| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| en:checklist [2021/07/20 09:58] – incorporate content from en:metadata_admin_tool:checklist Silke Meyer | en:checklist [2022/04/05 13:23] – started to revise content Silke Meyer |
|---|
| FIXME **This page is not fully translated, yet. Please help completing the translation.**\\ //(remove this paragraph once the translation is finished)// | ====== Check list for publishing metadata ====== |
| | |
| ====== How to fill in metadata? ====== | |
| |
| <callout color="#ff9900" title="Access to the metadata administration tool"> | <callout color="#ff9900" title="Access to the metadata administration tool"> |
| |
| * The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying **unable to open file**, your webserver does not return the full certificate chain. On the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] you can read how to correct this. | * The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying **unable to open file**, your webserver does not return the full certificate chain. On the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] you can read how to correct this. |
| * Fill in all fields if possible. If you see red warnings correct them before submitting the IdP/SP to production. | * Fill in all fields. If you see **red warnings** correct them before submitting the IdP/SP to production. |
| * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved. | * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved. |
| * Display name: the name of your institution, organization, or company | |
| * Description: A short description, e.g. "Identity Provider of University XY" | ===== Entity ID ===== |
| * Information URL: Website of the institution, organization, or company | A unique string that globally distinguishes this entity from all other entities. The Entity ID is an absolute https-scheme URL. The federation participant has to make sure they are entitled to use the domain in the URL. See the [[en:normative_documents|Metadata Registration Practice Statement]] for details. |
| * **Privacy Statement URL**: Add the link to your privacy statement. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. | |
| * The **logos** are displayed during Discovery (IdP favicons) resp. on login screens. That is why they have **maximum sizes**. Scale your logos down to fit this size. Logos (big) can have a width of 64 to 240 px and a maximum height of 180 px. Favicons (logo small) have a size of 16 x 16 px. Service Providers do not need a small logo/favicon. To participate in [[de:edugain|eduGAIN (de)]] a working logo URL **must** be submitted. | **Examples:** |
| | * IdP: https://idp.example.org/idp/shibboleth |
| | * SP: https://sp.example.org/shibboleth |
| | |
| | **Remark:** With Shibboleth IdPs, the Entity ID is configured in ''./conf/idp.properties'', with Shibboleth SPs in ''/etc/shibboleth/shibboleth2.xml''. |
| | |
| | **Important: You cannot change an Entity ID in this form!** Doing so results in a copy of the whole entry being created. The old entity stays unless you explicitly delete it. |
| | |
| | ===== Display name ===== |
| | The element ''<mdui:DisplayName>'' contains a human-readable name of the service. Identity Providers' display names are shown in the selection menu of discovery services. Service Providers' display names are displayed on an IdP's login page and in the user consent dialogue. Ampersands must be entered as ''&'' ! |
| | |
| | ===== Description ===== |
| | A short description for the public DFN-AAI directory and other services extracting human-readable information from federation metadata. Ampersands must be entered as ''&'' ! |
| | |
| | ===== Information URL ===== |
| | Link to a page containing additional information about the service, resp. - with IdPs - about the organization. |
| | |
| | ===== Privacy Statement URL ===== |
| | Link to the privacy statement of the IdP or SP. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. |
| | |
| | ===== Logo ===== |
| | Link to the logo and favicon if the organization resp. the service provider. An IdP favicon is displayed in the selection menu of discovery services. An SP logo is shown on IdP‘s login pages. SP metadata do not require a favicon. Requirements and recommendations: |
| | * <del>New logos and favicons must be uploaded to and served by the metadata administration tool.</del> Logos should be 64 to 240 px wide and 48 to 180 px high. |
| | * Favicons should have a size of 16 x 16 px. |
| | * A transparent background is recommended. |
| | * |
| | Also see the recommendations in the [[https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2578448519/IdPMDUIRecommendations|Shibboleth Wiki]]. |
| | |
| * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date! | * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date! |
| * Have your X.509 certificate for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are: | * Have your X.509 **certificate** for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are: |
| * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. | * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. |
| * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates. | * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates. |
| </code> | </code> |
| |
| * For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl: | * For Service Providers: If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl: |
| <code> | <code> |
| openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" | openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" |
| TLS Web Client Authentication, TLS Web Server Authentication | TLS Web Client Authentication, TLS Web Server Authentication |
| </code> | </code> |
| | * This is what end points for **Assertion Consumer Services** look like for Shibboleth SPs:<code>Location: https://example.org:8443/Shibboleth.sso/SAML2/POST |
| * Put your new system into our ** test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly. | Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| | Index: 1</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/POST-SimpleSign |
| | Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign |
| | Index: 2</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/Artifact |
| | Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact |
| | Index: 3</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/ECP |
| | Binding: urn:oasis:names:tc:SAML:2.0:bindings:PAOS |
| | Index: 4</code> |
| | * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly. |
| {{:en:metadata_admin_tool:test-en.png?600|}} | {{:en:metadata_admin_tool:test-en.png?600|}} |
| * If it does, submit a request to join DFN-AAI. | * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us. |
| |
| {{:en:metadata_admin_tool:in-progress.png?600|}} | {{:en:metadata_admin_tool:in-progress.png?600|}} |
| |
| | {{tag>mdvdoku}} |