Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • MUST support for OpenID Connect Core 1.0 [OIDC-Core]
  • MUST support retrieving the Identity Provider’s configuration based on the Issuer information using the OIDC-Discovery specification [OIDC-Discovery]
  • MUST support the relevant scopes and claims that the GÉANT AAI Service is making available  [GN-Attrs
  • MUST identify users using one of the User Identifier claims described in [GN-Attrs-UserID].
  • Grant access rights and authorise users based on the group and role information made available to the service from the GEANT AAI Service during the authentication of the user using the Group attribute: [GN-Attrs-Groups]
  • utilising the authorization grant type SHOULD use PKCE [RFC7636] in conjunction with the authorisation server in order to detect and prevent attempts to inject (replay) authorisation codes into the authorisation response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started. OpenID Connect relying parties MAY use the "nonce" parameter of the OpenID Connect authentication request as specified in [OIDC-Core] in conjunction with the corresponding ID Token claim for the same purpose.
  • SHALL NOT use the implicit grant and any other response type causing the authorization server to issue an access token in the authorization response.
  • MUST comply with one or more of the relevant security configurations described in [GN-OIDC-Client-Conf-Options]
  • MUST support requesting Claims about the End-User and the Authentication event using specific scope values as described in [OIDC-Core]. Claims which are not part of the standard set of claims defined in [OIDC-Core] SHOULD be requested following the mapping recommendations described in [GN-Attrs]
  • MUST provide one or more Redirection URI to which authentication responses from the GEANT AAI Service will be sent. The GEANT AAI Service utilises exact matching of the redirect URI specified in an authentication request against the Redirection URIs [OAuth2-BCP], with the matching performed as described in [RFC3986] (Simple String Comparison). Redirection URIs MUST use the schemata defined in Section 3.1.2.1 of the [OIDC-Core] specification.
  • MUST support the REFEDS Assurance Framework [RAF], if they require to evaluate user assurance levels
  • MUST support [REFEDS-MFA], if they require to signal the requirement for multi-factor authentication (MFA)

Example of the SP metadata (under work)

Code Block
languagexml
titleSP-metadata-example
linenumberstrue
<?xml version="1.0"?>

  <md:EntityDescriptor 
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sp01.devtest.eduteams.org/saml/default-sp">

  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for R&S SPs -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <!-- Required for Production SPs -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required for SPs supporting Sirtfi -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required to signal the requirement for the release of subject-id -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- Required: Change it for your SP -->
        <mdui:DisplayName xml:lang="en">eduTEAMS Test Service Provider (SP01)</mdui:DisplayName>
        <!-- Required: Change it for your SP -->
<mdui:Description         <mdui:Description xml:lang="en">eduTEAMS Service Provider used in development and test environments (SP01)</mdui:Description>
        <!-- Required for Production: Change it for your SP -->
        <mdui:PrivacyStatementURL xml:lang="en">https://wiki.geant.org/display/eduTEAMS/Privacy+Policy</mdui:PrivacyStatementURL>
        <!-- Required: Change it for your SP -->
        <mdui:Logo width="200" height="200">https://www.eduteams.org/img/logo.png</mdui:Logo>
        <mdui:Logo width="16" height="16">https://www.eduteams.org/img/logo_small.png</mdui:Logo>
        <!-- Optional: Change it for your SP -->
<mdui        <mdui:InformationURL xml:lang="en">https://www.eduteams.org</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>
    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Optional: Change it for your SP -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp01.devtest.eduteams.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <!-- Required -->
    <!-- 
    In the list below all the attributes are requested. If your SP 
    needs less attributes, the list has to be modified accordingly.
    Check the attributes supported by the AAI service you are using. 
    -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp01.devtest.eduteams.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">eduTEAMS Test Service Provider</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" FriendlyName="eduPersonUniqueId" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID" isRequired="true"/>

      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" FriendlyName="eduPersonOrcid" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13" FriendlyName="sshPublicKey" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>

  <!-- Required: Change it for your SP -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">GEANT</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">GEANT</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.geant.org</md:OrganizationURL>
  </md:Organization>
  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="administrative">
    <md:EmailAddress>mailto:admin@eduteams.org</md:EmailAddress>
  </md:ContactPerson>
  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:support@eduteams.org</md:EmailAddress>
  </md:ContactPerson>
  <!-- Required for SPs supporting Sirtfi: Change it for your SP -->
  <md:ContactPerson xmlns:remd="http://refeds.org/metadata" 
contactType="other" 
remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>eduTEAMS Service</md:GivenName>
    <md:EmailAddress>mailto:security@eduteams.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

...