en:checklist, revision 2021/07/20 09:25 (created, Silke Meyer) compared with revision 2022/04/05 15:11 ([Federations] translation complete, Silke Meyer)
====== Checklist ======
<callout color="#
New metadata admins can be designated by the administrative or technical contacts who signed the contract with us (see the contract details in the Metadata Admin tool). They can send us an e-mail to [[hotline@aai.dfn.de]] containing the following contact details for each new metadata admin:
  * full name,
  * e-mail address and
Please have a look at the valid version of the [[en:
Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below, that is, before you activate a federation with the radio button in the Federations section.
  * The metadata administration tool can fetch your IdP'
  * Fill in all fields. If you see **red warnings**, correct them before submitting the IdP/SP to production.
  * Use only host names and URLs that can be resolved from outside your network. Systems with internal top-level domains cannot be saved.
  * Keep your X.509 certificate for the SAML-based communication ready. The complete information on these certificates can be found here: [[https://
    * IdPs use certificates issued by the DFN-PKI.
    * SPs may use DFN-PKI certificates (if entitled),
    * The SSL certificates must not exceed a **validity of 39 months**.
    * CA certificates,
===== Entity ID =====
A unique string that globally distinguishes this entity from all other entities. The Entity ID is an absolute https-scheme URL. The federation participant has to make sure they are entitled to use the domain

**Examples:**
  * SP: https://sp.example.org/
**Remark:** With Shibboleth IdPs, the Entity ID is configured in ''

**Important:

===== Display name =====
The element ''<

===== Description =====
A short description for the public DFN-AAI directory and other services extracting human-readable information from federation metadata. Ampersands must be entered as ''&

===== Information URL =====
Link to a page with additional information about the service or, for IdPs, about the organization.

===== Privacy Statement URL =====
Link to the privacy statement of the IdP or SP. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German, leave the field for the other language blank.

===== Logo =====
Links to the logo and favicon of the organization (IdP) or of the service (SP). An IdP favicon is displayed in the selection menu of discovery services; an SP logo is shown on the IdPs' login pages. SP metadata do not require a favicon. Requirements and recommendations:
  * Logos are displayed at fixed maximum sizes, so scale them to fit: between 64 and 240 px wide and at most 180 px high.
  * Favicons should have a size of 16 x 16 px.
  * A transparent background is recommended.

Also see the recommendations in the [[https://

===== Help Desk =====
Contact information of your user help desk for the public DFN-AAI directory (e.g. e-mail address, phone number).

===== Entity Category =====
For Entity Categories and Entity Attributes, please see our [[en:

===== Entity Category Support =====
Entity Attribute with which an IdP announces that it releases all attributes defined by a certain Entity Category to every SP carrying that Entity Category.

===== Contacts =====
Each entity's metadata has to contain at least four contacts:
  * administrative:
  * technical: contact information concerning the operation of the service
  * support: contact information for end users
  * security: contact information for security incidents.
Use functional (role) addresses rather than personal ones, especially for the security contact (e.g. the address of your CERT). If your organization or company has no such team, use the address of the people who can be reached in case of a security incident. Please make sure the e-mail addresses stored in the metadata administration are kept up to date.
Also see [[https://

===== Scope =====
Scope of the IdP, usually the domain of the organization. The organization has to be entitled to use the domain(s). SPs match the transmitted 'scoped' attributes (e.g. eduPersonScopedAffiliation) against this string. See the [[en:

===== Request Initiator =====
Service Provider URL that initiates a login process.

===== Discovery Response =====
Service Provider endpoint to which a discovery service returns the IdP selected by the user.

===== Certificates =====
Enter the certificates used to sign and encrypt the SAML communication (in PEM format). Check the certificate details before hitting the save button. Also see the [[en:

For Service Providers (optional): If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate must have the client attribute (TLS client authentication) set, because the SP authenticates as a TLS client on the SOAP back channel. If you request your certificate from DFN-PKI, please use the template called "
<code>
openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "
</code>
===== Single Logout Services =====

IdPs and SPs supporting Single Logout Requests have to publish the respective endpoints here.

Example for Shibboleth IdPs:
<code>
Binding: urn:
Location: https://
Binding: urn:
Location: https://
Binding: urn:
Location: https://
Binding: urn:
</code>

Example for Shibboleth SPs:
<code>
Binding: urn:
Location: https://
Binding: urn:
Location: https://
Binding: urn:
Location: https://
Binding: urn:
</code>

===== Assertion Consumer Services =====
Endpoints of an SP's Assertion Consumer Service. Examples:
<code>
Binding: urn:
Index: 1
Binding: urn:
Index: 2
Binding: urn:
Index: 3
Binding: urn:
Index: 4
</code>

===== Attribute Consuming Service =====
List of the attributes the SP requests from IdPs.

===== Artifact Resolution Services =====
Example:
<code>
Binding: urn:
Index: 1
</code>

===== Single Sign On Services =====
Single Sign On endpoints of an IdP. Examples:
<code>
Binding: urn:
Location: https://
Binding: urn:
Location: https://
Binding: urn:
</code>

===== Attribute Services =====
IdP endpoint for Attribute Queries via SOAP requests. Example:
<code>
Location: https://
Binding: urn:
</code>

===== NameID Formats =====
Supported NameID formats. At least ''

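The checklist items above (absolute https Entity ID, externally resolvable endpoints, the four contact roles, logo sizes, scope, SSO and Assertion Consumer Service endpoints, NameID formats) can be checked mechanically before the form is submitted. The following stdlib-only Python linter is an added example written for this page; it is not part of the wiki page nor of the DFN-AAI metadata administration tool. The two EntityDescriptors, all host names and addresses are constructed for the example. Assumptions: the security contact is recognised by the REFEDS contactType attribute, the list of house-internal top-level domains is illustrative, and the transient NameID format is taken as the required minimum.

```python
"""Added example: stdlib-only checklist linter for one SAML EntityDescriptor
(not part of the DFN-AAI wiki page or the metadata admin tool; samples are constructed)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0", "remd": "http://refeds.org/metadata"}
# REFEDS convention: the security contact is contactType="other" plus this attribute.
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
# Assumption: the transient NameID format is the required minimum.
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Assumption: house-internal top-level domains the tool would refuse to store.
INTERNAL_TLDS = {"local", "localdomain", "lan", "intern", "internal", "home"}

# Constructed IdP that breaks three checklist items (two contacts missing, logo too large).
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope><mdui:UIInfo>
      <mdui:Logo width="400" height="300">https://idp.example.org/logo.png</mdui:Logo>
      <mdui:Logo width="16" height="16">https://idp.example.org/favicon.ico</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="support"><md:EmailAddress>mailto:helpdesk@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
# Constructed SP with complete contacts but a duplicate ACS index and an internal host name.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:remd="http://refeds.org/metadata" entityID="https://sp.example.org/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.intern/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="administrative"><md:EmailAddress>mailto:admin@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:ops@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="support"><md:EmailAddress>mailto:help@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:EmailAddress>mailto:cert@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def _internal_host(host):
    # True for names that cannot be resolved from outside: a single label or an internal TLD.
    labels = host.lower().split(".")
    return len(labels) < 2 or labels[-1] in INTERNAL_TLDS


def lint(xml_text):
    """Return the list of checklist violations found in one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    out = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).scheme != "https" or not urlparse(entity_id).netloc:
        out.append(f"entityID is not an absolute https URL: {entity_id!r}")
    for el in root.iter():  # every endpoint must be https and externally resolvable
        for attr in ("Location", "ResponseLocation"):
            loc = urlparse(el.get(attr, ""))
            if el.get(attr) and (loc.scheme != "https" or _internal_host(loc.hostname or "")):
                out.append(f"{el.tag.rsplit('}', 1)[-1]} {attr} not usable from outside: {el.get(attr)}")
    roles = set()  # administrative, technical, support and security contacts are all required
    for c in root.findall("md:ContactPerson", NS):
        role = c.get("contactType")
        if role == "other" and c.get(f"{{{NS['remd']}}}contactType") == SECURITY_CONTACT:
            role = "security"
        roles.add(role)
    out += [f"missing {r} contact" for r in ("administrative", "technical", "support", "security") if r not in roles]
    for logo in root.iter(f"{{{NS['mdui']}}}Logo"):  # checklist: 64-240 px wide, max 180 px high, favicon 16x16
        w, h = int(logo.get("width", "0")), int(logo.get("height", "0"))
        if (w, h) != (16, 16) and not (64 <= w <= 240 and h <= 180):
            out.append(f"Logo {w}x{h} px outside the allowed size")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        scopes = idp.findall("md:Extensions/shibmd:Scope", NS)
        if not scopes:
            out.append("IdP publishes no shibmd:Scope")
        for s in scopes:  # scope must be a literal, public domain, not a regexp
            value = (s.text or "").strip()
            if s.get("regexp", "false") == "true" or not re.fullmatch(r"[a-z0-9.-]+", value) or _internal_host(value):
                out.append(f"scope is not a plain public domain: {value!r}")
        if idp.find("md:SingleSignOnService", NS) is None:
            out.append("IdP publishes no SingleSignOnService")
        if TRANSIENT not in [n.text for n in idp.findall("md:NameIDFormat", NS)]:
            out.append("IdP does not list the transient NameID format")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        indexes = [a.get("index") for a in sp.findall("md:AssertionConsumerService", NS)]
        if not indexes:
            out.append("SP publishes no AssertionConsumerService")
        elif len(indexes) != len(set(indexes)):
            out.append(f"AssertionConsumerService index values are not unique: {indexes}")
    return out
```

Run `lint()` on the metadata your own IdP or SP serves (for Shibboleth typically the `/idp/shibboleth` or `/Shibboleth.sso/Metadata` URL) and clear every finding before submitting the entity; the constructed IdP above yields the two missing contacts and the oversized logo, the constructed SP the internal host name and the duplicate ACS index. The certificate rules (DFN-PKI issuer, validity, client attribute) are not covered here and remain the openssl check shown in the Certificates section.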
===== Federations =====

Here you add your IdP/SP to federations.
If you submit your provider to DFN-AAI-Test

Information regarding the Degrees of Reliance:
IdP:
  * In addition, an IdP can be registered
SP:
  * Choose the degree of reliance that an IdP (!) must fulfill to grant access to their users. In DFN-AAI only users of the '
  * Additionally,
  * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least one IdP.
  * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:
  * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.