You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

List of things that we expect of SAML federations in eduGAIN.  I've left out the Attribute profile document for now as the plan is to scrap this and instead refer to processes for attribute release management (e.g. entity categories and more general recommendations) as a recommended best practice rather than giving a list of attributes.

WhatStatusCurrently described?Why?Validation Check

URL to your metadata and a signing certificate which enures that the metadata is genuine. Please send the URL to the Operations Team.

 

For signing its metadata metadata producer MUST use an RSA private key of at least 2048 bits.

mandatory

optional

Joining checklist


Metadata Profile

  
Provide a URL pointing to the main (English if exists) page of your Federation.mandatoryJoining checklist  
Provide a URL pointing to the English version of Metadata Registration practice statement for your federation. This document shall describe rules and procedures used for registering entities which get exposed to interfederation.mandatory urlJoining checklist / old constitution (now removed)  
The metadata root element MUST contain validUntil attribute with a value not later than 28 days after the signature timestamp. Metadata Profile  
The metadata root element SHOULD contain <mdrpi:PublicationInfo>.  it MUST contain publisher it SHOULD contain one of the attributes
creationInstant or publicationID.
 Metadata Profile  
If the metadata root element contains cacheDuration attribute, its value SHOULD be between one hour and six hours. The MDS takes it as an advice on how long to cache it. The MDS Aggregation Practice Statement [MAPS] will describe the details.
 Metadata Profile.  MAPS does not exist.  
Each <md:EntityDescriptor> element MUST contain <mdrpi:RegistrationInfo> it MUST contain registrationAuthority with a value that has been
registered with the eduGAIN OT it SHOULD contain registrationInstant <mdrpi:RegistrationPolicy>
    
Each <md:EntityDescriptor> element SHOULD contain <md:Organization> with values in English and as appropriate also values in the service's native languages for the elements <md:OrganizationName> <md:OrganizationDisplayName> <md:OrganizationURL> <md:ContactPerson> with contactType="technical" and/or contactType="support.   If present, <md:EmailAddress> SHOULD not be a personal address but a role address to get in contact with the entity's responsible persons.
    
If the <md:EntityDescriptor> contains one of these elements: <md:IDPSSODescriptor> <md:SPSSODescriptor> each one of them SHOULD
contain the elements:
<mdui:DisplayName> with a value in English and as appropriate also values in the languages supported by the service.
<mdui:Description> with a value in English and as appropriate also values in the languages supported by the service.
    
Whenever a Service Provider needs attributes it should list them as <md:RequestedAttribute> in the <md:AttributeConsumingService> of its <md:SPSSODescriptor> element to increase the chance that Identity Providers really release them.
    
If a metadata producer aggregates metadata from multiple sources, the <mdrpi:PublicationPath> element SHOULD be used where appropriate.
    
The only allowed SAML2.0 protocol profile to be used for Web Single Sign on in eduGAIN is saml2int optionalWebSSO profile.  Current issues with recommendations in SAML2int and old reference used in document.  
  • No labels