

ID | Condition Evaluated | Reason
E1 | entityID attribute value has no space characters, starts with http://, https:// or urn: and must be unique within the given feed | [SAMLMeta], [SAML] 1.3.2
E2 | md:Extensions element with mdrpi:RegistrationInfo is defined and its registrationAuthority attribute matches the value registered with the eduGAIN OT for the given federation | [eduGAIN-Profile] sec. 3
E3 | if within the md:ContactPerson element any of the following elements is declared: GivenName, SurName, EmailAddress, TelephoneNumber, its value must not be empty | [SAMLMeta], [SAML] 1.3.1
E4 | md:OrganizationDisplayName, md:OrganizationName, md:OrganizationURL elements are not empty | [SAMLMeta] 2.3.2.1, [SAML] 1.3.1 and 1.3.2, [eduGAIN-Profile] sec. 3
E5 | if the md:Organization element is declared with md:OrganizationDisplayName and/or md:OrganizationName and/or md:OrganizationURL elements then the values of these elements must not be empty | [SAMLMeta], [SAML] 1.3.2, [SAML] 1.3.1
E6 | md:ContactPerson exists with technical or support contactType | [eduGAIN-Profile] sec. 3


For each role descriptor element declared under md:EntityDescriptor the following verification is performed:


ID | Condition Evaluated | Reason
R1 | md:IDPSSODescriptor element must have a signing certificate (md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate) |
R2 | if an md:Extensions element with mdui:UIInfo exists: mdui:Keywords, mdui:DisplayName, mdui:Description elements, if declared, must not be empty; the mdui:Logo element, if declared, must have a value starting with one of http://, https:// or data:image; the mdui:PrivacyStatementURL element, if declared, must have a value starting with http:// or https:// | [MDUI] sec. 2.1, [SAML] sec. 1.3.1, [SAML] sec. 1.3.2
R3 | if an md:Extensions element with mdui:DiscoHints exists: mdui:IPHint, mdui:DomainHint, mdui:GeolocationHint elements, if declared, must not be empty; the mdui:GeolocationHint element, if declared, must not be empty and must start with the geo: prefix | [MDUI] sec. 2.2, [SAML] sec. 1.3.1, [SAML] 1.3.2, RFC 5870 (for geo:)
R4 | mdui:Logo contains width and height attributes |
R5 | md:ServiceName element within md:AttributeConsumingService is not empty | [SAMLMeta] 2.4.4.1, [SAML] 1.3.1
R6 | md:AssertionConsumerService element Binding attribute does not contain urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
R7 | md:DiscoveryResponse element Binding attribute does not contain urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | [IdPDisco] sec. 2.5
R8 | indexes in md:DiscoveryResponse, md:AssertionConsumerService, md:AttributeConsumingService are unique | [SAMLMeta] sec. 2.2.3
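The two tables above are easiest to understand as code. The following is an added example, not the eduGAIN validator or any code from the original page: a small stdlib-only checker that walks an md:EntitiesDescriptor and reports violations of the entity-level conditions E1, E2, E3, E5 and E6 and of the role-level conditions R1, R2, R6 and R8. The namespace URIs are the standard SAML ones; the registration authority value, the sample aggregate, and the certificate placeholder are constructed for the example, and treating an md:KeyDescriptor without a use attribute as usable for signing is an assumption noted in the code. It performs no schema or signature validation of the aggregate, so it complements rather than replaces those steps.

```python
# Added example: checks a SAML metadata aggregate against a subset of the
# entity-level (E1, E2, E3, E5, E6) and role-level (R1, R2, R6, R8) conditions.
# Namespace URIs are the standard ones; the registration authority value and
# the sample aggregate below are constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _text(el):
    return (el.text or "").strip()

def check_entity(ed, registration_authority):
    """E1 (format), E2, E3, E5, E6 for one md:EntityDescriptor; returns a list of findings."""
    findings = []
    entity_id = ed.get("entityID", "")
    if " " in entity_id or not entity_id.startswith(("http://", "https://", "urn:")):
        findings.append("E1: malformed entityID %r" % entity_id)
    reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None or reg.get("registrationAuthority") != registration_authority:
        findings.append("E2: RegistrationInfo missing or registrationAuthority mismatch")
    contact_types = set()
    for cp in ed.findall("md:ContactPerson", NS):
        contact_types.add(cp.get("contactType"))
        for name in ("GivenName", "SurName", "EmailAddress", "TelephoneNumber"):
            for el in cp.findall("md:" + name, NS):
                if not _text(el):
                    findings.append("E3: empty md:%s in md:ContactPerson" % name)
    if not contact_types & {"technical", "support"}:
        findings.append("E6: no technical or support md:ContactPerson")
    for name in ("OrganizationName", "OrganizationDisplayName", "OrganizationURL"):
        for el in ed.findall("md:Organization/md:" + name, NS):
            if not _text(el):
                findings.append("E5: empty md:%s" % name)
    return findings

def check_roles(ed):
    """R1, R2, R6, R8 for every IdP or SP role descriptor under the entity."""
    findings = []
    for role in ed.findall("md:IDPSSODescriptor", NS) + ed.findall("md:SPSSODescriptor", NS):
        if role.tag.endswith("IDPSSODescriptor"):
            # Assumption: a md:KeyDescriptor without a use attribute may be used for signing.
            certs = [kd for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
                     and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
            if not certs:
                findings.append("R1: md:IDPSSODescriptor has no signing certificate")
        for el in role.findall("md:Extensions/mdui:UIInfo/*", NS):
            name, value = el.tag.split("}")[1], _text(el)
            if name in ("Keywords", "DisplayName", "Description") and not value:
                findings.append("R2: empty mdui:%s" % name)
            elif name == "Logo" and not value.startswith(("http://", "https://", "data:image")):
                findings.append("R2: mdui:Logo %r has no http://, https:// or data:image prefix" % value)
            elif name == "PrivacyStatementURL" and not value.startswith(("http://", "https://")):
                findings.append("R2: mdui:PrivacyStatementURL %r is not an http(s) URL" % value)
        seen = set()  # R8: index values must be unique within the role
        for acs in role.findall("md:AssertionConsumerService", NS):
            if acs.get("Binding") == HTTP_REDIRECT:
                findings.append("R6: md:AssertionConsumerService uses HTTP-Redirect")
            if acs.get("index") in seen:
                findings.append("R8: duplicate md:AssertionConsumerService index %s" % acs.get("index"))
            seen.add(acs.get("index"))
    return findings

def validate_aggregate(xml_text, registration_authority):
    """Parse an md:EntitiesDescriptor and return {entityID: findings}; E1 uniqueness is feed-wide."""
    root = ET.fromstring(xml_text)
    report, seen_ids = {}, set()
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ed.get("entityID", "")
        findings = check_entity(ed, registration_authority) + check_roles(ed)
        if eid in seen_ids:
            findings.append("E1: duplicate entityID within feed")
        seen_ids.add(eid)
        report.setdefault(eid, []).extend(findings)
    return report

# Constructed sample: a clean IdP and an SP that violates several conditions.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example/"/></md:Extensions>
  <md:IDPSSODescriptor><md:Extensions><mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName>
    <mdui:Logo width="16" height="16">https://idp.example.org/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">Example</md:OrganizationName>
   <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
   <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL></md:Organization>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp@example.org</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth sp">
  <md:SPSSODescriptor><md:Extensions><mdui:UIInfo><mdui:Description xml:lang="en"></mdui:Description>
    <mdui:Logo width="16" height="16">ftp://sp.example.org/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs"/>
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.org/acs"/>
  </md:SPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en"> </md:OrganizationName></md:Organization>
  <md:ContactPerson contactType="administrative"><md:EmailAddress/></md:ContactPerson>
 </md:EntityDescriptor></md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for eid, findings in validate_aggregate(SAMPLE_AGGREGATE, "https://federation.example/").items():
        print(eid, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run as a script it prints a per-entity report; the clean IdP produces no findings, while the constructed SP trips E1 (space in entityID), E2, E3, E6, E5, R2 twice, R6 and R8. Each finding string starts with its condition ID so that a feed operator can map it straight back to the table rows.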


Resulting eduGAIN metadata aggregate


This document borrows heavily from Ian Young's https://gist.github.com/iay/7486653

References

[SAML] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[SAMLMeta] https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

[MDRPI] http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html

[MDUI] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.html

[IdPDisco] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf

[eduGAIN-Profile]

[eduGAIN-OPS]