...
| ID | Condition evaluated | Reason |
|---|---|---|
| E1 | entityID attribute value has no space characters, starts with http://, https:// or urn:, and is unique within the given feed | [SAMLMeta], [SAML] sec. 1.3.2 |
| E2 | md:Extensions element with mdrpi:RegistrationInfo is defined and its registrationAuthority attribute matches the value registered with the eduGAIN OT for the given federation | [eduGAIN-profile] sec. 3 |
| E3 | if any of the elements GivenName, SurName, EmailAddress, TelephoneNumber is declared within an md:ContactPerson element, its value must not be empty | [SAMLMeta], [SAML] sec. 1.3.1 |
| E4 | md:OrganizationDisplayName, md:OrganizationName and md:OrganizationURL elements are not empty | [SAMLMeta] sec. 2.3.2.1, [SAML] sec. 1.3.1 and 1.3.2, [eduGAIN-profile] sec. 3 |
| E5 | if an md:Organization element is declared with md:OrganizationDisplayName and/or md:OrganizationName and/or md:OrganizationURL elements, the values of these elements must not be empty | [SAMLMeta], [SAML] sec. 1.3.1, [SAML] sec. 1.3.2 |
| E6 | md:ContactPerson exists with contactType technical or support | [eduGAIN-profile] sec. 3 |
| E7 | md:EmailAddress in md:ContactPerson element must start with the mailto: prefix (not yet implemented as an error) | [SAMLMeta] sec. 2.3.2.2, line 495 |
| E8 | mdrpi:RegistrationInfo element is defined more than once within a given md:Extensions element | [MDRPI] sec. 2.1 |
| E9 | mdattr:EntityAttributes element appears more than once within a given md:Extensions element | [MEEA] sec. 2.3 |
For each role descriptor element declared under md:EntityDescriptor, the following verification is performed:

| ID | Condition evaluated | Reason |
|---|---|---|
| R1 | md:IDPSSODescriptor element must have a signing certificate (md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate) | |
| R2 | if an md:Extensions element with mdui:UIInfo exists: | [MDUI] sec. 2.1, [SAML] sec. 1.3.1, [SAML] sec. 1.3.2 |
| R3 | if an md:Extensions element with mdui:DiscoHints exists: | [MDUI] sec. 2.2, [SAML] sec. 1.3.1, [SAML] sec. 1.3.2, RFC 5870 (for the geo URI) |
| R4 | md:ServiceName element within md:AttributeConsumingService is not empty | [SAMLMeta] sec. 2.4.4.1, [SAML] sec. 1.3.1 |
| R5 | md:AssertionConsumerService element Binding attribute does not contain urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | [SAMLProf] sec. 4.1.2, line 424 |
| R6 | md:DiscoveryResponse element Binding attribute contains the value | [IdPDisco] sec. 2.5 |
| R7 | index attributes in md:DiscoveryResponse, md:AssertionConsumerService and md:AttributeConsumingService are unique | [SAMLMeta] sec. 2.2.3 |
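As an added illustration (not the validator's own code), the Python below applies checks E1, E2, E3, E6, E7, E8, R5 and R7 from the two tables to one md:EntityDescriptor using only the standard library; the sample metadata, its entityID and the registrationAuthority value are constructed for this example, and feed-wide uniqueness (E1) is modelled by passing the entityIDs already seen.

```python
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: registered SP with a bare e-mail (E7) and two ACS endpoints on index 0 (R7)
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://fed.example.org"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs2" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>admin@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

def check_entity(xml_text, seen_entity_ids=()):
    # Returns [(rule, message), ...] for one md:EntityDescriptor; an empty list means it passed
    ed = ET.fromstring(xml_text)
    findings = []
    eid = ed.get("entityID", "")
    # E1: no whitespace, http(s):// or urn: prefix, unique within the feed
    if any(c.isspace() for c in eid) or not eid.startswith(("http://", "https://", "urn:")):
        findings.append(("E1", f"malformed entityID {eid!r}"))
    if eid in seen_entity_ids:
        findings.append(("E1", f"duplicate entityID {eid!r}"))
    # E2 / E8: exactly one mdrpi:RegistrationInfo under md:Extensions
    reg = ed.findall("md:Extensions/mdrpi:RegistrationInfo", NS)
    if not reg:
        findings.append(("E2", "missing mdrpi:RegistrationInfo"))
    elif len(reg) > 1:
        findings.append(("E8", "mdrpi:RegistrationInfo defined more than once"))
    # E3 / E6 / E7: contact persons (the metadata schema spells the element md:SurName)
    contacts = ed.findall("md:ContactPerson", NS)
    if not any(c.get("contactType") in ("technical", "support") for c in contacts):
        findings.append(("E6", "no technical or support md:ContactPerson"))
    for c in contacts:
        for name in ("GivenName", "SurName", "EmailAddress", "TelephoneNumber"):
            for el in c.findall(f"md:{name}", NS):
                value = (el.text or "").strip()
                if not value:
                    findings.append(("E3", f"empty md:{name} in md:ContactPerson"))
                elif name == "EmailAddress" and not value.startswith("mailto:"):
                    findings.append(("E7", f"md:EmailAddress lacks mailto: prefix: {value!r}"))
    # R5 / R7: no HTTP-Redirect ACS binding; index values unique per endpoint type
    for sp in ed.findall("md:SPSSODescriptor", NS):
        acs = sp.findall("md:AssertionConsumerService", NS)
        if any(e.get("Binding") == HTTP_REDIRECT for e in acs):
            findings.append(("R5", "md:AssertionConsumerService uses the HTTP-Redirect binding"))
        for tag in ("AssertionConsumerService", "AttributeConsumingService"):
            dup = [i for i, n in Counter(e.get("index") for e in sp.findall(f"md:{tag}", NS)).items() if n > 1]
            if dup:
                findings.append(("R7", f"duplicate md:{tag} index {dup}"))
    return findings
```

Running `check_entity(SAMPLE)` on the constructed sample reports E7 and R7; fixing the mailto: prefix and giving the second endpoint index 1 yields an empty list.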
...
[MEEA] http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html
[IdPDisco] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
...
[SAMLMetaIoP] https://www.oasis-open.org/committees/download.php/36645/draft-sstc-metadata-iop-2.0-01.pdf
[eduGAIN-profile] https://github.com/REFEDS/SAML-Profile/blob/master/edugain-saml-profile.md
...