9 changes: 7 additions & 2 deletions edugain-saml-profile.md
@@ -70,6 +70,8 @@ SAML Metadata Producers MUST publish a SAML Metadata Registration Practice State

SAML Metadata Producers MUST NOT register any Identity or Attribute Providers with scopes (i.e., `<shibmd:Scope>` elements as defined in [ShibMD]) without checking the validity and purpose of the claim. SAML Metadata Producers MAY publish entities that represent multiple scopes.

SAML Metadata Producers MUST NOT register any Identity or Attribute Providers that do not signal the https://refeds.org/assurance and https://refeds.org/assurance/ID/unique values of eduPersonAssurance [RAF].

## 3. SAML Metadata Production

SAML Metadata Producers MUST adhere to the following requirements when producing SAML Metadata for aggregation in eduGAIN. Support for these requirements is fully described in the eduGAIN Metadata Aggregation Practice Statement [eduGAIN-MAPS].
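Review bot: the new MUST NOT on eduPersonAssurance cannot be checked from metadata. eduPersonAssurance is an attribute released in assertions at authentication time, not a metadata element, so a Metadata Producer has nothing to inspect at registration to confirm that an IdP "signals" https://refeds.org/assurance and https://refeds.org/assurance/ID/unique. State what the registrar actually verifies (an operator self-declaration, a test authentication, or a metadata signal this profile names), and use the attribute's own term, "assert", rather than "signal". Also confirm that "and" is intended (both values required), and say whether already-registered IdPs are grandfathered or given a transition period, since as written the sentence forbids registering any IdP that does not support RAF.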
@@ -88,13 +90,14 @@ Each `<md:EntityDescriptor>` element MUST contain:
* `<md:OrganizationDisplayName>`.
* `<md:OrganizationURL>`.
* `<md:ContactPerson>` with `contactType="technical"` and/or `contactType="support"`.
* 'md:ContactPerson> with 'contactType="https://refeds.org/metadata/contactType/security"' as defined in the REFEDS Security Contact Metadata Extension Schema [Security-Contact].
* `entityID` prefixes that start with either `urn:`, `https://`, or `http://` only.

The `<md:EntityDescriptor>` SHOULD contain:

* `<mdrpi:RegistrationPolicy>`.
* If the `<md:EntityDescriptor>` contains `<md:IDPSSODescriptor>` it SHOULD contain an `<mdui:DisplayName>` element and `<mdui:Logo>` element.
* If the `<md:EntityDescriptor>` contains `<md:SPSSODescriptor>` it SHOULD contain an `<mdui:DisplayName>` element, `<mdui:Logo>` element and an `<mdui:Description>` element with a value in English. Where the service supports other languages, these values SHOULD be supported for those languages.
* If the `<md:EntityDescriptor>` contains `<md:IDPSSODescriptor>` it SHOULD contain an `<mdui:DisplayName>` element, an`<mdui:Logo>` and an <mdui:PrivacyStatementURL> element.
* If the `<md:EntityDescriptor>` contains `<md:SPSSODescriptor>` it SHOULD contain an `<mdui:DisplayName>` element, `<mdui:Logo>` elementm an `<mdui:Description>` element with a value in English and an <mdui:PrivacyStatementURL> element. Where the service supports other languages, these values SHOULD be supported for those languages.
* If an `<mdui:Logo>` element is present, the logo MUST be expressed as a Data URI (embedded logo) or an https URL. URLs used for this element MUST be publicly accessible.

## 4. SAML Metadata Signing
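Review bot: the new security-contact bullet is schema-invalid as written, not just mis-rendered. In [SAMLMeta] `contactType` is an enumeration (technical, support, administrative, billing, other), so `contactType="https://refeds.org/metadata/contactType/security"` will not validate; the REFEDS extension the bullet cites carries the URI in a separate `remd:contactType` attribute on a `<md:ContactPerson contactType="other">` element. Suggest: `<md:ContactPerson>` with `contactType="other"` and `remd:contactType="https://refeds.org/metadata/contactType/security"`, as defined in [Security-Contact]. The bullet also uses straight single quotes instead of backticks and drops the opening `<` ('md:ContactPerson>). In the two rewritten mdui bullets, "an`<mdui:Logo>`" is missing a space, "elementm" should be "element,", and `<mdui:PrivacyStatementURL>` is outside backticks, unlike every other element name in the list. Finally, this bullet is a MUST while the rest of the hunk adds SHOULDs: every currently registered entity without a security contact will fail the MUST list, so say whether that is intended and from when.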
@@ -149,10 +152,12 @@ For more information on how validations and warnings are supported by the eduGAI
* [eduGAIN-VAL] eduGAIN Metadata Validator: https://validator.edugain.org/
* [MDRPI] SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf
* [MDUI] SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
* [RAF] REFEDS Assurance Framework: https://refeds.org/wp-content/uploads/2023/12/RAF-2.0-Final-version.pdf
* [REFEDS-MRPS] REFEDS Metadata Registration Practice Statement Template: https://github.com/REFEDS/MRPS
* [RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14, RFC 2119, March 1997: https://www.ietf.org/rfc/rfc2119.txt
* [SAMLCore] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
* [SAMLMeta] Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
* [SAMLMetaErrata] http://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf
* [SAMLMetaIoP] SAML V2.0 Metadata Interoperability Profile Version 1.0: http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.pdf
* [Security-Contact] https://refeds.org/metadata/contacttype/security.
* [ShibMD] ShibMetaExt V1.0: https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0
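Review bot: the [Security-Contact] URL is `https://refeds.org/metadata/contacttype/security` (lowercase "contacttype") while the requirement in section 3 uses `https://refeds.org/metadata/contactType/security`; the value is an exact-match URI, so pick one spelling and use it in both places. The entry also has no title, unlike every other reference, and ends with a stray period; suggest `* [Security-Contact] REFEDS Security Contact Metadata Extension Schema: https://refeds.org/metadata/contactType/security`. For [RAF], the link is a wp-content upload of one specific PDF; either point at a stable landing page or put the version (2.0) in the title so readers know which edition the new eduPersonAssurance MUST NOT binds to.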