Entity category checks

Entity Category: https://refeds.org/category/code-of-conduct/v2 [CoCov2]

5.1 mdui Requirements

5.1.1. SPs MUST provide at least one mdui:PrivacyStatementURL value. The PrivacyStatementURL MUST resolve to a Privacy Notice which is available to browser users without requiring authentication of any kind.

CHECK:

  • assess that the metadata contains at least one mdui:PrivacyStatementURL with an xml:lang="en" value.
  • assess that an unauthenticated HTTP GET of the xml:lang="en" mdui:PrivacyStatementURL value, following redirects, ends in status code 200. A 200 that lands on a login page does not satisfy "without requiring authentication of any kind", so a final URL that differs from the declared one still deserves a manual look.

5.1.2 SPs MUST provide at least one mdui:DisplayName value.

CHECK:

  • assess that the metadata contains at least one mdui:DisplayName with an xml:lang="en" value and that it is not empty.

5.1.3 SPs MUST provide at least one mdui:Description value. It is RECOMMENDED that the length of the description is no longer than 140 characters.

CHECK:

  • assess that the metadata contains at least one mdui:Description with an xml:lang="en" value.
  • assess that the xml:lang="en" mdui:Description value is no longer than 140 characters:
    • issue a warning (not an error, since 5.1.3 only RECOMMENDS the limit) if it is more than 140 characters.

5.1.4 For all mdui elements, at least an English version of the element MUST be available, indicated by an xml:lang="en" attribute.

CHECK:

  • see above checks.

5.2 Attribute Requirements

5.2.1. If the SP is using the SAML Subject Identifier Attribute Profile for identifier attribute release, it MUST provide the subject-id:req entity attribute extension to indicate which one of the identifiers, pairwise-id or subject-id, is necessary.

CHECK:

  • assess that the entity attributes (mdattr:EntityAttributes under md:Extensions of the EntityDescriptor) contain a saml:Attribute element named as follows:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:profiles:subject-id:req">

with value:

          <saml:AttributeValue>pairwise-id</saml:AttributeValue>

or:

          <saml:AttributeValue>subject-id</saml:AttributeValue>

  • note that the Subject Identifier Attribute Profile also defines the values "any" and "none"; neither tells the IdP which identifier is necessary, so neither satisfies this check.


5.2.2. If the SP is requesting attributes other than the identifiers above, it MUST provide RequestedAttribute elements describing the attributes relevant for the SP. The RequestedAttribute elements MUST include the optional isRequired="true" to indicate that the attribute is necessary.

CHECK:

  • assess that, if md:RequestedAttribute elements are present (under md:AttributeConsumingService in the SPSSODescriptor), each of them carries the attribute isRequired="true".
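The checks of 5.1.1 to 5.2.2 above, implemented as an added example with the Python standard library; this is not code from the REFEDS page or from any REFEDS tool. The SAMPLE_SP metadata is constructed (the entityID, URLs, attribute names and contents are made up) and deliberately carries an over-long English Description and one RequestedAttribute without isRequired="true". The privacy-notice check is a plain unauthenticated GET that follows redirects and reports the final status; the demo stubs that fetch so the block runs offline.

```python
# Added example, not code from the REFEDS page: the CoCo v2 section 5.1/5.2 checks with the
# standard-library XML parser. SAMPLE_SP is constructed (made-up entityID, URLs and attributes)
# and deliberately contains one warning (long Description) and one error (isRequired missing).
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # how ElementTree spells xml:lang
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"
MAX_DESCRIPTION = 140  # 5.1.3 RECOMMENDS at most this many characters

SAMPLE_SP = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:profiles:subject-id:req">
      <saml:AttributeValue>pairwise-id</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
      <mdui:Description xml:lang="en">A constructed example service whose description is deliberately written to run past the recommended one hundred and forty character limit so that the checker emits a warning.</mdui:Description>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse(metadata_xml: str) -> ET.Element:
    return ET.fromstring(metadata_xml)

def _english(elements: List[ET.Element]) -> Optional[str]:
    """Whitespace-normalised text of the first non-empty element with xml:lang="en" (5.1.4)."""
    for el in elements:
        text = " ".join((el.text or "").split())
        if el.get(XML_LANG) == "en" and text:
            return text
    return None

def http_status(url: str, timeout: float = 10.0) -> int:
    """Default fetcher: unauthenticated GET, redirects followed, final HTTP status returned."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_mdui(root: ET.Element, fetch: Callable[[str], int] = http_status) -> List[str]:
    """5.1.1 to 5.1.3: PrivacyStatementURL answering 200, DisplayName, Description length."""
    uiinfo = root.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
    if uiinfo is None:
        return ["ERROR: no mdui:UIInfo in the SPSSODescriptor (5.1.1, 5.1.2 and 5.1.3 all fail)"]
    findings: List[str] = []
    if _english(uiinfo.findall("mdui:DisplayName", NS)) is None:
        findings.append('ERROR: 5.1.2 no non-empty mdui:DisplayName with xml:lang="en"')
    desc = _english(uiinfo.findall("mdui:Description", NS))
    if desc is None:
        findings.append('ERROR: 5.1.3 no mdui:Description with xml:lang="en"')
    elif len(desc) > MAX_DESCRIPTION:
        findings.append(f"WARN: 5.1.3 English mdui:Description is {len(desc)} characters (> {MAX_DESCRIPTION})")
    url = _english(uiinfo.findall("mdui:PrivacyStatementURL", NS))
    if url is None:
        findings.append('ERROR: 5.1.1 no mdui:PrivacyStatementURL with xml:lang="en"')
    elif (status := fetch(url)) != 200:
        findings.append(f"ERROR: 5.1.1 PrivacyStatementURL {url} answered HTTP {status}, expected 200")
    return findings

def check_subject_id_req(root: ET.Element) -> List[str]:
    """5.2.1: subject-id:req entity attribute present, with exactly pairwise-id or subject-id."""
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == SUBJECT_ID_REQ:
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            if values in (["pairwise-id"], ["subject-id"]):
                return []
            return [f"ERROR: 5.2.1 subject-id:req value(s) {values}, expected pairwise-id or subject-id"]
    return ["ERROR: 5.2.1 no subject-id:req entity attribute"]

def check_requested_attributes(root: ET.Element) -> List[str]:
    """5.2.2: every md:RequestedAttribute in an AttributeConsumingService has isRequired="true"."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return [f'ERROR: 5.2.2 RequestedAttribute {ra.get("FriendlyName") or ra.get("Name")} lacks isRequired="true"'
            for ra in root.findall(path, NS) if ra.get("isRequired") != "true"]

def run_checks(metadata_xml: str, fetch: Callable[[str], int] = http_status) -> List[str]:
    root = parse(metadata_xml)
    return check_mdui(root, fetch) + check_subject_id_req(root) + check_requested_attributes(root)

if __name__ == "__main__":
    # Offline demo: stub the fetcher so the made-up privacy URL "answers" 200.
    for finding in run_checks(SAMPLE_SP, fetch=lambda url: 200):
        print(finding)
```

Run against real metadata by passing the EntityDescriptor text to run_checks without the fetch stub; for an aggregate, iterate over its md:EntityDescriptor children and call the three check functions on each one.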

6. Deployment Guidance for Service Providers


SPs to be checked for compliance have the following EntityAttribute:

<EntityAttributes xmlns="urn:oasis:names:tc:SAML:metadata:attribute">
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="https://macedir.org/entity-category">
<AttributeValue>https://refeds.org/category/code-of-conduct/v2</AttributeValue>
</Attribute>
</EntityAttributes>


Additional checks

Sirtfi check

Source: REFEDS Data Protection Code of Conduct v2 best practice for Service Providers [CoCov2-SP-BP], https://refeds.org/wp-content/uploads/2022/05/REFEDS-CoCo-Best-Practicev2.pdf, section G:


G. Security Measures

The Service Provider Organisation warrants taking appropriate technical and organisational measures to safeguard Attributes against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. These measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

The Service Provider Organisation shall implement the security measures described in the Security Incident Response Trust Framework for Federated Identity (Sirtfi) and signal it to the Identity Provider.


CHECK 1:

  • assess that the metadata contains the Sirtfi EntityAttribute (assurance-certification) in one of the following forms:

OPTION 1 (both Sirtfi v1 and v2):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
  <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute>

OPTION 2 (Sirtfi v1 only):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute>

OPTION 3 (Sirtfi v2 only):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
</saml:Attribute>

CHECK 2:

  • assess that the metadata contains the Sirtfi security contact, i.e. an md:ContactPerson with contactType="other" carrying the REFEDS contact type extension (prefix remd bound to the namespace http://refeds.org/metadata) with the following value:

    <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>mailto:<EMAIL_ADDRESS></md:EmailAddress>
    </md:ContactPerson>

  • the md:EmailAddress value is a mailto: URI, as the SAML metadata schema requires; a bare address without the scheme should be flagged.
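The gate of section 6 (only SPs asserting the CoCo v2 entity category are checked) together with CHECK 1 and CHECK 2 above, as an added example in Python; it is not code from the REFEDS page or from any REFEDS tool. SAMPLE_SP is a constructed EntityDescriptor (its entityID, endpoint and security address are made up) asserting CoCo v2, both Sirtfi versions and a security contact, so every check passes; the demo assumes the remd prefix is bound to http://refeds.org/metadata, as the REFEDS metadata extension defines.

```python
# Added example, not code from the REFEDS page: the CoCo v2 entity-category gate and the two
# Sirtfi checks of this section, run with the standard-library XML parser over a constructed
# EntityDescriptor (entityID, endpoint and security address below are made up).
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "https://macedir.org/entity-category"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"
SIRTFI = {"https://refeds.org/sirtfi", "https://refeds.org/sirtfi2"}  # v1 and v2 URIs
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
REMD_CONTACT_TYPE = "{http://refeds.org/metadata}contactType"  # remd:contactType with prefix resolved

SAMPLE_SP = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:remd="http://refeds.org/metadata">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="https://macedir.org/entity-category">
      <saml:AttributeValue>https://refeds.org/category/code-of-conduct/v2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="other"
      remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

def parse(metadata_xml: str) -> ET.Element:
    return ET.fromstring(metadata_xml)

def entity_attributes(root: ET.Element) -> Dict[str, List[str]]:
    """Name -> values for every saml:Attribute under mdattr:EntityAttributes."""
    out: Dict[str, List[str]] = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name", ""), []).extend(values)
    return out

def claims_coco_v2(root: ET.Element) -> bool:
    """Section 6 gate: only entities asserting the CoCo v2 entity category are checked."""
    return COCO_V2 in entity_attributes(root).get(ENTITY_CATEGORY, [])

def sirtfi_versions(root: ET.Element) -> List[str]:
    """CHECK 1: Sirtfi URIs asserted via assurance-certification (v1, v2 or both)."""
    return sorted(v for v in entity_attributes(root).get(ASSURANCE_CERT, []) if v in SIRTFI)

def security_contacts(root: ET.Element) -> List[str]:
    """CHECK 2: EmailAddress values of ContactPerson elements tagged as REFEDS security contacts."""
    return [(addr.text or "").strip()
            for cp in root.findall("md:ContactPerson", NS)
            if cp.get("contactType") == "other" and cp.get(REMD_CONTACT_TYPE) == SECURITY_CONTACT
            for addr in cp.findall("md:EmailAddress", NS)]

def sirtfi_findings(root: ET.Element) -> List[str]:
    """Run the gate and both checks; an empty list means the entity passes."""
    if not claims_coco_v2(root):
        return ["INFO: entity does not assert CoCo v2, Sirtfi checks skipped"]
    findings: List[str] = []
    if not sirtfi_versions(root):
        findings.append("ERROR: CHECK 1 no Sirtfi value in the assurance-certification entity attribute")
    contacts = security_contacts(root)
    if not contacts:
        findings.append("ERROR: CHECK 2 no ContactPerson with remd:contactType security")
    findings += [f"WARN: CHECK 2 security contact '{c}' is not a mailto: URI"
                 for c in contacts if not c.startswith("mailto:")]
    return findings

if __name__ == "__main__":
    root = parse(SAMPLE_SP)
    print("CoCo v2:", claims_coco_v2(root), "| Sirtfi:", sirtfi_versions(root),
          "| security contacts:", security_contacts(root))
    print(sirtfi_findings(root) or "all Sirtfi checks passed")
```

Because the gate runs first, an entity without the CoCo v2 category produces only an INFO line rather than spurious Sirtfi errors, which is the behaviour wanted when the script is pointed at a whole federation aggregate.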



References

[CoCov2]

https://refeds.org/category/code-of-conduct/v2

[CoCov2-SP-BP]

https://refeds.org/wp-content/uploads/2022/05/REFEDS-CoCo-Best-Practicev2.pdf

[CoCov2-HomeOrg]

https://wiki.refeds.org/display/CODE/Good+practice+for+Home+organisations



