Extensions element

This violates http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html section 2.1 therefore should be an error9

mdattr:EntityAttributes element contains saml:AttributeValue with leading/trailing whitespaces

10

mdattr:EntityAttributes element appears more than once within a given md:Extensions element 

Violates http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html section 2.3, therefore should be an error.

Warnings on entity’s role level

2-entity3
9mdui:UIInfo found but mdui:DisplayName not present3-role3eduGAIN SAML profile Section 3
10mdui:UIInfo found but no mdui:Logo element3-role1eduGAIN SAML profile Section 3
11for SP:
11
mdui:UIInfo not found, no mdui:DisplayName and mdui:Description present3-role3eduGAIN SAML profile Section 3
12for SP: mdui:UIInfo with mdui:DisplayName found but mdui:Description not present
eduGAIN SAML profile Section
3-role
13mdui:UIInfo found but mdui:DisplayName not present
3eduGAIN SAML profile Section 3
14
13for SP: mdui:UIInfo found but neither mdui:DisplayName nor mdui:Description present
eduGAIN SAML profile Section
3
15
-role3
mdui:UIInfo found but no mdui:Logo element
eduGAIN SAML profile Section 3
16
14this SP does not provide requested attribute specification3-role1left from saml2int - should it be kept?
17
15Data Protection Code of Conduct declared but no mdui:PrivacyStatementURL found3-role4Violates the CoCo spec
18
16CoCo declared but md:RequestedAttribute element not found3-role4Violates the CoCo spec
19
17CoCo declared but mdui:PrivacyStatementURL and md:RequestedAttribute elements not found3-role4Violates the CoCo spec