diff --git a/edugain-saml-profile.md b/edugain-saml-profile.md index 57e8f91..ab1340a 100644 --- a/edugain-saml-profile.md +++ b/edugain-saml-profile.md @@ -70,6 +70,8 @@ SAML Metadata Producers MUST publish a SAML Metadata Registration Practice State SAML Metadata Producers MUST NOT register any Identity or Attribute Providers with scopes (i.e., `` elements as defined in [ShibMD]) without checking the validity and purpose of the claim. SAML Metadata Producers MAY publish entities that represent multiple scopes. +SAML Metadata Producers MUST NOT register any Identity or Attribute Providers that do not signal the https://refeds.org/assurance and https://refeds.org/assurance/ID/unique values of eduPersonAssurance [RAF]. + ## 3. SAML Metadata Production SAML Metadata Producers MUST adhere to the following requirements when producing SAML Metadata for aggregation in eduGAIN. Support for these requirements is fully described in the eduGAIN Metadata Aggregation Practice Statement [eduGAIN-MAPS]. 
@@ -88,13 +90,14 @@ Each `` element MUST contain: * ``. * ``. * `` with `contactType="technical"` and/or `contactType="support"`. +* 'md:ContactPerson> with 'contactType="https://refeds.org/metadata/contactType/security"' as defined in the REFEDS Security Contact Metadata Extension Schema [Security-Contact]. * `entityID` prefixes that start with either `urn:`, `https://`, or `http://` only. The `` SHOULD contain: * ``. -* If the `` contains `` it SHOULD contain an `` element and `` element. -* If the `` contains `` it SHOULD contain an `` element, `` element and an `` element with a value in English. Where the service supports other languages, these values SHOULD be supported for those languages. +* If the `` contains `` it SHOULD contain an `` element, an`` and an element. +* If the `` contains `` it SHOULD contain an `` element, `` elementm an `` element with a value in English and an element. Where the service supports other languages, these values SHOULD be supported for those languages. * If an `` element is present, the logo MUST be expressed as a Data URI (embedded logo) or an https URL. URLs used for this element MUST be publicly accessible. ## 4. SAML Metadata Signing 
@@ -149,10 +152,12 @@ For more information on how validations and warnings are supported by the eduGAI * [eduGAIN-VAL] eduGAIN Metadata Validator: https://validator.edugain.org/ * [MDRPI] SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf * [MDUI] SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf +* [RAF] REFEDS Assurance Framework: https://refeds.org/wp-content/uploads/2023/12/RAF-2.0-Final-version.pdf * [REFEDS-MRPS] REFEDS Metadata Registration Practice Statement Template: https://github.com/REFEDS/MRPS * [RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14, RFC 2119, March 1997: https://www.ietf.org/rfc/rfc2119.txt * [SAMLCore] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf * [SAMLMeta] Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf * [SAMLMetaErrata] http://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf * [SAMLMetaIoP] SAML V2.0 Metadata Interoperability Profile Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.pdf +* [Security-Contact] https://refeds.org/metadata/contacttype/security. * [ShibMD] ShibMetaExt V1.0: https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0
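Review bot: The new eduPersonAssurance requirement in the first hunk (the `MUST NOT register ... that do not signal` line added after the scope bullet) does not say where or how a Metadata Producer is expected to observe the signal, unlike the preceding scope requirement, which at least demands "checking the validity and purpose of the claim". eduPersonAssurance is an attribute asserted at authentication time, so a registrar cannot see it in metadata unless the profile names the metadata mechanism (for example an entity attribute or a support flag defined by [RAF]) that the producer must check at registration. Suggest stating the concrete metadata signal and the check the producer performs, and, since this is a hard MUST NOT, whether it applies only to new registrations or also retroactively to already-registered IdPs with a transition date.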
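Review bot: The second hunk has formatting and wording defects in the new and changed bullets. The security contact bullet uses straight single quotes and drops the leading angle bracket (`'md:ContactPerson>` and `'contactType="..."'`) where every neighbouring bullet uses backticks, so it should be ``<md:ContactPerson>`` with the attribute also in backticks. Both rewritten SHOULD bullets end with `and an element` (and one reads `an`` and an element` with a missing space), so the element being required is never named; the element name should be spelled out in backticks like the others. `elementm an` is a typo for `element, an`. Separately, the SAML metadata schema [SAMLMeta] restricts the plain `contactType` attribute to an enumerated list (technical, support, administrative, billing, other), so a URI placed directly in `contactType` will not validate; the bullet should use whatever namespaced attribute and exact URI the referenced [Security-Contact] extension defines (note the body says https while the reference URL form is the one to confirm), ideally with `contactType="other"` alongside it as that extension prescribes.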
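Review bot: In the references hunk the new `[Security-Contact]` entry has no title, whereas every other entry gives one before the URL; the body text already calls it the "REFEDS Security Contact Metadata Extension Schema", so that title should precede the link. The entry also ends with a period directly after the URL, which readers and link extractors will pick up as part of the address, and the path uses `contacttype` while the body uses `contactType`; the two should agree with the canonical URI. The `[RAF]` entry is fine as added, though a version and date ("Version 2.0, December 2023") would match the style of the RFC entry.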