Differences

This shows you the differences between two versions of the page.

en:checklist [2022/04/05 15:11] – [Federations] translation complete Silke Meyer
en:checklist [2023/03/21 13:07] (current) – Tagged "needs-update" Silke Meyer
Line 13: Line 13:
 Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button: Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button:
  
-{{:en:metadata_admin_tool:no-federation.png?600|}}+{{:en:metadata_admin_tool:no-federation-newmdv.png?800|}}
  
-  * The metadata administration tool can fetch your IdP's/SP's metadata from the system. If you get a warning saying **unable to open file**, your webserver does not return the full certificate chain. On the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] you can read how to correct this. +  * Fill in all fields. If you see **warnings** correct them before submitting the IdP/SP to production.
-  * Fill in all fields. If you see **red warnings** correct them before submitting the IdP/SP to production.+
   * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved.   * Use host name resp. URLs that can be resolved from outside your network. Systems with internal top level domains cannot be saved.
  
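Review bot: The removed first bullet was the only place in this list that explained the **unable to open file** warning and tied it to a webserver that does not return the full certificate chain. If the metadata administration tool can still show that warning when it fetches metadata, keep a one-line pointer to the [[en:certificates#the_ssl_certificate_chain_on_your_webserver|certificates page]] so that admins who hit it still have a lead from the checklist. In the added bullet, a comma after "warnings" would help: "If you see **warnings**, correct them before submitting the IdP/SP to production."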
Line 44: Line 43:
 ===== Logo ===== ===== Logo =====
 Link to the logo and favicon if the organization resp. the service provider. An IdP favicon is displayed in the selection menu of discovery services. An SP logo is shown on IdP‘s login pages. SP metadata do not require a favicon. Requirements and recommendations: Link to the logo and favicon if the organization resp. the service provider. An IdP favicon is displayed in the selection menu of discovery services. An SP logo is shown on IdP‘s login pages. SP metadata do not require a favicon. Requirements and recommendations:
-  * <del>New logos and favicons must be uploaded to and served by the metadata administration tool.</del> Logos should be 64 to 240 px wide and 48 to 180 px high.+  * New logos and favicons must be uploaded to and served by the metadata administration tool. Logos should be 64 to 240 px wide and 48 to 180 px high.
   * Favicons should have a size of 16 x 16 px.   * Favicons should have a size of 16 x 16 px.
   * A transparent background is recommended.   * A transparent background is recommended.
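Review bot: With the <del> markup removed from the first bullet, "must be uploaded to and served by the metadata administration tool" is a hard requirement again, but the unchanged intro sentence still opens with "Link to the logo and favicon", which reads as if an externally hosted URL were acceptable. Since SP logos are shown on IdP login pages, the intro should match the requirement, for example "Upload the logo and favicon of the organization resp. the service provider." The same sentence has "if the organization" where "of the organization" is meant; fix it while touching this paragraph.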
Line 77: Line 76:
  
 ===== Certificates ===== ===== Certificates =====
-Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Also see the [[en:certificates|detailed information about certificates]], certificate rollover, and certificate chains.+Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Note that every IdP/SP has to publish a certificate **for signing and encryption** of SAML communication. Use can either use the same certificate for both (empty purpose field) or tow different certificates (select the purpose from the drop-down menu). Also see the [[en:certificates|detailed information about certificates]], certificate rollover, and certificate chains.
  
 For Service Providers (optional): If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl: For Service Providers (optional): If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
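Review bot: The sentence added to the Certificates paragraph has two typos: "Use can either use" should be "You can either use", and "tow different certificates" should be "two different certificates". The preceding added sentence, "every IdP/SP has to publish a certificate **for signing and encryption**", is also ambiguous next to the two-certificate option; wording such as "has to publish certificates that cover both signing and encryption" would agree with the sentence that follows it.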
Line 165: Line 164:
   * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least an IdP.   * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least an IdP.
   * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly.   * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly.
-{{:en:metadata_admin_tool:test-en.png?600|}}+ 
 +{{:en:metadata_admin_tool:test-en-newmdv.png?800|}} 
   * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.   * If it does, submit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.
  
-{{:en:metadata_admin_tool:in-progress.png?600|}}+{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
  
-{{tag>mdvdoku}}+{{tag>needs-update}}
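Review bot: The last changed line replaces the "mdvdoku" tag with "needs-update" instead of adding to it, so the page drops out of the mdvdoku tag listing while it waits for its update. If it should stay listed with the rest of the tool documentation, keep both, i.e. {{tag>mdvdoku needs-update}}. Minor: the new pending screenshot keeps ?600 while the other two replaced images in this revision moved to ?800; use one width unless the difference is intended.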