Differences
This shows you the differences between two versions of the page.
en:checklist [2022/04/04 16:43] – Tag: Revision MDV documentation Silke Meyer | en:checklist [2022/06/14 08:51] – [Certificates] More details... Silke Meyer | ||
Line 13: | Line 13: | ||
Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button: | Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button: | ||
+ | **current/ | ||
{{: | {{: | ||
+ | |||
+ | **upcoming/ | ||
+ | {{: | ||
* The metadata administration tool can fetch your IdP' | * The metadata administration tool can fetch your IdP' | ||
* Fill in all fields. If you see **red warnings** correct them before submitting the IdP/SP to production. | * Fill in all fields. If you see **red warnings** correct them before submitting the IdP/SP to production. | ||
* Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved. | * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved. | ||
- | * **Display name:** the name of your institution, | ||
- | * **Description: | ||
- | * **Information URL:** Website of the institution, | ||
- | * **Privacy Statement URL:** Add the link to your privacy statement. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. | ||
- | * The **logos** are displayed during Discovery (IdP favicons) resp. on login screens. That is why they have **maximum sizes**. Scale your logos down to fit this size. Logos (big) can have a width of 64 to 240 px and a maximum height of 180 px. Favicons (logo small) have a size of 16 x 16 px. Service Providers do not need a small logo/ | ||
- | * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date! | ||
- | * Have your X.509 **certificate** for SAML-based communication ready. We have an [[en: | ||
- | * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. | ||
- | * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates. | ||
- | * SSL certificates must not exceed a **validity of 39 months**. | ||
- | * For security reasons, we do no longer accept certificates that were created with a sha1 **signature algorithm**. Here is how you can check this, e.g. with openssl: | ||
- | < | ||
- | openssl x509 -in example.org.crt.pem -noout -text | grep " | ||
- | </ | ||
- | | + | ===== Entity ID ===== |
+ | A unique string that globally distinguishes this entity from all other entities. The Entity ID is an absolute https-scheme URL. The federation participant has to make sure they are entitled to use the domain in the URL. See the [[en: | ||
+ | |||
+ | **Examples: | ||
+ | * IdP: https:// | ||
+ | * SP: https:// | ||
+ | |||
+ | **Remark:** With Shibboleth IdPs, the Entity ID is configured in '' | ||
+ | |||
+ | **Important: | ||
+ | |||
+ | ===== Display name ===== | ||
+ | The element ''< | ||
+ | |||
+ | ===== Description ===== | ||
+ | A short description for the public DFN-AAI directory and other services extracting human-readable information from federation metadata. Ampersands must be entered as ''& | ||
+ | |||
+ | ===== Information URL ===== | ||
+ | Link to a page containing additional information about the service, resp. - with IdPs - about the organization. | ||
+ | |||
+ | ===== Privacy Statement URL ===== | ||
+ | Link to the privacy statement of the IdP or SP. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. | ||
+ | |||
+ | ===== Logo ===== | ||
+ | Link to the logo and favicon if the organization resp. the service provider. An IdP favicon is displayed in the selection menu of discovery services. An SP logo is shown on IdP‘s login pages. SP metadata do not require a favicon. Requirements and recommendations: | ||
+ | * < | ||
+ | * Favicons should have a size of 16 x 16 px. | ||
+ | * A transparent background is recommended. | ||
+ | |||
+ | Also see the recommendations in the [[https:// | ||
+ | |||
+ | ===== Help Desk ===== | ||
+ | Contact information of your user help desk for the public DFN-AAI directory (e.g. e-mail address, phone number). | ||
+ | |||
+ | ===== Entity Category ===== | ||
+ | For Entity Categories resp. Entity Attributes please see our [[en: | ||
+ | |||
+ | ===== Entity Category Support ===== | ||
+ | Entity Attribute for an IdP to announce that it transmits all attributes defined in a certain Entity Category to all SPs using that Entity Category. | ||
+ | |||
+ | ===== Contacts ===== | ||
+ | Each entity' | ||
+ | * administrative: | ||
+ | * technical: contact information concerning the operation of the service | ||
+ | * support: contact information for end users | ||
+ | * security: contact information for security incidents. | ||
+ | Also see [[https:// | ||
+ | |||
+ | ===== Scope ===== | ||
+ | Scope of the IdP, mostly the domain of the organization. The organization has to be entitled to use the domain(s). SPs match the transmitted ‚scoped‘ attributes (e.g. eduPersonScopedAffiliation) against this string. See the [[en: | ||
+ | |||
+ | ===== Request Initiator ===== | ||
+ | Service Provider URL that initializes a login process. | ||
+ | |||
+ | ===== Discovery Response ===== | ||
+ | Service Provider URL the initializes IdP discovery. | ||
+ | |||
+ | ===== Certificates ===== | ||
+ | Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Note that every IdP/SP has to publish a certificate **for signing and encryption** of SAML communication. Use can either use the same certificate for both (empty purpose field) or tow different certificates (select the purpose from the drop-down menu). Also see the [[en: | ||
+ | |||
+ | For Service Providers | ||
< | < | ||
openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | ||
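Review bot: the new Certificates section (the `+` line beginning "Enter the certificates used to sign resp. encrypt") drops two requirements that the removed `-` lines in this hunk still stated, the 39-month maximum certificate validity and the rejection of certificates with a sha1 signature algorithm together with its openssl check; if those rules still apply, restate them in the new section so that "Check the certificate details before hitting the save button" tells operators what to check. The same line also reads "Use can either use the same certificate ... or tow different certificates", which should be "You can either use ... or two different certificates". Two more wording slips in this hunk: the Logo section says "favicon if the organization" (should be "of the organization"), and Discovery Response says "Service Provider URL the initializes IdP discovery" (should be "that initializes").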
Line 39: | Line 89: | ||
TLS Web Client Authentication, | TLS Web Client Authentication, | ||
</ | </ | ||
- | * This is what end points | + | |
+ | ===== Single Logout Services ===== | ||
+ | |||
+ | IdPs and SPs supporting Single Logout Requests have to publish the respective endpoints here. | ||
+ | |||
+ | Example | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | Example for Shibboleth SPs:< | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | ===== Assertion Consumer Services | ||
+ | Endpoints of an SPs Assertion Consumer Service. Examples:< | ||
Binding: urn: | Binding: urn: | ||
Index: 1</ | Index: 1</ | ||
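Review bot: the first Single Logout example block is introduced only by "Example", while the second is labelled "Example for Shibboleth SPs:"; give the first block a matching label naming the software or role it applies to, so the two lists of bindings can be told apart. Also "Endpoints of an SPs Assertion Consumer Service" should read "Endpoints of an SP's Assertion Consumer Service".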
Line 48: | Line 128: | ||
Binding: urn: | Binding: urn: | ||
Index: 4</ | Index: 4</ | ||
+ | |||
+ | ===== Attribute Consuming Service ===== | ||
+ | List of attributes the SP takes. | ||
+ | |||
+ | ===== Artifact Resolution Services ===== | ||
+ | Example:< | ||
+ | Binding: urn: | ||
+ | Index: 1</ | ||
+ | |||
+ | ===== Single Sign On Services ===== | ||
+ | Single Sign On end points of an IdP. Examples:< | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== Attribute Services ===== | ||
+ | IdP end points for Attribute Query via SOAP Requests. Example:< | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== NameID Formats ===== | ||
+ | Supported NameID formats. At least '' | ||
+ | |||
+ | ===== Federations ===== | ||
+ | |||
+ | Here you add your IdP/SP to federations. | ||
+ | If you submit your provider to DFN-AAI-Test or to local metadata, it is automatically added to the according metadata. Submissions for DFN-AAI and DFN-AAI-Basic are first checked by the DFN-AAI team. Admission is granted within a working day, unless the metadata form displays errors. Please fix these errors first! You can only add your IdP/SP to the international federation eduGAIN after it has been accepted to either DFN-AAI or DFN-AAI-Basic. You can find our policies in the [[en: | ||
+ | |||
+ | Information regarding the Degrees of Reliance: | ||
+ | |||
+ | IdP: | ||
+ | * Depending on the criteria your IdP fulfills add it to either DFN-AAI or DFN-AAI-Basic. | ||
+ | * In addition, an IdP can be registered in DFN-AAI-Test and in local metadata. Keeping a productive IdP in the test federation is not recommended. | ||
+ | * | ||
+ | SP: | ||
+ | * Choose the degree of reliance that an IdP (!) must fulfill to grant access to their users. In DFN-AAI only users of the ' | ||
+ | * Additionally, | ||
+ | * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least an IdP. | ||
* Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | ||
+ | |||
+ | **current/ | ||
{{: | {{: | ||
+ | |||
+ | **upcoming/ | ||
+ | {{: | ||
+ | |||
* If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us. | * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us. | ||
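Review bot: the IdP list under "Information regarding the Degrees of Reliance" ends with an empty bullet ("*") just before "SP:"; remove it or fill it in. "List of attributes the SP takes" is vague; state whether these are the attributes the SP requires or the ones it merely requests. In the SP list, "to grant access to their users" should be "to grant access to its users", and the sentence reads more clearly as "Choose the degree of reliance an IdP must fulfill before its users are granted access".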