DRAFT, version 2020-04-22

This document specifies recommendations for upstream metadata produced by eduGAIN participants. Failure to comply with these recommendations will result in a warning produced by the eduGAIN metadata validator using the eduGAIN SAML profile v2.

The recommendations are organised as a set of rules which may be easily verified by the eduGAIN metadata validator.

The rules table below lists the currently implemented validator warnings; those marked red are actually specification errors and should be upgraded to validator errors (to be discussed within the eduGAIN SG).

The significance column is meant for possible future use, i.e. grouping problems so that the most important ones are solved first. The proposed significance range is from 1 (least significant) to 5 (most significant). If found useful, this classification should be subject to a future discussion in the eduGAIN SG.



| # | Condition | Level | Significance | Reason |
|---|-----------|-------|--------------|--------|
| | **Global warnings** | | | |
| 1 | Signing certificate expired | 1-global | 1 | Currently implemented as a validator warning. To be confirmed by the SG. |
| | **Warnings on entity level** | | | |
| 2 | md:EmailAddress in md:ContactPerson element should start with mailto: prefix | 2-entity | 4 | This violates line 495 of https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf and should be considered an error! |
| 3 | SIRTFI attribute present and security ContactPerson definition found, but attribute value of {http://refeds.org/metadata}contactType not equal to http://refeds.org/metadata/contactType/security | 2-entity | 2 | SIRTFI specification error |
| 4 | SIRTFI attribute present but no security md:ContactPerson definition found | 2-entity | 2 | SIRTFI specification error |
| 5 | shibmd:Scope with no regexp attribute | 2-entity | 5 | https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 recommendation |
| 6 | mdattr:EntityAttributes placed in md:Extensions element of SPSSODescriptor/IDPSSODescriptor; expected in md:Extensions element of md:EntityDescriptor | 2-entity | 1 | Since http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html does not define the appearance of this element in places other than the md:Extensions element of EntityDescriptor, the condition is most likely the result of a mistake. |
| 7 | mdrpi:RegistrationPolicy not found | 2-entity | 3 | eduGAIN SAML profile Section 3 |
| 8 | mdrpi:RegistrationInfo element defined more than once within a given md:Extensions element | 2-entity | | This violates http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html section 2.1 and therefore should be an error |
| 9 | mdattr:EntityAttributes element appears more than once within a given md:Extensions element | 2-entity | ?? | Violates http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html section 2.3, therefore should be an error. |
| | mdattr:EntityAttributes element contains duplicated saml:Attribute / saml:AttributeValue declaration | 2-entity | ?? | |
| 10 | mdattr:EntityAttributes element contains saml:AttributeValue with leading/trailing whitespace | 2-entity | 3 | |
| | **Warnings on entity's role level** | | | |
| 11 | mdui:UIInfo found but mdui:DisplayName and mdui:Description not present | 3-role | 3 | eduGAIN SAML profile Section 3 |
| 12 | mdui:UIInfo found but no mdui:Logo element | 3-role | 1 | eduGAIN SAML profile Section 3 |
| 13 | mdui:UIInfo found but mdui:DisplayName not present and mdui:Description present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 14 | mdui:UIInfo with mdui:DisplayName found but mdui:Description not present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 15 | mdui:UIInfo found but neither mdui:DisplayName nor mdui:Description present | 3-role (SP-only) | 3 | eduGAIN SAML profile Section 3 |
| 16 | mdui:GeolocationHint value does not conform to coordinates specification [RFC5870] (missing longitude) | 3-role | 3 | RFC5870 |
| 17 | Data Protection Code of Conduct declared but no mdui:PrivacyStatementURL found | 3-role | 4 | Violates the CoCo spec |
| 18 | Data Protection Code of Conduct declared but md:RequestedAttribute element not found | 3-role | 4 | Violates the CoCo spec |
| 19 | Data Protection Code of Conduct declared but neither mdui:PrivacyStatementURL nor md:RequestedAttribute elements found | | | Violates the CoCo spec |
| | mdui:Logo content size is larger than 40000 and smaller than 50000 characters | 3-role | | Decided by eduGAIN SG |
| 20 | mdui:Logo content size is 50000 or more characters | 3-role | | Decided by eduGAIN SG |
| 21 | R&S Category declared but the SP does not provide required mdui:DisplayName | 3-role | 4 | R&S spec 4.3.3 |
| 22 | R&S Category declared but the SP does not provide required mdui:InformationURL | 3-role (SP only) | 4 | R&S spec 4.3.3 |
| 23 | R&S Category declared but the SP does not provide the required Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST in md:AssertionConsumerService | 3-role (SP only) | 4 | R&S spec 4.3.1 |
| 24 | R&S Category declared but the SP does not provide any technical contact | 2-entity | 4 | R&S spec 4.3.4 |
| | Some SP does not provide requested attribute specification | 1-global | | Left from saml2int; should it be kept? Probably can be omitted, because these warnings appear at role level. |
| 25 | Some entities do not have an encryption certificate | 1-global | | |
| 26 | SP has a wrong signing certificate | 3-role (SP-only) | | |
| 27 | SP has no encryption certificate | 3-role (SP-only) | | |
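Most of the conditions above are simple structural tests on an md:EntityDescriptor. The script below is an added example, not the eduGAIN validator's own code: it implements rules 2, 3, 4, 6, 7, 8, 10, 17 and 23 with the Python standard library and runs them over a constructed SP entity that declares SIRTFI, CoCo and R&S but gets several details wrong. The SAML namespace URIs and the REFEDS contactType, SIRTFI, CoCo and R&S attribute names and values are the published ones; the entityID, registration authority, locations, addresses and the wrong contactType value are constructed placeholders.

```python
# Added example (not the eduGAIN validator's code): a checker for a subset of the
# warnings in the table above, applied to a constructed md:EntityDescriptor.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_CT = "{http://refeds.org/metadata}contactType"
SECURITY_CT = "http://refeds.org/metadata/contactType/security"
SIRTFI = ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "https://refeds.org/sirtfi")
COCO = ("http://macedir.org/entity-category", "http://www.geant.net/uri/dataprotection-code-of-conduct/v1")
RS = ("http://macedir.org/entity-category", "http://refeds.org/category/research-and-scholarship")
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def entity_attributes(ed):
    """Set of (Name, value) pairs declared in any mdattr:EntityAttributes of the entity."""
    pairs = set()
    for attr in ed.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        for val in attr.iterfind("saml:AttributeValue", NS):
            pairs.add((attr.get("Name"), (val.text or "").strip()))
    return pairs


def check_entity(ed):
    """Return a list of (rule number, message) warnings for one md:EntityDescriptor."""
    warnings = []
    attrs = entity_attributes(ed)

    # Rule 2: every md:EmailAddress must carry the mailto: prefix.
    for email in ed.iterfind("md:ContactPerson/md:EmailAddress", NS):
        if not (email.text or "").startswith("mailto:"):
            warnings.append((2, f"md:EmailAddress {email.text!r} lacks the mailto: prefix"))

    # Rules 3 and 4: a SIRTFI assertion requires a REFEDS security contact.
    if SIRTFI in attrs:
        ct_values = [c.get(REFEDS_CT) for c in ed.iterfind("md:ContactPerson", NS) if c.get(REFEDS_CT)]
        if not ct_values:
            warnings.append((4, "SIRTFI declared but no security md:ContactPerson found"))
        elif SECURITY_CT not in ct_values:
            warnings.append((3, f"SIRTFI declared but contactType is {ct_values}, not the security value"))

    # Rule 6: mdattr:EntityAttributes belongs in the EntityDescriptor's md:Extensions only.
    for role in ed.findall("md:SPSSODescriptor", NS) + ed.findall("md:IDPSSODescriptor", NS):
        if role.find("md:Extensions/mdattr:EntityAttributes", NS) is not None:
            warnings.append((6, "mdattr:EntityAttributes placed inside a role descriptor's md:Extensions"))

    # Rules 7 and 8: exactly one mdrpi:RegistrationInfo, and it must carry a RegistrationPolicy.
    ext = ed.find("md:Extensions", NS)
    reg_infos = ext.findall("mdrpi:RegistrationInfo", NS) if ext is not None else []
    if len(reg_infos) > 1:
        warnings.append((8, "mdrpi:RegistrationInfo defined more than once in md:Extensions"))
    if not any(ri.find("mdrpi:RegistrationPolicy", NS) is not None for ri in reg_infos):
        warnings.append((7, "mdrpi:RegistrationPolicy not found"))

    # Rule 10: padded attribute values defeat consumers that compare them exactly.
    for val in ed.iterfind(".//mdattr:EntityAttributes//saml:AttributeValue", NS):
        text = val.text or ""
        if text != text.strip():
            warnings.append((10, f"saml:AttributeValue {text!r} has leading/trailing whitespace"))

    # Rule 17: CoCo declared requires mdui:PrivacyStatementURL.
    if COCO in attrs and ed.find(".//mdui:UIInfo/mdui:PrivacyStatementURL", NS) is None:
        warnings.append((17, "CoCo declared but no mdui:PrivacyStatementURL found"))

    # Rule 23: an R&S SP must offer an HTTP-POST AssertionConsumerService.
    if RS in attrs:
        bindings = {a.get("Binding") for a in ed.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
        if HTTP_POST not in bindings:
            warnings.append((23, "R&S declared but no HTTP-POST md:AssertionConsumerService"))
    return warnings


def triggered_rules(xml_text):
    """Sorted rule numbers fired by one metadata document (parsed from a string)."""
    return sorted(rule for rule, _ in check_entity(ET.fromstring(xml_text)))


# Constructed sample: names, URLs and the wrong contactType value are placeholders.
SAMPLE_SP = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:remd="http://refeds.org/metadata">
  <md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://federation.example/"/>
    <mdrpi:RegistrationInfo registrationAuthority="https://federation.example/"/>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue> https://refeds.org/sirtfi </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo><mdui:DisplayName>Example SP</mdui:DisplayName></mdui:UIInfo></md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>admin@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="other" remd:contactType="http://example.org/contactType/placeholder-wrong-value">
    <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for rule, msg in check_entity(ET.fromstring(SAMPLE_SP)):
        print(f"rule {rule:>2}: {msg}")
```

Running the script lists seven warnings for the sample (rules 2, 3, 7, 8, 10, 17 and 23); fixing the unprefixed address, for instance, removes the rule 2 warning while the others stand. Attribute values are compared after stripping whitespace on purpose, so that rule 10 reports the padding without also hiding the SIRTFI, CoCo and R&S checks that depend on the same value.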