Check list for publishing metadata

Access to the metadata administration tool

New metadata admins can be designated by the administrative or technical contacts who signed the contract with us (see the contract details in Metadata Admin tool). They can send us an e-mail to, containing the following contact details for each new metadata admin:
  • full name,
  • e-mail address and
  • work phone number.

The credentials will be sent directly to the new metadata admins.

Please have a look at the valid version of the Metadata Registration Practice Statements.

Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button:

  • The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying unable to open file, your webserver does not return the full certificate chain. On the certificates page you can read how to correct this.
  • Fill in all fields. If you see red warnings correct them before submitting the IdP/SP to production.
  • Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved.
  • Display name: the name of your institution, organization, or company
  • Description: A short description, e.g. “Identity Provider of University XY”
  • Information URL: Website of the institution, organization, or company
  • Privacy Statement URL: Add the link to your privacy statement. For Service Providers the field is mandatory. If you only have a privacy statement in either English or German you can leave the second field blank.
  • The logos are displayed during Discovery (IdP favicons) resp. on login screens. That is why they have maximum sizes. Scale your logos down to fit this size. Logos (big) can have a width of 64 to 240 px and a maximum height of 180 px. Favicons (logo small) have a size of 16 x 16 px. Service Providers do not need a small logo/favicon, just a big one. To participate in eduGAIN (de) a working logo URL must be submitted.
  • Please submit at least four contacts per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date!
  • Have your X.509 certificate for SAML-based communication ready. We have an information page about certificates. The most important items are:
    • IdPs use DFN-PKI certificates. As of July 2019, only the second generation of DFN-PKI certificates will be valid.
    • SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates.
    • SSL certificates must not exceed a validity of 39 months.
    • For security reasons, we do no longer accept certificates that were created with a sha1 signature algorithm. Here is how you can check this, e.g. with openssl:
openssl x509 -in -noout -text | grep "Signature Algorithm" | uniq
  • For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called “Shibboleth IdP/-SP”. If you do not use DFN-PKI certificates, have a look at our Swiss colleagues' documentation. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type=“Query”> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
openssl x509 -in -noout -text | grep -A 1 "X509v3 Extended Key Usage"
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
  • Put your new system into our test federation DFN-AAI-Test. Use our public test systems to check if the transfer of attributes works correctly.

  • If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.

  • Last modified: 2 months ago