2018 eduGAIN SAML Profile Consultation

In order to assure metadata integrity and originality, each federation aggregate MUST be signed as specified in [Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0]. This signature made with the key matching the one supplied to the eduGAIN OT is the only element on which trust is based. In particular the eduGAIN aggregator does not use trust that might be derived from an https endpoint details.

Metadata signature verification is done against the public key alone. If the public key for the channel is supplied in the form of an X.509 certificate, other aspects of the certificate such as its expiry date do not form part of signature verification. This is in accordance with the SAML metadata interoperability profile. In particular an expired certificate will still be used for the verification purpose.

Replace: "The organisation with which the end users are affiliated."
with: "The organisation with which an end user is affiliated."

Typo: SAML Profil  -> SAML Profile

1. The aim of this profile seems to be to improve interop among entities in different federations by means of definng common practices by fed ops and edugain ops. Interop issues can sometimes result from different filtering policies implemented by different federations when they consume edugain metadata. Examples include federation-specific standards for end point scheme (HTTP vs HTTPS) and minimum key length (1024 vs 2048+). Is this profile the right place at which to define eduGain-wide standards for such things? If so, is this the right time to consider doing so in these two instances?

2. Members of federations are advised by their federations' operators to check the signature of their federation metadata to verify its authenticity and integrity. Does eduGain do likewise in the process of aggregating member federations' metadata for redistribution? If not, should it, and if it does not but should, is this profile the right place in which to address that requirement?

 line 111 change SHOULD to MUST

RegistrationInstant and mdrpi:RegistrationPolicy are only OPTIONAL within the RPI spec so current proposal is consistent. This is because old entities will not have this data.

md:OrganizationDisplayName   can be advanced to a MUST.

Chris/CAF: No additions specific to key rollover but a request for improved operational state information on the technical.edugain.org website
No specifics to key rollover but it would be useful to have a way to render a time difference for publishing time on the eduGAIN OT website. 
Many federations exhibit latency on republishing stemming from operational practices and offline signing techniques. It would be helpful to know in a dashboard fashion the following:

• Last update of mds.edugain.org
• And per federation last known update of eduGAIN data and time difference since MDS publishing.

This will go a long way in managing expectations of when to expect data to circulate beyond '24-48hrs'. I suggest a simple table view of flag and age difference from MDS so we may know how far we all drift from each other republishing data from the eduGAIN MDS 'creation date'. While this could exist in the 'twisty list' for each federation,  one visual dashboard page of observed latency would be more helpful in this regard.

regex scopes should be permitted and eduGAIN should ensure scopes do not collide when accepting aggregates from Members (see longer notes)

There are few legitimate uses of regexp scopes that even UKf accepts. IMO it's a SHOULD. One should have no worries about the entity being silently discarded somewhere if it violates a SHOULD.

Actually the Scope element is only a subset of the issue of using internet domain names in metadata.

Domain names are significant (in terms of security):

* entityIDs

* endpoint URLs

* scopes

I'd suggest to include a more generic section about using domain names in metadata, and include the special requirement of Scope's not being a regexp here.

Chris Phillips

Kristof Bajnok

They MAY exist and should be strongly encouraged with 'SHOULD'.  'MUST' would be very hard to do but having 'SHOULD' will keep parity to these features across multiple technologies like OIDC and moonshot. See below for more on this.

• Recommended attributes and mapping across the given attribute profiles
• Vocabulary
• Unique identifier practices
• Entity categories (or mapping within given technology profile to exhibit it)
• Consistent application of scope within the technology profiles
• Security characteristics such as position on logout

Remove requirement for the element md:OrganizationURL to have values in English (xml:lang="en"): Some Organisations simply do not have English language web sites and it's beyond our control to mandate one. (Though arguably that falls under the kind of exception allowed by "SHOULD".)

