Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
Next revisionBoth sides next revision
en:checklist [2021/07/20 09:44] – partly translated Silke Meyeren:checklist [2021/07/20 11:58] – replaces en:metadata_admin_tool:checklist, correctly recognized translation page Silke Meyer
Line 1: Line 1:
-FIXME **This page is not fully translated, yet. Please help completing the translation.**\\ //(remove this paragraph once the translation is finished)// +====== Check list for publishing metadata ======
- +
-====== How to fill in metadata======+
  
 <callout color="#ff9900" title="Access to the metadata administration tool"> <callout color="#ff9900" title="Access to the metadata administration tool">
Line 18: Line 16:
  
   * The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying **unable to open file**, your webserver does not return the full certificate chain. On the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] you can read how to correct this.   * The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying **unable to open file**, your webserver does not return the full certificate chain. On the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] you can read how to correct this.
-  * Fill in all fields if possible. If you see red warnings correct them before submitting the IdP/SP to production.+  * Fill in all fields. If you see **red warnings** correct them before submitting the IdP/SP to production.
   * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved.   * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved.
-  * Display name: the name of your institution, organization, or company +  * **Display name:** the name of your institution, organization, or company 
-  * Description: A short description, e.g. "Identity Provider of University XY" +  * **Description:** A short description, e.g. "Identity Provider of University XY" 
-  * Information URL: Website of the institution, organization, or company +  * **Information URL:** Website of the institution, organization, or company 
-  * **Privacy Statement URL**Add the link to your privacy statement. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. +  * **Privacy Statement URL:** Add the link to your privacy statement. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank. 
-  * The **logos** are displayed during Discovery (IdP favicons) resp. on login screens. That is why they have **maximum sizes**. Scale your logos down to fit this size. Logos (big) can have a width of 64 to 240 px and a maximum height of 180 px. Favicons (logo small) have a size of 16 x 16 px. Service Providers do not need a small logo/favicon. To participate in [[de:edugain|eduGAIN (de)]] a working logo URL **must** be submitted. +  * The **logos** are displayed during Discovery (IdP favicons) resp. on login screens. That is why they have **maximum sizes**. Scale your logos down to fit this size. Logos (big) can have a width of 64 to 240 px and a maximum height of 180 px. Favicons (logo small) have a size of 16 x 16 px. Service Providers do not need a small logo/favicon, just a big one. To participate in [[de:edugain|eduGAIN (de)]] a working logo URL **must** be submitted. 
- +  * Please submit at least four **contacts** per systemAn administrative contacta technical onea support contact and a security contactWe recommend to use non-personalized email addressesespecially for the security contact which could be your Computer Emergency Response TeamIf you do not have anything like thatput in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date
-  * Für jedes System werden mindestens 4 **Kontaktadressen** hinterlegtAdministrativer Kontakttechnischer KontaktSupportkontakt und SicherheitskontaktGrundsätzlich sollten hier Funktionsadressen angegeben werdeninsbesondere beim Sicherheitskontakt (z.Bdie Ihres CERTs). Wenn Ihre Einrichtung bzw. Firma nicht über eine solche Stelle verfügtverwenden Sie die Adresse derjenigen, die bei Sicherheitsvorfällen ansprechbar sind. Achten Sie bitte darauf, dass die in der Metadatenverwaltung hinterlegten E-Mail-Adressen aktuell gehalten werden!  +  * Have your X.509 **certificate** for SAML-based communication readyWe have an [[en:certificates|information page about certificates]]. The most important items are
-  * Halten Sie Ihr X.509-Zertifikat für die SAML-basierte Kommunikation bereitDie vollständigen Informationen zu diesen Zertifikaten finden Sie hier: [[https://doku.tid.dfn.de/de:certificates|https://doku.tid.dfn.de/de:certificates]]. Das Wichtigste in Kürze+    * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid
-      * IdPs verwenden Zertifikate der DFN-PKI. +    * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates
-      * SPs dürfen DFN-PKI-Zertifikate (falls berechtigt), Zertifikate einer etablierten kommerziellen CA oder selbstsignierte Zertifikate verwenden+    * SSL certificates must not exceed a **validity of 39 months**. 
-      Die SSL-Zertifikate dürfen eine **Gültigkeit von 39 Monaten** nicht überschreiten+    For security reasonswe do no longer accept certificates that were created with a sha1 **signature algorithm**. Here is how you can check thise.g. with openssl:
-      CA-Zertifikatedie mit dem **Signaturalgorithmus** sha1 erstellt wurdenakzeptieren wir aus Sicherheitsgründen nicht mehr (gilt nicht für selbst-signierte Zertifikate)So können Sie dies am Beispiel von openssl prüfen: +
 <code> <code>
 openssl x509 -in example.org.crt.pem -noout -text | grep "Signature Algorithm" | uniq openssl x509 -in example.org.crt.pem -noout -text | grep "Signature Algorithm" | uniq
 </code> </code>
  
-  * Für Service Provider, optionalFalls der betreffende SP Attribute Queries und Artifact Queries ausführen können sollsollten SP-Zertifikate mit dem **Client-Attribut** ausgestattet seinBei der DFN-PKI sorgt das Profil "Shibboleth-IdP/-SP" dafür, dass es dabei istWenn Sie nicht die DFN-PKI nutzenkönnen Sie sich an der [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|Dokumentation unserer Schweizer Kolleg*innen]] orientierenWenn Sie keine Attribute Queries und Artifact Queries brauchendann deaktivieren Sie bitte dieses Feature in der SP-KonfigurationBeim Shibboleth SP muss das Element <AttributeResolver type="Query"> auszukommentiert und shibd erneut gestartet werdenAußerdem sollten Sie den Binding URL für Artifact Resolution Services sowie alle SOAP-Bindings (Logout) entfernenSo überprüfen Sie Ihr SP-Zertifikat am Beispiel von openssl: +  * For Service ProvidersIf you need your SP to execute **Attribute Queries or Artifact Queries**your SP certificate should have the client attribute setIf you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP"If you do not use DFN-PKI certificateshave a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
 <code> <code>
 openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage"
Line 45: Line 40:
 </code> </code>
  
-  * Nehmen Sie Ihr System in die **Testföderation** DFN-AAI-Test aufNutzen Sie unsere [[de:functionaltest|öffentlichen Testsysteme]], um zu schauen, ob erfolgreich Attribute übertragen werden+  * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly
-{{:de:metadata_admin_tool:test-de.png?600|}} +{{:en:metadata_admin_tool:test-en.png?600|}} 
- +  * If it doessubmit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.
-  * Wenn das klapptbeantragen Sie die Aufnahme in die Produktivföderation.+
  
-{{:de:metadata_admin_tool:in-bearbeitung.png?600|}}+{{:en:metadata_admin_tool:in-progress.png?600|}}
  
  • Last modified: 13 months ago