Differences
This shows you the differences between two versions of the page.
en:checklist [2022/04/05 13:23] – started to revise content Silke Meyer | en:checklist [2022/05/23 16:59] – [Federations] added screenshot for new metadata admin tool Silke Meyer | ||
---|---|---|---|
Line 13: | Line 13: | ||
Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button: | Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button: | ||
+ | **current/ | ||
{{: | {{: | ||
+ | |||
+ | **upcoming/ | ||
+ | {{: | ||
* The metadata administration tool can fetch your IdP' | * The metadata administration tool can fetch your IdP' | ||
Line 47: | Line 51: | ||
* Favicons should have a size of 16 x 16 px. | * Favicons should have a size of 16 x 16 px. | ||
* A transparent background is recommended. | * A transparent background is recommended. | ||
- | * | + | |
Also see the recommendations in the [[https:// | Also see the recommendations in the [[https:// | ||
+ | ===== Help Desk ===== | ||
+ | Contact information of your user help desk for the public DFN-AAI directory (e.g. e-mail address, phone number). | ||
- | * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend | + | ===== Entity Category ===== |
- | * Have your X.509 **certificate** for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are: | + | For Entity Categories resp. Entity Attributes please see our [[en:entity_attributes|Documentation]]. |
- | * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation | + | |
- | * SPs can use DFN-PKI certificates | + | ===== Entity Category Support ===== |
- | * SSL certificates must not exceed a **validity of 39 months**. | + | Entity Attribute for an IdP to announce that it transmits all attributes defined in a certain Entity Category to all SPs using that Entity Category. |
- | * For security reasons, we do no longer accept certificates | + | |
- | < | + | ===== Contacts ===== |
- | openssl x509 -in example.org.crt.pem -noout -text | grep " | + | Each entity' |
- | </ | + | * administrative: |
+ | | ||
+ | | ||
+ | | ||
+ | Also see [[https:// | ||
+ | |||
+ | ===== Scope ===== | ||
+ | Scope of the IdP, mostly | ||
+ | |||
+ | ===== Request Initiator ===== | ||
+ | Service Provider URL that initializes | ||
+ | |||
+ | ===== Discovery Response ===== | ||
+ | Service Provider URL the initializes IdP discovery. | ||
+ | |||
+ | ===== Certificates ===== | ||
+ | Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Also see the [[en: | ||
- | * For Service Providers: If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called " | + | For Service Providers |
< | < | ||
openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 " | ||
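Review bot: the new "Certificates" section (the added line beginning "Enter the certificates used to sign resp. encrypt the SAML communication") drops the concrete constraints the removed bullets stated: the 39-month maximum validity, the rule that certain certificates are "for security reasons" no longer accepted, the IdP requirement for DFN-PKI second-generation certificates, and the `openssl x509 ... | grep` one-liner used to check them. "Check the certificate details before hitting the save button" does not tell an operator which details to check; keep at least the validity cap and the rejection rule inline next to the link to the certificates page, and keep that openssl check alongside the "TLS Web Client Authentication" check that remains in this hunk. Smaller point in the same hunk: "Service Provider URL the initializes IdP discovery" under "Discovery Response" has a typo ("the" for "that") and is almost word for word the "Request Initiator" description ("Service Provider URL that initializes"); these are separate metadata endpoints, so the two descriptions should say how they differ (which one starts the SSO request and which one receives the discovery service's answer).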
Line 67: | Line 89: | ||
TLS Web Client Authentication, | TLS Web Client Authentication, | ||
</ | </ | ||
- | * This is what end points | + | |
+ | ===== Single Logout Services ===== | ||
+ | |||
+ | IdPs and SPs supporting Single Logout Requests have to publish the respective endpoints here. | ||
+ | |||
+ | Example | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | Example for Shibboleth SPs:< | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | https:// | ||
+ | urn: | ||
+ | |||
+ | ===== Assertion Consumer Services | ||
+ | Endpoints of an SPs Assertion Consumer Service. Examples:< | ||
Binding: urn: | Binding: urn: | ||
Index: 1</ | Index: 1</ | ||
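Review bot: the first Single Logout example (the added line reading just "Example") has no label, while the second says "Example for Shibboleth SPs:"; since the section opens with "IdPs and SPs supporting Single Logout Requests", the first block is presumably the IdP example and should say so. The SLO examples also list each "urn:" binding and "https://" location as bare alternating lines, whereas the "Assertion Consumer Services" example in this hunk uses "Binding:" / "Index:" labels; use the same "Binding:" / "Location:" labelling for the SLO endpoints so it is unambiguous which URN belongs to which URL.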
Line 76: | Line 128: | ||
Binding: urn: | Binding: urn: | ||
Index: 4</ | Index: 4</ | ||
+ | |||
+ | ===== Attribute Consuming Service ===== | ||
+ | List of attributes the SP takes. | ||
+ | |||
+ | ===== Artifact Resolution Services ===== | ||
+ | Example:< | ||
+ | Binding: urn: | ||
+ | Index: 1</ | ||
+ | |||
+ | ===== Single Sign On Services ===== | ||
+ | Single Sign On end points of an IdP. Examples:< | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== Attribute Services ===== | ||
+ | IdP end points for Attribute Query via SOAP Requests. Example:< | ||
+ | Location: https:// | ||
+ | Binding: urn: | ||
+ | |||
+ | ===== NameID Formats ===== | ||
+ | Supported NameID formats. At least '' | ||
+ | |||
+ | ===== Federations ===== | ||
+ | |||
+ | Here you add your IdP/SP to federations. | ||
+ | If you submit your provider to DFN-AAI-Test or to local metadata, it is automatically added to the according metadata. Submissions for DFN-AAI and DFN-AAI-Basic are first checked by the DFN-AAI team. Admission is granted within a working day, unless the metadata form displays errors. Please fix these errors first! You can only add your IdP/SP to the international federation eduGAIN after it has been accepted to either DFN-AAI or DFN-AAI-Basic. You can find our policies in the [[en: | ||
+ | |||
+ | Information regarding the Degrees of Reliance: | ||
+ | |||
+ | IdP: | ||
+ | * Depending on the criteria your IdP fulfills add it to either DFN-AAI or DFN-AAI-Basic. | ||
+ | * In addition, an IdP can be registered in DFN-AAI-Test and in local metadata. Keeping a productive IdP in the test federation is not recommended. | ||
+ | * | ||
+ | SP: | ||
+ | * Choose the degree of reliance that an IdP (!) must fulfill to grant access to their users. In DFN-AAI only users of the ' | ||
+ | * Additionally, | ||
+ | * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least an IdP. | ||
* Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en: | ||
+ | |||
+ | **current/ | ||
{{: | {{: | ||
+ | |||
+ | **upcoming/ | ||
+ | {{: | ||
+ | |||
* If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us. | * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us. | ||
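Review bot: "List of attributes the SP takes." under "Attribute Consuming Service" is too vague for an operator filling in the form; state that this is the list of attributes the SP requests from the IdP, and whether each one is required or optional, since that is what the IdP side evaluates. Also in this hunk: the IdP bullet list under "Information regarding the Degrees of Reliance" ends with an empty "*" item that should be removed or filled in, and the "Single Sign On Services" example shows a third "Binding: urn:" line with no "Location:" line after it, unlike the two bindings above it, so check that the location was not lost.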