SAML attribute requirements
The SAML SP has 2 endpoint profiles:
- SP_NOID requires affiliation attributes but NO persistent identifier
- SP_ID requires affiliation attributes and a persistent identifier
The following attributes are requested from the IdP for the SP_ID profile:

Attribute | Description | Required? |
---|---|---|
persistent SAML NameID | The SAML NameID. We request a persistent NameID (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`) | Required |
eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) | The same persistent identifier, presented as an attribute | Optional; used when the NameID that is released is not persistent |
eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) | The eduPersonPrincipalName (user@domain) | Optional; only needed if the IdP cannot provide eduPersonTargetedID, or if the NameID is not persistent |
eduPersonAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) | The person's affiliation with the home institution. Supported values: | Required |
schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9) | RFC 1035 domain string | Optional |

In short, SP_ID needs one persistent identifier from the IdP, taken in this order of preference: the persistent NameID, otherwise eduPersonTargetedID, otherwise eduPersonPrincipalName. eduPersonAffiliation is always required.
The following attributes are requested from the IdP for the SP_NOID profile:

Attribute | Description | Required? |
---|---|---|
transient SAML NameID | The SAML NameID. We request a transient NameID (`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`) | Required |
eduPersonAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) | The person's affiliation with the home institution. Supported values: | Required |
schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9) | RFC 1035 domain string | Optional |
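A check of one received subject against the two profiles, written as an added example using the attribute names from the tables above (this is not InAcademia's own SvS code). It assumes the assertion has already been signature-verified and flattened to a dict of attribute Name (OID URI) to list of string values, with eduPersonTargetedID reduced to the text of its inner NameID; the affiliation value set is not enforced because this page does not list it.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Attribute names (URI NameFormat) as published in the SP metadata on this page
EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
EDU_PERSON_TARGETED_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
EDU_PERSON_PRINCIPAL_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
SCHAC_HOME_ORGANIZATION = "urn:oid:1.3.6.1.4.1.25178.1.2.9"

NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass
class SamlSubject:
    """The parts of an already signature-verified assertion this check needs.
    `attributes` maps attribute Name (OID URI) to its list of string values;
    eduPersonTargetedID is assumed flattened to the text of its inner NameID."""
    nameid_format: str
    nameid_value: str
    attributes: dict[str, list[str]] = field(default_factory=dict)


@dataclass
class ProfileResult:
    ok: bool
    affiliations: list[str] = field(default_factory=list)
    home_org: Optional[str] = None
    identifier: Optional[str] = None          # only populated for SP_ID
    identifier_source: Optional[str] = None   # "NameID", "eduPersonTargetedID" or "eduPersonPrincipalName"
    error: Optional[str] = None


def single_value(attributes: dict[str, list[str]], name: str) -> Optional[str]:
    """Identifiers must be single-valued; two values is a misconfigured IdP, not a choice."""
    values = [v for v in attributes.get(name, []) if v]
    return values[0] if len(values) == 1 else None


def check_profile(subject: SamlSubject, profile: str) -> ProfileResult:
    """Apply the SP_NOID / SP_ID attribute policy to one received subject."""
    # eduPersonAffiliation is isRequired="true" in both metadata files. The page
    # does not list the supported values, so the value set is not enforced here.
    affiliations = [v for v in subject.attributes.get(EDU_PERSON_AFFILIATION, []) if v]
    if not affiliations:
        return ProfileResult(False, error="eduPersonAffiliation missing")
    home_org = single_value(subject.attributes, SCHAC_HOME_ORGANIZATION)

    if profile == "SP_NOID":
        # Transient NameID requested; whatever identifier the IdP sent is deliberately
        # not carried into the result, so it cannot be stored by mistake.
        return ProfileResult(True, affiliations, home_org)
    if profile != "SP_ID":
        return ProfileResult(False, error=f"unknown profile {profile!r}")

    # SP_ID: take the persistent NameID; fall back to eduPersonTargetedID, then to
    # eduPersonPrincipalName (user@domain), in the order the tables describe.
    if subject.nameid_format == NAMEID_PERSISTENT and subject.nameid_value:
        return ProfileResult(True, affiliations, home_org, subject.nameid_value, "NameID")
    eptid = single_value(subject.attributes, EDU_PERSON_TARGETED_ID)
    if eptid:
        return ProfileResult(True, affiliations, home_org, eptid, "eduPersonTargetedID")
    eppn = single_value(subject.attributes, EDU_PERSON_PRINCIPAL_NAME)
    if eppn and "@" in eppn:
        return ProfileResult(True, affiliations, home_org, eppn, "eduPersonPrincipalName")
    return ProfileResult(False, affiliations, home_org,
                         error="SP_ID needs a persistent NameID, eduPersonTargetedID "
                               "or eduPersonPrincipalName")


if __name__ == "__main__":
    # Constructed sample: an IdP that releases a transient NameID plus an ePPN
    sample = SamlSubject(NAMEID_TRANSIENT, "_7f3c9a", {
        EDU_PERSON_AFFILIATION: ["student", "member"],
        EDU_PERSON_PRINCIPAL_NAME: ["jdoe@example.edu"],
    })
    print(check_profile(sample, "SP_NOID"))
    print(check_profile(sample, "SP_ID"))
```

The same input passes SP_NOID and SP_ID here, but for different reasons: SP_NOID never looks at the identifier, while SP_ID accepts the ePPN only because neither a persistent NameID nor an eduPersonTargetedID was released.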
SAML2 SP metadata
Two points to keep in mind when reading the metadata of the TEST instance below. Both SP entities publish AuthnRequestsSigned="false" and WantAssertionsSigned="false", so the IdP is not obliged to sign the Assertion element; the SP must then verify the XML signature on the enclosing Response and reject any response in which neither the Response nor the Assertion carries a valid signature. The same self-signed certificate is published for both the signing and the encryption KeyDescriptor. An AssertionConsumerService with the HTTP-Redirect binding is also listed (index 1); the SAML 2.0 Web Browser SSO profile forbids an IdP from returning a Response over HTTP-Redirect, so conforming IdPs will only use the HTTP-POST endpoint (index 2).
SP_NOID requires affiliation attributes but NO persistent identifier
```xml
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://inacademia.org/metadata/t01-t-test.xml">
  <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:Extensions>
      <ns1:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://t01.t.inacademia.org/svs/disco" index="1"/>
      <ns2:UIInfo>
        <ns2:DisplayName xml:lang="en">InAcademia.org - TEST</ns2:DisplayName>
        <ns2:Description xml:lang="en">The InAcademia Simple validation Sevice allows for the easy validation of affiliation (Student, Faculty, Staff) of a user in Academia. This is a TEST instance </ns2:Description>
        <ns2:Keywords xml:lang="en">Affiliation Validation Eligibility</ns2:Keywords>
        <ns2:Logo height="60" width="120" xml:lang="en">https://inacademia.org/static/logo.png</ns2:Logo>
        <ns2:InformationURL xml:lang="en">https://inacademia.org/about</ns2:InformationURL>
        <ns2:PrivacyStatementURL xml:lang="en">https://inacademia.org/about/privacy</ns2:PrivacyStatementURL>
      </ns2:UIInfo>
    </ns0:Extensions>
    <ns0:KeyDescriptor use="encryption">
      <ns3:KeyInfo>
        <ns3:X509Data>
          <ns3:X509Certificate>
MIIEHTCCAwWgAwIBAgIJAN85rXmh2X8PMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD
VQQGEwJFVTETMBEGA1UECAwKU29tZS1TdGF0ZTEQMA4GA1UEBwwHVXRyZWNodDET
MBEGA1UECgwKSW5BY2FkZW1pYTEcMBoGA1UECwwTU2lnbmluZyBDZXJ0aWZpY2F0
ZTEXMBUGA1UEAwwOaW5hY2FkZW1pYS5vcmcxIjAgBgkqhkiG9w0BCQEWE3RlY2hA
aW5hY2FkZW1pYS5vcmcwHhcNMTQxMDMxMTExMTIzWhcNMjQxMDI4MTExMTIzWjCB
pDELMAkGA1UEBhMCRVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB1V0
cmVjaHQxEzARBgNVBAoMCkluQWNhZGVtaWExHDAaBgNVBAsME1NpZ25pbmcgQ2Vy
dGlmaWNhdGUxFzAVBgNVBAMMDmluYWNhZGVtaWEub3JnMSIwIAYJKoZIhvcNAQkB
FhN0ZWNoQGluYWNhZGVtaWEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAzGqetfNkkqINY4voyJoSBZ3zKzGcQzC7f9ei9EF2bcBk20YQY8ZTDLY6
BG7TPb0kZQbeFsOLAcup/XZ4+RQiS6WAKmqUQrn7bISn0ayWW3SBO7IBu6mi2Sg0
a+kDyEt/IUL4brUB1Ou5pL9ZYA1sNbfFc+k6PIbphlk4hnoZrdyMymlTXhv00p0S
EaqEBf3kz62yW7dZQNCwmGR6zZMTAEYz5Irrj/99776iqNfOR7upmoeWqD35HkvZ
GiJOzOxHdnabGvlBJrmLrjO4NcHIXcDCoBYfc8jfLprgll/D303f0dG2XhXSowzj
T2vQ4J4EM3Y98Q9s1aqqvzk7A46mIQIDAQABo1AwTjAdBgNVHQ4EFgQUJAE/7/YL
LSZ9qZjnQgiekxqHDwswHwYDVR0jBBgwFoAUJAE/7/YLLSZ9qZjnQgiekxqHDwsw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAV/1tjVGo9EF7rzPwZrTA
aeV/TRshMFlMNyAiElMpQmpkoL79AXP7biNqBJbG5CwpBPwai6PNFkRACKeZT8WT
JsrjNUG9BtKeUxPD45RHAGjZr5UpMe6vNZb12BaUYeCfxlzpOU/7kKK5QvYwFcVY
KL+9MK0bHP0UzkefyyeU+CajYMGJc9fZGWSz3w9vcPAREEVXLc+lmCXT2Y7YoMmX
ZCGGK52oyl1XLxxGngqCUjnNrWfch5JAvq6vF/ci5cIC77ukgZB9FExkC8INwtKC
GFBECWegI4MjC6cgpz+fU28cRQW9okJkE6/ssGfZDXc8k3z1x3NJYI50rbKfCc+y
NA==
          </ns3:X509Certificate>
        </ns3:X509Data>
      </ns3:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:KeyDescriptor use="signing">
      <ns3:KeyInfo>
        <ns3:X509Data>
          <ns3:X509Certificate>
MIIEHTCCAwWgAwIBAgIJAN85rXmh2X8PMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD
VQQGEwJFVTETMBEGA1UECAwKU29tZS1TdGF0ZTEQMA4GA1UEBwwHVXRyZWNodDET
MBEGA1UECgwKSW5BY2FkZW1pYTEcMBoGA1UECwwTU2lnbmluZyBDZXJ0aWZpY2F0
ZTEXMBUGA1UEAwwOaW5hY2FkZW1pYS5vcmcxIjAgBgkqhkiG9w0BCQEWE3RlY2hA
aW5hY2FkZW1pYS5vcmcwHhcNMTQxMDMxMTExMTIzWhcNMjQxMDI4MTExMTIzWjCB
pDELMAkGA1UEBhMCRVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB1V0
cmVjaHQxEzARBgNVBAoMCkluQWNhZGVtaWExHDAaBgNVBAsME1NpZ25pbmcgQ2Vy
dGlmaWNhdGUxFzAVBgNVBAMMDmluYWNhZGVtaWEub3JnMSIwIAYJKoZIhvcNAQkB
FhN0ZWNoQGluYWNhZGVtaWEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAzGqetfNkkqINY4voyJoSBZ3zKzGcQzC7f9ei9EF2bcBk20YQY8ZTDLY6
BG7TPb0kZQbeFsOLAcup/XZ4+RQiS6WAKmqUQrn7bISn0ayWW3SBO7IBu6mi2Sg0
a+kDyEt/IUL4brUB1Ou5pL9ZYA1sNbfFc+k6PIbphlk4hnoZrdyMymlTXhv00p0S
EaqEBf3kz62yW7dZQNCwmGR6zZMTAEYz5Irrj/99776iqNfOR7upmoeWqD35HkvZ
GiJOzOxHdnabGvlBJrmLrjO4NcHIXcDCoBYfc8jfLprgll/D303f0dG2XhXSowzj
T2vQ4J4EM3Y98Q9s1aqqvzk7A46mIQIDAQABo1AwTjAdBgNVHQ4EFgQUJAE/7/YL
LSZ9qZjnQgiekxqHDwswHwYDVR0jBBgwFoAUJAE/7/YLLSZ9qZjnQgiekxqHDwsw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAV/1tjVGo9EF7rzPwZrTA
aeV/TRshMFlMNyAiElMpQmpkoL79AXP7biNqBJbG5CwpBPwai6PNFkRACKeZT8WT
JsrjNUG9BtKeUxPD45RHAGjZr5UpMe6vNZb12BaUYeCfxlzpOU/7kKK5QvYwFcVY
KL+9MK0bHP0UzkefyyeU+CajYMGJc9fZGWSz3w9vcPAREEVXLc+lmCXT2Y7YoMmX
ZCGGK52oyl1XLxxGngqCUjnNrWfch5JAvq6vF/ci5cIC77ukgZB9FExkC8INwtKC
GFBECWegI4MjC6cgpz+fU28cRQW9okJkE6/ssGfZDXc8k3z1x3NJYI50rbKfCc+y
NA==
          </ns3:X509Certificate>
        </ns3:X509Data>
      </ns3:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns0:NameIDFormat>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://t01.t.inacademia.org/svs/acs/redirect" index="1"/>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://t01.t.inacademia.org/svs/acs/post" index="2"/>
    <ns0:AttributeConsumingService index="1">
      <ns0:ServiceName xml:lang="en">InAcademia.org - TEST</ns0:ServiceName>
      <ns0:ServiceDescription xml:lang="en">The InAcademia Simple validation Sevice allows for the easy validation of affiliation (Student, Faculty, Staff) of a user in Academia. This is a TEST instance </ns0:ServiceDescription>
      <ns0:RequestedAttribute FriendlyName="edupersonaffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <ns0:RequestedAttribute FriendlyName="schachomeorganization" Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </ns0:AttributeConsumingService>
  </ns0:SPSSODescriptor>
  <ns0:Organization>
    <ns0:OrganizationName xml:lang="en">InAcademia</ns0:OrganizationName>
    <ns0:OrganizationDisplayName xml:lang="en">InAcademia</ns0:OrganizationDisplayName>
    <ns0:OrganizationURL xml:lang="en">https://inacademia.org/about</ns0:OrganizationURL>
  </ns0:Organization>
  <ns0:ContactPerson contactType="support">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Enduser Support</ns0:SurName>
    <ns0:EmailAddress>help@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
  <ns0:ContactPerson contactType="technical">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Administrative Support</ns0:SurName>
    <ns0:EmailAddress>admin@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
  <ns0:ContactPerson contactType="technical">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Technical Support</ns0:SurName>
    <ns0:EmailAddress>tech@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
</ns0:EntityDescriptor>
```
Source: SAML2 Service provider
SP_ID requires affiliation attributes and a persistent identifier (it differs from SP_NOID only in the entityID, the persistent NameIDFormat, and the two extra optional RequestedAttribute entries for eduPersonTargetedID and eduPersonPrincipalName)
```xml
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://inacademia.org/metadata/t01-p-test.xml">
  <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:Extensions>
      <ns1:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://t01.t.inacademia.org/svs/disco" index="1"/>
      <ns2:UIInfo>
        <ns2:DisplayName xml:lang="en">InAcademia.org - TEST</ns2:DisplayName>
        <ns2:Description xml:lang="en">The InAcademia Simple validation Sevice allows for the easy validation of affiliation (Student, Faculty, Staff) of a user in Academia. This is a TEST instance </ns2:Description>
        <ns2:Keywords xml:lang="en">Affiliation Validation Eligibility</ns2:Keywords>
        <ns2:Logo height="60" width="120" xml:lang="en">https://inacademia.org/static/logo.png</ns2:Logo>
        <ns2:InformationURL xml:lang="en">https://inacademia.org/about</ns2:InformationURL>
        <ns2:PrivacyStatementURL xml:lang="en">https://inacademia.org/about/privacy</ns2:PrivacyStatementURL>
      </ns2:UIInfo>
    </ns0:Extensions>
    <ns0:KeyDescriptor use="encryption">
      <ns3:KeyInfo>
        <ns3:X509Data>
          <ns3:X509Certificate>
MIIEHTCCAwWgAwIBAgIJAN85rXmh2X8PMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD
VQQGEwJFVTETMBEGA1UECAwKU29tZS1TdGF0ZTEQMA4GA1UEBwwHVXRyZWNodDET
MBEGA1UECgwKSW5BY2FkZW1pYTEcMBoGA1UECwwTU2lnbmluZyBDZXJ0aWZpY2F0
ZTEXMBUGA1UEAwwOaW5hY2FkZW1pYS5vcmcxIjAgBgkqhkiG9w0BCQEWE3RlY2hA
aW5hY2FkZW1pYS5vcmcwHhcNMTQxMDMxMTExMTIzWhcNMjQxMDI4MTExMTIzWjCB
pDELMAkGA1UEBhMCRVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB1V0
cmVjaHQxEzARBgNVBAoMCkluQWNhZGVtaWExHDAaBgNVBAsME1NpZ25pbmcgQ2Vy
dGlmaWNhdGUxFzAVBgNVBAMMDmluYWNhZGVtaWEub3JnMSIwIAYJKoZIhvcNAQkB
FhN0ZWNoQGluYWNhZGVtaWEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAzGqetfNkkqINY4voyJoSBZ3zKzGcQzC7f9ei9EF2bcBk20YQY8ZTDLY6
BG7TPb0kZQbeFsOLAcup/XZ4+RQiS6WAKmqUQrn7bISn0ayWW3SBO7IBu6mi2Sg0
a+kDyEt/IUL4brUB1Ou5pL9ZYA1sNbfFc+k6PIbphlk4hnoZrdyMymlTXhv00p0S
EaqEBf3kz62yW7dZQNCwmGR6zZMTAEYz5Irrj/99776iqNfOR7upmoeWqD35HkvZ
GiJOzOxHdnabGvlBJrmLrjO4NcHIXcDCoBYfc8jfLprgll/D303f0dG2XhXSowzj
T2vQ4J4EM3Y98Q9s1aqqvzk7A46mIQIDAQABo1AwTjAdBgNVHQ4EFgQUJAE/7/YL
LSZ9qZjnQgiekxqHDwswHwYDVR0jBBgwFoAUJAE/7/YLLSZ9qZjnQgiekxqHDwsw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAV/1tjVGo9EF7rzPwZrTA
aeV/TRshMFlMNyAiElMpQmpkoL79AXP7biNqBJbG5CwpBPwai6PNFkRACKeZT8WT
JsrjNUG9BtKeUxPD45RHAGjZr5UpMe6vNZb12BaUYeCfxlzpOU/7kKK5QvYwFcVY
KL+9MK0bHP0UzkefyyeU+CajYMGJc9fZGWSz3w9vcPAREEVXLc+lmCXT2Y7YoMmX
ZCGGK52oyl1XLxxGngqCUjnNrWfch5JAvq6vF/ci5cIC77ukgZB9FExkC8INwtKC
GFBECWegI4MjC6cgpz+fU28cRQW9okJkE6/ssGfZDXc8k3z1x3NJYI50rbKfCc+y
NA==
          </ns3:X509Certificate>
        </ns3:X509Data>
      </ns3:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:KeyDescriptor use="signing">
      <ns3:KeyInfo>
        <ns3:X509Data>
          <ns3:X509Certificate>
MIIEHTCCAwWgAwIBAgIJAN85rXmh2X8PMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD
VQQGEwJFVTETMBEGA1UECAwKU29tZS1TdGF0ZTEQMA4GA1UEBwwHVXRyZWNodDET
MBEGA1UECgwKSW5BY2FkZW1pYTEcMBoGA1UECwwTU2lnbmluZyBDZXJ0aWZpY2F0
ZTEXMBUGA1UEAwwOaW5hY2FkZW1pYS5vcmcxIjAgBgkqhkiG9w0BCQEWE3RlY2hA
aW5hY2FkZW1pYS5vcmcwHhcNMTQxMDMxMTExMTIzWhcNMjQxMDI4MTExMTIzWjCB
pDELMAkGA1UEBhMCRVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB1V0
cmVjaHQxEzARBgNVBAoMCkluQWNhZGVtaWExHDAaBgNVBAsME1NpZ25pbmcgQ2Vy
dGlmaWNhdGUxFzAVBgNVBAMMDmluYWNhZGVtaWEub3JnMSIwIAYJKoZIhvcNAQkB
FhN0ZWNoQGluYWNhZGVtaWEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAzGqetfNkkqINY4voyJoSBZ3zKzGcQzC7f9ei9EF2bcBk20YQY8ZTDLY6
BG7TPb0kZQbeFsOLAcup/XZ4+RQiS6WAKmqUQrn7bISn0ayWW3SBO7IBu6mi2Sg0
a+kDyEt/IUL4brUB1Ou5pL9ZYA1sNbfFc+k6PIbphlk4hnoZrdyMymlTXhv00p0S
EaqEBf3kz62yW7dZQNCwmGR6zZMTAEYz5Irrj/99776iqNfOR7upmoeWqD35HkvZ
GiJOzOxHdnabGvlBJrmLrjO4NcHIXcDCoBYfc8jfLprgll/D303f0dG2XhXSowzj
T2vQ4J4EM3Y98Q9s1aqqvzk7A46mIQIDAQABo1AwTjAdBgNVHQ4EFgQUJAE/7/YL
LSZ9qZjnQgiekxqHDwswHwYDVR0jBBgwFoAUJAE/7/YLLSZ9qZjnQgiekxqHDwsw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAV/1tjVGo9EF7rzPwZrTA
aeV/TRshMFlMNyAiElMpQmpkoL79AXP7biNqBJbG5CwpBPwai6PNFkRACKeZT8WT
JsrjNUG9BtKeUxPD45RHAGjZr5UpMe6vNZb12BaUYeCfxlzpOU/7kKK5QvYwFcVY
KL+9MK0bHP0UzkefyyeU+CajYMGJc9fZGWSz3w9vcPAREEVXLc+lmCXT2Y7YoMmX
ZCGGK52oyl1XLxxGngqCUjnNrWfch5JAvq6vF/ci5cIC77ukgZB9FExkC8INwtKC
GFBECWegI4MjC6cgpz+fU28cRQW9okJkE6/ssGfZDXc8k3z1x3NJYI50rbKfCc+y
NA==
          </ns3:X509Certificate>
        </ns3:X509Data>
      </ns3:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</ns0:NameIDFormat>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://t01.t.inacademia.org/svs/acs/redirect" index="1"/>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://t01.t.inacademia.org/svs/acs/post" index="2"/>
    <ns0:AttributeConsumingService index="1">
      <ns0:ServiceName xml:lang="en">InAcademia.org - TEST</ns0:ServiceName>
      <ns0:ServiceDescription xml:lang="en">The InAcademia Simple validation Sevice allows for the easy validation of affiliation (Student, Faculty, Staff) of a user in Academia. This is a TEST instance </ns0:ServiceDescription>
      <ns0:RequestedAttribute FriendlyName="edupersonaffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <ns0:RequestedAttribute FriendlyName="schachomeorganization" Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
      <ns0:RequestedAttribute FriendlyName="edupersontargetedid" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
      <ns0:RequestedAttribute FriendlyName="edupersonprincipalname" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </ns0:AttributeConsumingService>
  </ns0:SPSSODescriptor>
  <ns0:Organization>
    <ns0:OrganizationName xml:lang="en">InAcademia</ns0:OrganizationName>
    <ns0:OrganizationDisplayName xml:lang="en">InAcademia</ns0:OrganizationDisplayName>
    <ns0:OrganizationURL xml:lang="en">https://inacademia.org/about</ns0:OrganizationURL>
  </ns0:Organization>
  <ns0:ContactPerson contactType="support">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Enduser Support</ns0:SurName>
    <ns0:EmailAddress>help@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
  <ns0:ContactPerson contactType="technical">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Administrative Support</ns0:SurName>
    <ns0:EmailAddress>admin@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
  <ns0:ContactPerson contactType="technical">
    <ns0:GivenName>InAcademia</ns0:GivenName>
    <ns0:SurName>Technical Support</ns0:SurName>
    <ns0:EmailAddress>tech@inacademia.org</ns0:EmailAddress>
  </ns0:ContactPerson>
</ns0:EntityDescriptor>
```
Source: SAML2 Service provider
=====================
Only deals with 'serialization' of transactions into the SAML SP domain
- Publish SP metadata for both SPs (can also be done manually)
- Publish metadata in eduGAIN via federation
- (for now) Always force AuthN (Is ForceAuthn required in the SAML spec? No: ForceAuthn is an optional boolean attribute of the SAML 2.0 AuthnRequest; when it is "true" the IdP must authenticate the user afresh instead of relying on an existing security context.)
- 2 SPs with different attribute policy
  - affiliation only
  - affiliation + identifier
- saml2int
- incoming attributes
  - eduPersonAffiliation (required)
  - Persistent NameID or ePTID or ePPN (any one of them; optional)
- Deliver a document to live up to the code of conduct
  - Admin contact
  - Technical contact
  - Support contact
- Dynamically handle incoming SAML metadata from eduGAIN
  - Trim down this info to e.g. entityID, ACS location, a hash of the certificate
  - Run that at (or near) the [admin] node, and push the well-known config out to the nodes
  - No need to deal with IdP key rollover (it is part of the metadata)
- Add a feature so the discovery service can return data for non-eduGAIN members and act accordingly (see [SvS Proxy] Discovery Service)
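The metadata trimming step from the list above, as an added example (this is not the SvS code): it reduces one eduGAIN EntityDescriptor to its entityID, its endpoints and SHA-256 fingerprints of the signing certificates, which is what a node needs to pick an endpoint and verify a Response. The sample IdP metadata and its certificate blob are constructed for the example and the blob is not a real certificate; the DTD refusal is deliberate, because federation metadata is untrusted input at the point it is parsed.

```python
"""Trim an eduGAIN EntityDescriptor to what a stateless SP node needs."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 over the DER bytes, so line breaks / spaces in the base64 don't matter."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def trim_entity(xml_text: str) -> dict:
    """Return {entity_id, role, endpoints, signing_cert_sha256} for one EntityDescriptor."""
    # Metadata is attacker-reachable input: refuse DTDs outright instead of relying
    # on the parser's entity-expansion defaults.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD / entity declarations are not accepted in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")

    role = root.find("md:IDPSSODescriptor", NS)
    endpoint_tag = "md:SingleSignOnService"
    if role is None:
        role = root.find("md:SPSSODescriptor", NS)
        endpoint_tag = "md:AssertionConsumerService"
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor")

    entity = {
        "entity_id": root.get("entityID"),
        "role": role.tag.split("}", 1)[1],
        "endpoints": [],
        "signing_cert_sha256": [],
    }
    for ep in role.findall(endpoint_tag, NS):
        location = ep.get("Location", "")
        entity["endpoints"].append({
            "binding": ep.get("Binding"),
            "location": location,
            "https": location.startswith("https://"),  # flagged so a node can refuse plain http
        })
    for kd in role.findall("md:KeyDescriptor", NS):
        # use="encryption" keys never verify a signature; a KeyDescriptor without `use` is both
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            entity["signing_cert_sha256"].append(cert_fingerprint(cert.text or ""))
    return entity


# Constructed sample input: a minimal IdP entity with a placeholder blob where the
# certificate would be (not a real DER certificate; only its hash is used here).
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
_wrapped = "\n".join(FAKE_CERT_B64[i:i + 32] for i in range(0, len(FAKE_CERT_B64), 32))
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_wrapped}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_wrapped}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(trim_entity(SAMPLE_IDP_METADATA))
```

Because the fingerprint is taken over the decoded DER rather than the base64 text, a re-wrapped or re-indented aggregate produces the same hash, so the trimmed config only changes when an IdP actually rolls its key.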
RelayState
It is a requirement to keep the nodes stateless. As such a request from an RP on node 1 could return on node 2. Since no state is shared between nodes via e.g. a shared DB or the like, the state must be transported as part of the transaction. For this we use the SAML RelayState, which is filled with a combination of state parameters that are then encrypted using a symmetric mechanism with keys known only to the nodes. The keys are cycled periodically, e.g. every 10 minutes, and only the current and 2 historic keys are accepted. This gives the user between 20 and 30 minutes to complete the authentication from the time the SP set up the request to the IdP: 30 minutes if the request was issued right after a key rotation, 20 if it was issued just before one.
- The RelayState will be a tuple of the relaystate and a combination of (RP clientid, nonce, state). The latter will be encrypted using a shared key that is pushed to the nodes by the [ADMIN] git (JWE).
- Keys on nodes will be cycled every 10 min.
- We only allow max 3 keys (so max 30 min.)
Two caveats for the implementation. First, every JWE content-encryption algorithm (the A128CBC-HS256 and AxxxGCM families) is authenticated encryption, so a node that only accepts tokens whose key id is in its ring also detects a RelayState that was altered or forged in transit; the key id must therefore be looked up strictly, with no fallback to "try every key". Second, the SAML 2.0 Bindings specification limits RelayState to 80 bytes; a JWE carrying clientid, nonce and state will exceed that, so IdPs or proxies that enforce the limit will break the flow, and this needs to be tested against the eduGAIN IdPs in scope.
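The RelayState scheme above, as an added example rather than the SvS code. HMAC-SHA256 stands in for the JWE of the design, so the token here is integrity-protected but not confidential, and the key ring is generated locally instead of being pushed from the [ADMIN] git; both are substitutions so the example runs stand-alone. What it shows is the part that matters for stateless nodes: a kid-addressed ring of the current plus 2 historic keys, eviction on rotation, constant-time tag comparison, the 20 to 30 minute acceptance window that falls out of those numbers, and a check against the 80-byte RelayState limit.

```python
"""Stateless RelayState carrier: rotating shared-key ring, current + 2 historic keys."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict

ROTATION_SECONDS = 600       # keys cycled every 10 min
MAX_KEYS = 3                 # current key plus 2 historic keys
RELAYSTATE_LIMIT_BYTES = 80  # SAML 2.0 Bindings: RelayState MUST NOT exceed 80 bytes


class KeyRing:
    """kid -> key, newest first. In the design above the [ADMIN] git pushes the ring to
    every node; here the keys are generated locally so the example runs stand-alone."""

    def __init__(self, now: float):
        self.keys: OrderedDict[str, bytes] = OrderedDict()
        self.last_rotation = now
        self.rotate(now, force=True)

    def rotate(self, now: float, force: bool = False) -> bool:
        if not force and now - self.last_rotation < ROTATION_SECONDS:
            return False
        kid = secrets.token_hex(4)             # public key id, carried in the token
        self.keys[kid] = secrets.token_bytes(32)
        self.keys.move_to_end(kid, last=False)
        while len(self.keys) > MAX_KEYS:       # evict the oldest: tokens sealed under it die
            self.keys.popitem(last=True)
        self.last_rotation = now
        return True

    def current(self) -> tuple[str, bytes]:
        kid = next(iter(self.keys))
        return kid, self.keys[kid]


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(ring: KeyRing, client_id: str, nonce: str, state: str) -> str:
    """kid.payload.tag -- HMAC-SHA256 stands in for the JWE of the design (integrity only)."""
    kid, key = ring.current()
    payload = b64e(json.dumps({"c": client_id, "n": nonce, "s": state},
                              separators=(",", ":")).encode())
    tag = b64e(hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest())
    return f"{kid}.{payload}.{tag}"


def unseal(ring: KeyRing, token: str) -> dict | None:
    """Recover (client_id, nonce, state) on whichever node the IdP response lands;
    None if the token is malformed, tampered with, or sealed under an evicted key."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    kid, payload, tag = parts
    key = ring.keys.get(kid)
    if key is None:
        return None                 # unknown kid: forged, or older than the 3-key window
    expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64d(tag)):
            return None
        data = json.loads(b64d(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or set(data) != {"c", "n", "s"}:
        return None
    return {"client_id": data["c"], "nonce": data["n"], "state": data["s"]}


def acceptance_window_seconds() -> tuple[int, int]:
    """Shortest and longest token lifetime: 20 to 30 min with 3 keys and 10-min rotation."""
    return (MAX_KEYS - 1) * ROTATION_SECONDS, MAX_KEYS * ROTATION_SECONDS


def fits_relaystate_limit(token: str) -> bool:
    return len(token.encode()) <= RELAYSTATE_LIMIT_BYTES


if __name__ == "__main__":
    ring = KeyRing(now=0)
    token = seal(ring, "rp-client-1", secrets.token_hex(8), "abcd1234")
    print(token, fits_relaystate_limit(token), unseal(ring, token))
```

Rotation is driven by an explicit clock argument rather than wall time so the eviction behaviour can be exercised deterministically; on a real node the same call would run from a timer, with the ring contents coming from the pushed configuration rather than from secrets.token_bytes.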