List of things that we expect of SAML federations in eduGAIN. I've left out the Attribute profile document for now, as the plan is to scrap it and instead refer to processes for attribute release management (e.g. entity categories and more general recommendations) as a recommended best practice, rather than giving a list of attributes.
We also need to work on consolidating the sets of instructions we have for "joining" eduGAIN. At the moment there are:
- https://wiki.edugain.org/General_process_for_an_identity_federation_to_join_eduGAIN
- https://technical.edugain.org/joining_checklist
- https://wiki.edugain.org/index.php?title=Best_Current_Practices_Guide_for_Joining_eduGAIN_as_a_Federation&action=view
- Policy documents
What | Status | Currently described? | Why? | Validation Check | Comments
---|---|---|---|---|---
Metadata Signing | mandatory optional | | | https://validator.edugain.org/ | Should become part of SAML participation checklist. Is it possible to define a level for when new federations start to participate and when a federation does a key rollover, and then set an end date for a lower level of encryption? (from Pål) Add something here about acceptable methods for validating the key with the eduGAIN Op?
Website | mandatory | no requirement in Constitution | | https://technical.edugain.org/status |
Policy Documents | mandatory url | | | https://technical.edugain.org/status. What about document changes? | MRPS: part of SAML Profile and SAML participation checklist? Part of Constitution / Joining checklist.
Contacts | mandatory email | Joining Checklist / Constitution. | | https://technical.edugain.org/status ... but we don't necessarily regularly check that contacts are valid and up-to-date. | Delegates are part of Constitution / joining checklist. Make operational contact part of SAML profile?
Metadata Requirements | | | | |
 | mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ |
 | semi-mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ |
 | semi-mandatory in an optional profile | Metadata Profile. MAPS does not exist. | | https://validator.edugain.org/ |
 | mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ |
 | semi-mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ | Add scope extension and rules about this here? NSR: I would recommend adding scope extension expectations in a requirement specifically related to IdP/AA entity descriptors.
 | semi-mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ (but validator treats these as if mandatory) |
 | semi-mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ | Why are we giving Service Providers instructions in a document for FOs? This needs to be rewritten as instruction to FO. +1
 | semi-mandatory in an optional profile | Metadata Profile | | https://validator.edugain.org/ |
SAML Deployment Profile | optional | WebSSO profile. Current issues with recommendations in SAML2int and old reference used in document. | | none (FedLab?) | Does it make sense for eduGAIN to have an opinion on deployment profiles? No, I don't think it does. I would remove any mention of saml2int. Instead, you may want to include a requirement in the eduGAIN SAML tech profile to use the OASIS SAML metadata specification for the exchange of SAML entity information.
Things that come up | | | | | Publishing and complaints mostly dealt with in declaration.