...

The terms defined below are a required extension of the terminology defined in [eduGAIN-Profile]. The reader should consult both dictionaries for a complete picture.

federation metadata feed: a SAML metadata file originating from a participant federation acting as a SAMLMetadataProducer
eduGAIN metadata aggregate: a SAML metadata file obtained as an aggregate of federation metadata feeds according to the procedures described in this document
federation metadata channel: a location (in the form of an http/https URL) pointing to the distribution source of the federation metadata feed

Source of metadata

MDS bases its aggregation function on information provided by each participant Federation as specified in [eduGAIN-Profile]:

...


Condition | Evaluated | Reason

A1 | the document root element is md:EntitiesDescriptor |
A2 | all required namespaces are declared, that is xmlns:md, xmlns:mdrpi, xmlns:ds |
A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher and creationInstant attributes exist | eduGAIN Profile
A4 | the creationInstant attribute uses the dateTime format required by SAMLMeta and does not point to the future | SAMLMeta sec. 2.2.1
A5 | the validUntil attribute of the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines: 348; 316
A6 | the validUntil attribute has a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant | eduGAIN-profile
A7 | the fetched document schema-validates against the following SAML metadata schemas: |


...


Condition | Evaluated | Reason

R1 | md:IDPSSODescriptor element must have a signing certificate (ds:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate) |
R2 | if an md:Extensions element with md:UIInfo exists:
  • mdui:Keywords, mdui:DisplayName, mdui:Description elements, if declared, must not be empty
  • mdui:Logo element, if declared, must have a value starting with one of: http://, https:// or data:image
  • mdui:PrivacyStatementURL element, if declared, must have a value starting with http:// or https://
R3 | if an md:Extensions element with md:DiscoHints exists:
  • mdui:IPHint, mdui:DomainHint, mdui:GeolocationHint elements, if declared, must not be empty
  • mdui:GeolocationHint element, if declared, must not be empty and must start with the geo: prefix


...

  • If the remaining validity period is below 96 and above 12 hours, an alert is raised once a day at 14:00 UTC,
  • If the remaining validity period is below 12 and above 6 hours, an alert is raised every second hour,
  • If the remaining validity period is below 6 hours, an alert is raised every hour.
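To make conditions A1 and A3-A6 and the alert cadence above concrete, here is an added Python example (not part of the MDS documentation or its code base) that evaluates them against a constructed sample feed. The element paths, the UTC "Z"-suffixed dateTime parsing and the exclusive threshold boundaries are assumptions; the A6 window uses the 120 h and 2304 h bounds stated in the table.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

# Constructed sample feed: creationInstant 2024-01-01, validUntil 10 days (240 h) later.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" validUntil="2024-01-11T12:00:00Z">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://feed.example.org" creationInstant="2024-01-01T12:00:00Z"/>
  </md:Extensions>
</md:EntitiesDescriptor>"""
# Same feed with validUntil 121 days (2904 h) after creation, beyond the 2304 h upper bound of A6.
SAMPLE_TOO_LONG = SAMPLE.replace('validUntil="2024-01-11', 'validUntil="2024-05-01')
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # fixed "current time" for the checks

def parse_instant(value):
    """UTC datetime for an xs:dateTime ending in 'Z' (fractional seconds dropped); None if absent or malformed."""
    try:
        if not value.endswith("Z"):
            return None
        return datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        return None

def check_aggregate(xml_text, now):
    """Evaluate conditions A1 and A3-A6 on one feed; returns {condition id: passed}."""
    root = ET.fromstring(xml_text)
    res = {"A1": root.tag == "{%s}EntitiesDescriptor" % NS["md"]}
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    res["A3"] = pub is not None and {"publisher", "creationInstant"} <= set(pub.attrib)
    created = parse_instant(pub.get("creationInstant")) if res["A3"] else None
    res["A4"] = created is not None and created <= now          # well-formed, not in the future
    valid_until = parse_instant(root.get("validUntil"))
    res["A5"] = valid_until is not None and valid_until > now   # present, parseable, not in the past
    # A6: validity window between 120 h and 2304 h after creationInstant (bounds from the table)
    res["A6"] = bool(created and valid_until) and \
        timedelta(hours=120) <= valid_until - created <= timedelta(hours=2304)
    return res

def alert_interval_hours(remaining_hours):
    """Hours between alerts for the remaining validity; boundaries treated as exclusive (assumption)."""
    for limit, every in ((6, 1), (12, 2), (96, 24)):  # 24 means once a day, at 14:00 UTC
        if remaining_hours < limit:
            return every
    return None  # more than 96 h left: no alert yet
```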

Detailed technical description

...