...
| # | condition evaluated | severity | reason |
|---|---|---|---|
| 1 | EntitiesDescriptor element SHOULD contain the ID attribute used in the signature's ds:Reference | Warning | see [1] |
| 2 | validUntil attribute in EntitiesDescriptor element cannot be converted to a time value | Error | SAMLv2; line 348 |
| 3 | no validUntil attribute in EntitiesDescriptor element | Error | eduGAIN Policy |
| 4 | validUntil attribute in EntitiesDescriptor element has a time value in the past | Error | SAMLv2; line 316 |
| 5 | validUntil attribute in EntitiesDescriptor element has a value later than 28 days from now | Error | eduGAIN Policy |
| 6 | cacheDuration attribute in EntitiesDescriptor element has a value not between 1 and 6 hours | Warning | eduGAIN Policy |
| 7 | cacheDuration attribute in EntitiesDescriptor element does not contain a valid period | Warning | eduGAIN Policy |
| 8 | EntitiesDescriptor does not contain PublicationInfo | Warning | eduGAIN Policy |
| 9 | EntitiesDescriptor contains PublicationInfo with a publisher value but neither creationInstant nor publicationId is given | Warning | eduGAIN Policy |
| 10 | EntitiesDescriptor contains PublicationInfo but no publisher value is given | Error | eduGAIN Policy |
| 11 | creationInstant attribute in PublicationInfo element has a time value in the future | Warning | common sense |
| 12 | EntityDescriptor does not contain an entityID attribute | Error | SAMLv2; line 371 |
| 13 | entityID attribute value contains spaces | Error | SAMLv2; line 1368 (unverified) |
| 14 | entityID attribute value does not start with one of the following values: http://, https://, urn: | Error | |
| 15 | EntityDescriptor does not contain an mdrpi:RegistrationInfo element | Error | eduGAIN Policy |
| 16 | No Organization element | Warning | eduGAIN Policy |
| 17 | Some IdP entities do not have any signing certificate, or a signing key is wrong | Error | |
| 18 | Some SP entities do not have any signing certificate | Warning | |
| 19 | Some SP entities have a wrong certificate | Warning | |
| 20 | "Weak" certificate | Warning | |
| 21 | IDPSSODescriptor/SPSSODescriptor has no mdui:UIInfo with DisplayName and Description | Warning | eduGAIN Policy |
| 22 | IDPSSODescriptor/SPSSODescriptor has mdui:UIInfo but DisplayName or Description is missing | Warning | eduGAIN Policy |
| 23 | SPSSODescriptor has no md:RequestedAttribute and the R&S category is not declared | Warning | eduGAIN Policy |
| 24 | Empty element found while checking: OrganizationName, OrganizationDisplayName, OrganizationURL, GivenName, SurName, EmailAddress, TelephoneNumber, IPHint, Domain, GeolocationHint | Warning | |
| 25 | GeolocationHint does not start with geo: | Warning | |
| 26 | Scope element declared but regexp attribute missing | Warning | |
| 27 | CoCo declared for SP but RequestedAttribute element not found and/or PolicyStatementURL missing | Warning | CoCo |
Explanations
- [1] This topic has been discussed on the fog list in the thread "The joy of signing metadata". According to SAMLv2 sec 3.1.2, a reference to the signed element is REQUIRED, and this reference needs to be passed through an explicit identifier attribute value (the ID attribute of the EntitiesDescriptor, referenced as URI="#id"). In particular, the approach permitted by XML DSIG of a reference in the form URI="" (pointing at the whole document rather than at an identified element) is not allowed within SAML. The warning given by the validator will be turned into an error once all eduGAIN federations are fixed.
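The following is an added example, not the eduGAIN validator's own code: a plain-Python (standard library only) reimplementation of checks 1 to 16 from the table above, run over a constructed sample aggregate that deliberately carries several of the defects. The sample, the `_aggregate1` ID, the example.org entities and the fixed "now" are all assumptions for the example. Two simplifications are labelled in the code: xsd:duration values with year or month components are reported as "not a valid period", and the certificate, mdui and entity-category checks (17 to 27) are not implemented.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
RPI = "urn:oasis:names:tc:SAML:metadata:rpi"
NS = {"md": MD, "ds": DS, "mdrpi": RPI}

MAX_VALIDITY = timedelta(days=28)                               # check 5 (eduGAIN Policy)
CACHE_MIN, CACHE_MAX = timedelta(hours=1), timedelta(hours=6)   # check 6 (eduGAIN Policy)
# Day/time-only xsd:duration, e.g. PT6H or P1DT2H30M.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)          # assumed clock for the demo

# Constructed sample aggregate (not real eduGAIN metadata). Defects planted on purpose:
# ds:Reference URI="", validUntil 40 days out, cacheDuration 12h, and a second entity
# with a bad entityID, no RegistrationInfo and no Organization.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" xmlns:mdrpi="{RPI}"
    ID="_aggregate1" validUntil="2024-02-10T00:00:00Z" cacheDuration="PT12H">
  <ds:Signature><ds:SignedInfo><ds:Reference URI=""/></ds:SignedInfo></ds:Signature>
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://feed.example.org" creationInstant="2023-12-31T12:00:00Z"/>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization><md:OrganizationName xml:lang="en">Example Org</md:OrganizationName></md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="ftp://sp.example.org/my sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_instant(value):
    """xsd:dateTime -> timezone-aware datetime, or None if it does not convert (check 2)."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_duration(value):
    """xsd:duration -> timedelta, or None. Simplification: year/month components are
    rejected because they have no fixed length, so P1Y is reported as invalid here."""
    m = DURATION_RE.match(value or "")
    if not m or value in ("P", "PT"):
        return None
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate(xml_text, now=None):
    """Run checks 1-16 over one aggregate; return [(check_no, severity, message), ...]."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []

    def err(n, msg): findings.append((n, "Error", msg))
    def warn(n, msg): findings.append((n, "Warning", msg))

    # 1: the ds:Reference must point at the aggregate via its ID attribute, not URI="".
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    agg_id = root.get("ID")
    if ref is not None and (not agg_id or ref.get("URI") != f"#{agg_id}"):
        warn(1, "ds:Reference does not use the EntitiesDescriptor ID attribute")

    # 2-5: validUntil must exist, parse, lie in the future and at most 28 days out.
    vu = root.get("validUntil")
    if vu is None:
        err(3, "no validUntil attribute in EntitiesDescriptor")
    elif (until := parse_instant(vu)) is None:
        err(2, f"validUntil {vu!r} cannot be converted to a time value")
    elif until < now:
        err(4, "validUntil is in the past")
    elif until - now > MAX_VALIDITY:
        err(5, "validUntil is more than 28 days in the future")

    # 6-7: cacheDuration, when present, must be a valid period between 1 and 6 hours.
    cd = root.get("cacheDuration")
    if cd is not None:
        period = parse_duration(cd)
        if period is None:
            warn(7, f"cacheDuration {cd!r} is not a valid period")
        elif not CACHE_MIN <= period <= CACHE_MAX:
            warn(6, f"cacheDuration {cd} is not between 1 and 6 hours")

    # 8-11: PublicationInfo (mdrpi); publicationId is the attribute name in the rpi spec.
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None:
        warn(8, "EntitiesDescriptor has no PublicationInfo")
    elif not pub.get("publisher"):
        err(10, "PublicationInfo has no publisher value")
    elif not (pub.get("creationInstant") or pub.get("publicationId")):
        warn(9, "PublicationInfo has neither creationInstant nor publicationId")
    if pub is not None and pub.get("creationInstant"):
        created = parse_instant(pub.get("creationInstant"))
        if created is not None and created > now:
            warn(11, "creationInstant is in the future")

    # 12-16: per-entity checks.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ed.get("entityID")
        if eid is None:
            err(12, "EntityDescriptor has no entityID attribute")
            continue
        if " " in eid:
            err(13, f"entityID {eid!r} contains spaces")
        if not eid.startswith(("http://", "https://", "urn:")):
            err(14, f"entityID {eid!r} does not start with http://, https:// or urn:")
        if ed.find("md:Extensions/mdrpi:RegistrationInfo", NS) is None:
            err(15, f"{eid}: no mdrpi:RegistrationInfo element")
        if ed.find("md:Organization", NS) is None:
            warn(16, f"{eid}: no Organization element")
    return findings


def demo():
    """Validate the constructed sample against the fixed clock."""
    return validate(SAMPLE, now=FIXED_NOW)


if __name__ == "__main__":
    for number, severity, message in demo():
        print(f"[{severity}] check {number}: {message}")
```

Running the block prints one line per finding; on the sample it reports checks 1, 5, 6, 13, 14, 15 and 16. The ID/ds:Reference check (1) is the one discussed in [1]: it only inspects the reference, it does not verify the signature, so it belongs before (not instead of) the usual XML-DSIG verification of the aggregate.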
...
References
- SAMLv2: https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
- SAMLv2rpi: https://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.pdf
- eduGAIN Policy: https://technical.edugain.org/doc/eduGAIN_metadata_profile.pdf (formerly http://services.geant.net/edugain/Resources/Documents/eduGAIN_metadata_profile.pdf, page not found)
- CoCo: https://wiki.refeds.org/download/attachments/1606124/GEANT_DP_CoCo_Entity_Category_ver1.2.pdf
...