Differences
This shows you the differences between two versions of the page.
en:checklist [2022/04/05 13:23] – started to revise content Silke Meyer | en:checklist [2022/04/05 14:11] – Most parts are translated Silke Meyer
Line 47: | Line 47: | ||
* Favicons should have a size of 16 x 16 px. | * Favicons should have a size of 16 x 16 px. | ||
* A transparent background is recommended. | * A transparent background is recommended. | ||
- | * | + | |
Also see the recommendations in the [[https:// | Also see the recommendations in the [[https:// | ||
+ | ===== Help Desk ===== | ||
+ | Contact information of your user help desk for the public DFN-AAI directory (e.g. e-mail address, phone number). | ||
- | * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date! | + | ===== Entity Category ===== |
- | * Have your X.509 **certificate** for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are: | + | For Entity Categories resp. Entity Attributes please see our [[en:entity_attributes|Documentation]]. |
- | * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. | + | |
- | * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates. | + | |
- | * SSL certificates must not exceed a **validity of 39 months**. | + | |
- | * For security reasons, we do no longer accept certificates that were created with a sha1 **signature algorithm**. Here is how you can check this, e.g. with openssl: | + | |
- | < | + | |
- | openssl x509 -in example.org.crt.pem -noout -text | grep " | + | |
- | </ | + | |
- | | + | ===== Entity Category Support ===== |
+ | Entity Attribute for an IdP to announce that it transmits all attributes defined in a certain Entity Category to all SPs using that Entity Category. | ||
+ | |||
+ | ===== Contacts ===== | ||
+ | Each entity' | ||
+ | | ||
+ | * technical: contact information concerning the operation of the service | ||
+ | * support: contact information for end users | ||
+ | * security: contact information for security incidents. | ||
+ | Also see [[https:// | ||
+ | |||
+ | ===== Scope ===== | ||
+ | Scope of the IdP, mostly the domain of the organization. The organization has to be entitled to use the domain(s). SPs match the transmitted ‚scoped‘ attributes (e.g. eduPersonScopedAffiliation) against this string. See the [[en: | ||
+ | |||
+ | ===== Request Initiator ===== | ||
+ | Service Provider URL that initializes a login process. | ||
+ | |||
+ | ===== Discovery Response ===== | ||
+ | Service Provider URL the initializes IdP discovery. | ||
+ | |||
+ | ===== Certificates ===== | ||
+ | Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Also see the [[en: | ||
+ | |||
+ | For Service Providers | ||
< | < | ||
openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | ||
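Review bot: the new ===== Certificates ===== block drops the concrete constraints the old checklist carried in this region: the 39-month maximum validity, the refusal of certificates signed with sha1 together with the openssl one-liner for checking the signature algorithm, and the note that only second-generation DFN-PKI certificates are accepted for IdPs. "Check the certificate details before hitting the save button" gives the operator nothing to check against; either keep those bullets under Certificates or say explicitly that the linked certificates page states them. The same applies to ===== Contacts =====: the old advice to use non-personalized addresses (a CERT address for the security contact) and to keep them current was removed, and the new list only names the four roles. Smaller points: "sign resp. encrypt" should read "sign or encrypt"; "Service Provider URL the initializes IdP discovery" should read "that initiates"; and the bare line "For Service Providers" in front of the remaining openssl/EKU block needs a colon or a sentence so the reader sees that the "TLS Web Client Authentication" check applies to SP certificates only.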
Line 67: | Line 85: | ||
TLS Web Client Authentication, | TLS Web Client Authentication, | ||
</ | </ | ||
- | * This is what end points | + | |
+ | ===== Single Logout Services ===== | ||
+ | |||
+ | IdPs and SPs supporting Single Logout Requests have to publish the respective endpoints here. | ||
+ | |||
+ | Example | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | Example for Shibboleth SPs:< | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | ===== Assertion Consumer Services | ||
+ | Endpoints of an SPs Assertion Consumer Service. Examples:< | ||
Binding: urn: | Binding: urn: | ||
Index: 1</ | Index: 1</ | ||
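Review bot: the first Single Logout example block is introduced only by "Example", while the second is labelled "Example for Shibboleth SPs:"; since the sentence above addresses both IdPs and SPs, give the first block its own label so the reader knows which side each endpoint list belongs to. The heading "===== Assertion Consumer Services" is missing its closing "=====" and "an SPs Assertion Consumer Service" should read "an SP's". One sentence stating that an entity publishes an SLO endpoint only if it actually serves logout requests there (the section says "supporting Single Logout Requests", but the examples read as a template to copy) would prevent dead endpoints ending up in the metadata.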
Line 76: | Line 124: | ||
Binding: urn: | Binding: urn: | ||
Index: 4</ | Index: 4</ | ||
+ | |||
+ | ===== Attribute Consuming Service ===== | ||
+ | List of attributes the SP takes. | ||
+ | |||
+ | ===== Artifact Resolution Services ===== | ||
+ | Example:< | ||
+ | Binding: urn: | ||
+ | Index: 1</ | ||
+ | |||
+ | ===== Single Sign On Services ===== | ||
+ | Single Sign On end points of an IdP. Examples:< | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== Attribute Services ===== | ||
+ | IdP end points for Attribute Query via SOAP Requests. Example:< | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== NameID Formats ===== | ||
+ | Supported NameID formats. At least '' | ||
+ | |||
+ | ===== Federations ===== | ||
+ | |||
+ | |||
* Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | ||
{{: | {{: |
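Review bot: under ===== NameID Formats ===== the sentence stops after "At least ''" and names no format, so the requirement is not stated; complete it. "List of attributes the SP takes" under ===== Attribute Consuming Service ===== should say which attributes the SP requests, and whether they are required or optional, since that is what the attribute consuming service declares. The new ===== Federations ===== heading is added with an empty body directly above the pre-existing test-federation bullet and screenshot; either make that bullet the section's text or move the heading so the section is not empty. The remaining context line "Index: 4" for the Assertion Consumer Services examples is preceded by "Index: 1" in the previous hunk; a note that indices must be unique per SP and that the default ACS is the one marked as such would help the operator filling in four entries. Minor: the new text uses both "end points" and "endpoints"; pick one.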