Remove requirement/recommendation (and the matching check in the eduGAIN validator) for the element mdui:Description for entities of role IDP. (1) Often nothing useful can be put there (values like "IDP of Organisation Foo" are semantically void) and (2) I don't know of any software that makes use of that element.

The profile pulls in MetaIOP in the section on "Metadata Production": "Whatever is specified as a MUST in the SAML V2.0 Metadata Interoperability Profile should also be considered as REQUIRED within this eduGAIN Metadata Profile." But that's a rather tall order, because MetaIOP also days (lines 271-273): "Any <md:RoleDescriptor> element (or any derived element or type) appearing in the metadata instance MUST conform to this profile's requirements." But certain implementations are simply incapable or satisfying MetaIOP, such as MS-ADFS in some version(s), e.g. wrt use of expired keys, or the issue with one key not being able to be part of two EntityDescriptors, etc. So by joining eduGAIN as a Metadata Producer all now MUST support MetaIOP (which is of course a good thing, as that's the basis for our trust model), but that would actually prevent MS-ADFS and other lesser implementations from participating. (I.e., they wouldn't be allowed into a federation's upstream feed.)

References should be sorted alphabetically. Glossary could be further trimmed (but sometimes expanded for brevity, e.g. define "Metadata" to mean SAML 2.0 Metadata and only use "Metadata" in the rest of the doc, should save dozens of instances of "SAML Metadata").

The paragraph on lines 236-239 re-stating what MetaIOP says anyway for any metadata consumer (so definitively also applicable to the MDS) needs some work (or be replaced with text from MetaIOP).

Some parts don't make any sense currently (references to SAML namespaces, but without prefixes) and if those can be removed a good part of the Glossary and/or References section can be removed, too, since the terms or references will be unused throughout the rest of the document.

Remove information on<mdrpi:PublicationPath>

Chris / Peter

Line 251: suggestion: alter ‘SAML Metadata set’ to ‘SAML Metadata export set’ 

All entity information provided to eduGAIN is considered public information

I was looking into the Metadata Interoperability Profile. While the document refers to 2.0, it seems that it is a not really published draft. I think we should stick to the community specification 1.0, which is not at all different from 2.0. I wanted to provide some minimal corrections to the relevant paragraph, but it's still on my todo.

I vaguely remember a discussion about dropping the requirement of providing Organization elements in English. I don't remember the outcome, nor I fully understand the sentence "<md:Organization> with values in English other values in the service's native languages for the elements where appropriate." I feel to miss a conjunction between "English" and "other values".

Instead of the sentence about validUntil, I'd recommend the following amended paragraph: "A validUntil attribute with a value not later than 2304 hours (28 days) after the creationInstant. Under normal operation conditions the validUntil attribute SHOULD refer to a time not earlier than 72 hours (3 days) after creationInstant." (5->3!)

Federations MUST republish the eduGAIN SAML Metadata as a signed SAML Metadata feed to its members

Federations MUST provide their members with trustworthy SAML Metadata about eduGAIN Entities, signed with their own signing key.

Add a table that includes the namespace prefixes as per: http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.html#1_1__Notation

line 121 - line 123
(clean v4)

"In order to assure SAML Metadata integrity, each federation aggregate MUST be signed as specified in Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 [SAMLMeta]."

line 123 - 126 (clean v4)

"This signature, made with a key matching the one supplied to the eduGAIN OT, is the only element on which trust for SAML Metadata exchange is based within eduGAIN. In particular, the eduGAIN aggregator does not use trust that might be derived from an https endpoint."

line 128 - 131
(clean v4)

"SAML Metadata signature verification is against the public key alone. Commonly the public key for the channel is supplied in the form of an X.509 certificate, however aspects of the certificate such as its expiry date do not form part of signature verification. In particular an expired certificate will still be used for verification purposes."

Change to: "the eduGAIN MDS conforms to the rules for Metadata Consumer and Metadata Producers as stated in MetaIOP."

Add a reference to MAPS.

Line 133:

"The SAML Metadata signature MUST meet the following requirements"