...

  • a federation metadata channel;

  • an RSA or EC public key with which the federation metadata feed document will be signed; this will normally be made available in the form of an X.509 certificate;

  • the registrationAuthority attribute value to be associated with the federation metadata feed.

...


ID | Condition evaluated | Reason

S1 | The signature exists and is valid | [eduGAIN-Profile] section 4

S2 | The signature can be validated with the public key configured for the federation metadata channel | [eduGAIN-Profile] section 4

S3 | The signature was made using an explicit ID reference, not an empty reference | [eduGAIN-Profile] section 4

S4 | The signature reference refers to the document element | [eduGAIN-Profile] section 4

S5 | The signature's digest algorithm is at least as strong as SHA-256, and does not use MD5 or SHA-1 | [eduGAIN-Profile] section 4

S6 | The signature's signature method is RSA with an associated digest at least as strong as SHA-256, and does not use MD5 or SHA-1 | [eduGAIN-Profile] section 4

S7 | The signature's transforms contain only these permissible values: enveloped signature; exclusive canonicalisation with or without comments | [eduGAIN-Profile] section 4
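The structural part of the signature policy (S3 to S7) can be checked before any cryptography is done, which is useful because a feed signed with a forbidden algorithm or with an empty reference should be rejected even when the signature value itself would verify. The following is an added example, not code from the eduGAIN wiki or from the Shibboleth Metadata Aggregator; it uses only the Python standard library and does not perform S1 and S2 (cryptographic verification needs an XML-DSig implementation such as xmlsec1, or the aggregator's own signature validation stage). The sample EntitiesDescriptor fragments and their ID value are constructed for the example.

```python
"""Policy checks S3-S7 on the ds:Signature of a SAML metadata aggregate.

Added example, not part of the eduGAIN page or the Shibboleth MDA. It does not
verify the signature cryptographically (S1/S2); it checks what is signed and how.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
XMLDSIG_MORE = "http://www.w3.org/2001/04/xmldsig-more#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# S5: digests at least as strong as SHA-256. MD5 and SHA-1 URIs are deliberately absent.
ALLOWED_DIGESTS = {XMLENC + "sha256", XMLDSIG_MORE + "sha384", XMLENC + "sha512"}
# S6: RSA signature methods whose associated digest is SHA-256 or stronger.
ALLOWED_SIGNATURE_METHODS = {XMLDSIG_MORE + "rsa-sha256", XMLDSIG_MORE + "rsa-sha384", XMLDSIG_MORE + "rsa-sha512"}
# S7: enveloped signature, exclusive C14N with or without comments, nothing else.
ALLOWED_TRANSFORMS = {XMLDSIG + "enveloped-signature", EXC_C14N, EXC_C14N + "WithComments"}


def check_signature_policy(xml_text):
    """Return the list of failed checks; an empty list means S3-S7 all pass."""
    root = ET.fromstring(xml_text)
    failures = []
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["S1: no ds:Signature element under the document root"]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        failures.append(f"S4: expected exactly one ds:Reference, found {len(refs)}")
    else:
        ref = refs[0]
        uri = ref.get("URI", "")
        # S3: an empty URI ("") signs the whole document implicitly; only "#<id>" is accepted.
        if not uri.startswith("#") or len(uri) < 2:
            failures.append(f"S3: reference URI {uri!r} is not an explicit ID reference")
        # S4: the ID referenced must be the document element's own ID attribute.
        elif uri[1:] != root.get("ID"):
            failures.append(f"S4: reference {uri!r} does not point at the document element")
        digest = ref.find("ds:DigestMethod", NS)
        alg = digest.get("Algorithm") if digest is not None else None
        if alg not in ALLOWED_DIGESTS:
            failures.append(f"S5: digest algorithm {alg!r} not permitted")
        for transform in ref.findall("ds:Transforms/ds:Transform", NS):
            if transform.get("Algorithm") not in ALLOWED_TRANSFORMS:
                failures.append(f"S7: transform {transform.get('Algorithm')!r} not permitted")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIGNATURE_METHODS:
        failures.append(f"S6: signature method {alg!r} not permitted")
    return failures


# Constructed sample: the ds:Signature skeleton of an aggregate (signature and digest values are dummies).
GOOD_SIGNATURE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_agg1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_agg1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</md:EntitiesDescriptor>"""

# Same skeleton with SHA-1 everywhere and an empty reference: fails S3, S5 and S6.
BAD_SIGNATURE = (
    GOOD_SIGNATURE
    .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    .replace('URI="#_agg1"', 'URI=""')
    .replace("http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2000/09/xmldsig#sha1")
)

if __name__ == "__main__":
    print("good:", check_signature_policy(GOOD_SIGNATURE))
    print("bad: ", check_signature_policy(BAD_SIGNATURE))
```

Run these checks on the raw document before handing it to the signature verifier, and reject the feed on any failure; a verifier that is first asked to validate an rsa-sha1 signature over an empty reference has already accepted the attacker's choice of algorithm and signed region.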


Verification of metadata validity

...


ID | Condition evaluated | Reason

A1 | the document root element is md:EntitiesDescriptor | [SAMLMeta] sec. 2.3

A2 | all required namespaces are declared, that is xmlns:md, xmlns:mdrpi, xmlns:ds, xmlns:mdui and xmlns:shibmd | [eduGAIN-Profile] sec. 1.3

A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher and creationInstant attributes exist | [eduGAIN-Profile] sec. 3

A4 | the creationInstant attribute uses the dateTime format required by [SAMLMeta] and does not point to the future | [SAMLMeta]; [MDRPI] sec. 2.2.1

A5 | the validUntil attribute of the md:EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | [SAML] lines 316, 348

A6 | the validUntil value is not earlier than 120 hours (5 days) and not later than 28 days after creationInstant (the upper bound is given here as 2304 hours, which is 96 days, not 28; the two figures disagree) | [eduGAIN-Profile] sec. 3

A7 | the fetched document schema-validates against the SAML metadata schemas | list of schemas from the Shibboleth Metadata Aggregator configuration


For each md:EntityDescriptor element the following verification is performed:


ID | Condition evaluated | Reason

E1 | the entityID attribute value contains no space characters, starts with http://, https:// or urn:, and is unique within the given feed | [SAMLMeta] (xs:anyURI); [SAML] sec. 1.3.2

E2 | an md:Extensions element with mdrpi:RegistrationInfo is defined and its registrationAuthority attribute matches the value registered with the eduGAIN OT for the given federation | [eduGAIN-Profile]

E3 | if any of md:GivenName, md:SurName, md:EmailAddress or md:TelephoneNumber is declared within an md:ContactPerson element, its value must not be empty | [SAMLMeta] (xs:string); [SAML] sec. 1.3.1

E4 | md:OrganizationDisplayName, md:OrganizationName and md:OrganizationURL elements are not empty | [SAMLMeta] sec. 2.3.2.1; [SAML] sec. 1.3.1 and 1.3.2; [eduGAIN-Profile] sec. 3

E5 | if an md:Organization element is declared with md:OrganizationDisplayName and/or md:OrganizationName and/or md:OrganizationURL elements, the values of these elements must not be empty | [SAMLMeta] (xs:anyURI, xs:string); [SAML] sec. 1.3.1 and 1.3.2
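The aggregate-level checks (A1, A3 to A6) and the per-entity checks (E1 to E5) are plain structural rules and can be expressed directly. The following is an added example, not code from the eduGAIN wiki or from the Shibboleth Metadata Aggregator; it uses only the Python standard library. Namespace-declaration checking (A2), schema validation (A7) and signature verification are left to the aggregator. The feed below, the federation name https://federation.example.org, the entityIDs and the fixed evaluation time are constructed for the example; the 28-day upper bound follows the "28 days" figure in A6 rather than the 2304-hour figure.

```python
"""Checks A1, A3-A6 and E1-E5 over a SAML metadata aggregate (standard library only).

Added example, not part of the eduGAIN page or the Shibboleth MDA.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
MIN_VALIDITY = timedelta(hours=120)  # A6 lower bound: 5 days after creationInstant
MAX_VALIDITY = timedelta(days=28)    # A6 upper bound: assumes the page's "28 days"
# Fixed "now" so the example is reproducible (constructed for the example).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_datetime(value):
    """xs:dateTime as SAML metadata requires it: UTC with a trailing 'Z'. None if malformed."""
    if value is None or not re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z", value):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _empty_children(parent, names):
    """Yield element names among `names` whose text is empty (E3, E4/E5)."""
    for name in names:
        for el in parent.findall(f"md:{name}", NS):
            if not (el.text or "").strip():
                yield name


def check_aggregate(xml_text, registration_authority, now=None):
    """Return the list of failed checks; an empty list means the feed passes."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    failures = []
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:            # A1
        return [f"A1: document root is {root.tag}, not md:EntitiesDescriptor"]
    created = None
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)      # A3
    if pub is None or pub.get("publisher") is None or pub.get("creationInstant") is None:
        failures.append("A3: mdrpi:PublicationInfo with publisher and creationInstant is missing")
    else:
        created = parse_datetime(pub.get("creationInstant"))        # A4
        if created is None or created > now:
            failures.append(f"A4: creationInstant {pub.get('creationInstant')!r} is malformed or in the future")
            created = None
    valid_until = parse_datetime(root.get("validUntil"))            # A5
    if valid_until is None or valid_until < now:
        failures.append(f"A5: validUntil {root.get('validUntil')!r} is missing, malformed or in the past")
    elif created is not None and not MIN_VALIDITY <= valid_until - created <= MAX_VALIDITY:
        failures.append(f"A6: validity window {valid_until - created} is outside 120 hours .. 28 days")
    seen = set()
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID", "")
        # E1: no whitespace, http(s):// or urn: scheme, unique within the feed.
        if re.search(r"\s", eid) or not eid.startswith(("http://", "https://", "urn:")):
            failures.append(f"E1: malformed entityID {eid!r}")
        if eid in seen:
            failures.append(f"E1: duplicate entityID {eid!r}")
        seen.add(eid)
        # E2: registrationAuthority must equal the value registered for this federation.
        reg = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None or reg.get("registrationAuthority") != registration_authority:
            failures.append(f"E2: {eid}: registrationAuthority missing or not {registration_authority!r}")
        for cp in ent.findall("md:ContactPerson", NS):              # E3
            for name in _empty_children(cp, ("GivenName", "SurName", "EmailAddress", "TelephoneNumber")):
                failures.append(f"E3: {eid}: empty md:{name}")
        org = ent.find("md:Organization", NS)                       # E4/E5
        if org is not None:
            for name in _empty_children(org, ("OrganizationName", "OrganizationDisplayName", "OrganizationURL")):
                failures.append(f"E4: {eid}: empty md:{name}")
    return failures


# Constructed sample feed: the first entity is clean, the second fails E1, E2 and E3.
SAMPLE_FEED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" ID="_agg1" validUntil="2024-03-20T00:00:00Z">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://federation.example.org" creationInstant="2024-03-09T00:00:00Z"/>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/></md:Extensions>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example University</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-admin@example.org</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/ shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://other-federation.example.net"/></md:Extensions>
    <md:ContactPerson contactType="support"><md:EmailAddress></md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for failure in check_aggregate(SAMPLE_FEED, "https://federation.example.org", now=NOW):
        print(failure)
```

The E2 check is the one that matters most for federation boundaries: an entity carrying another federation's registrationAuthority inside this federation's feed should never reach the eduGAIN aggregate, however well-formed the rest of its descriptor is.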


For each role descriptor element declared under md:EntityDescriptor the following verification is performed:

...

[SAMLMeta] https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

[MDRPI] http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html

[eduGAIN-Profile]

[eduGAIN-OPS]

...