en:checklist [2021/07/20 09:28] – clickable email Silke Meyer
en:checklist [2023/03/21 13:07] (current) – Tagged "needs-update" Silke Meyer
Line 1: Line 1:
-FIXME **This page is not fully translated, yet. Please help completing the translation.**\\ //(remove this paragraph once the translation is finished)// +====== Check list for publishing metadata ======
- +
-====== How to fill in Metadata? ======+
  
 <callout color="#ff9900" title="Access to the metadata administration tool"> <callout color="#ff9900" title="Access to the metadata administration tool">
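Review bot: the new title "Check list for publishing metadata" does not match the page id en:checklist or the usual one-word spelling; suggest "Checklist for publishing metadata". Removing the FIXME translation banner is consistent with the rest of this revision, which replaces the remaining German paragraphs.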
Line 13: Line 11:
 Please have a look at the valid version of the [[en:normative_documents|Metadata Registration Practice Statements]]. Please have a look at the valid version of the [[en:normative_documents|Metadata Registration Practice Statements]].
  
-Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below+Before submitting a new IdP/SP to the federation, please make sure you have filled in the form as described below - that is: before you activate a federation with this radio button:
-Bitte beherzigen Sie die Punkte dieser Checkliste, bevor Sie Ihren neuen IdP/SP in die Produktivföderation aufnehmen, bevor Sie also diesen Radio-Button klicken:+
  
-{{:en:metadata_admin_tool:no-federation.png?600|}}+{{:en:metadata_admin_tool:no-federation-newmdv.png?800|}}
  
-  * Wenn beim Auslesen der Metadaten eines neuen IdP die Fehlermeldung **unable to open file** erscheint, dann liefert Ihr Webserver nicht die komplette Zertifikatskette aus. Bitte lesen Sie unter [[https://doku.tid.dfn.de/de:certificates#einrichtung_der_vollstaendigen_zertifikatskette_auf_dem_webserver | Einrichtung der vollständigen Zertifikatskette auf dem Webserver]] nach und korrigieren Sie dies zunächst. +  * Fill in all fieldsIf you see **warnings** correct them before submitting the IdP/SP to production
-  * Füllen Sie möglichst alle Felder aus. Wenn rote Warnungen auftauchen, beheben Sie sie zuerst. +  * Use host name respURLs that can be resolved from outside your networkSystems with internal top level domains cannot be saved.
-  * Verwenden Sie nur Hostnames bzw. URLs, die von außen auflösbar sind. Hausinterne Top-Level-Domains lassen sich nicht speichern. +
-  * Displayname: der Name Ihrer Einrichtung, Institution oder Firma +
-  * Beschreibung: Kurzbeschreibung, z.B. "Identity Provider der Universität XY" +
-  * Information URL: Website der Einrichtung, Institution oder Firma +
-  * **Privacy Statement URL**: Hinterlegen Sie hier den Link zu Ihrer **Datenschutzerklärung**. Das Feld ist **für Service Provider Pflicht**. Wenn Sie nur eine deutschsprachige Datenschutzerklärung haben, können Sie das Feld "Privacy Statement URL (englisch)" leer lassen und umgekehrt. +
-  * Die **Logos** werden im Discovery Service (Favicons der IdPs) bzw. in Loginmasken eingeblendet. Deshalb haben sie fest definierte Größen bzw. **Maximalgrößen**. Skalieren Sie Ihre Logos so, dass sie dort hineinpassen. Die Logos (groß) sind zwischen 64 und 240 Pixel breit und max. 180 Pixel hoch sein. Die Favicons (Logo klein) sind 16 mal 16 Pixel groß. Für Service Provider wird //kein// kleines Logo/Favicon benötigtFür die Teilnahme in [[de:edugain|eduGAIN]] **muss** ein funktionierender Logo URL hnterlegt sein.   +
-  * Für jedes System werden mindestens 4 **Kontaktadressen** hinterlegt: Administrativer Kontakt, technischer Kontakt, Supportkontakt und SicherheitskontaktGrundsätzlich sollten hier Funktionsadressen angegeben werden, insbesondere beim Sicherheitskontakt (z.B. die Ihres CERTs). Wenn Ihre Einrichtung bzw. Firma nicht über eine solche Stelle verfügt, verwenden Sie die Adresse derjenigen, die bei Sicherheitsvorfällen ansprechbar sind. Achten Sie bitte darauf, dass die in der Metadatenverwaltung hinterlegten E-Mail-Adressen aktuell gehalten werden!  +
-  * Halten Sie Ihr X.509-Zertifikat für die SAML-basierte Kommunikation bereit. Die vollständigen Informationen zu diesen Zertifikaten finden Sie hier: [[https://doku.tid.dfn.de/de:certificates|https://doku.tid.dfn.de/de:certificates]]. Das Wichtigste in Kürze: +
-      * IdPs verwenden Zertifikate der DFN-PKI. +
-      * SPs dürfen DFN-PKI-Zertifikate (falls berechtigt), Zertifikate einer etablierten kommerziellen CA oder selbstsignierte Zertifikate verwenden. +
-      * Die SSL-Zertifikate dürfen eine **Gültigkeit von 39 Monaten** nicht überschreiten. +
-      * CA-Zertifikate, die mit dem **Signaturalgorithmus** sha1 erstellt wurden, akzeptieren wir aus Sicherheitsgründen nicht mehr (gilt nicht für selbst-signierte Zertifikate)So können Sie dies am Beispiel von openssl prüfen:+
  
-<code> +===== Entity ID ===== 
-openssl x509 -in example.org.crt.pem -noout -text | grep "Signature Algorithm" | uniq +A unique string that globally distinguishes this entity from all other entities. The Entity ID is an absolute https-scheme URL. The federation participant has to make sure they are entitled to use the domain in the URLSee the [[en:normative_documents|Metadata Registration Practice Statement]] for details.
-</code>+
  
-  Für Service Provider, optionalFalls der betreffende SP Attribute Queries und Artifact Queries ausführen können soll, sollten SP-Zertifikate mit dem **Client-Attribut** ausgestattet sein. Bei der DFN-PKI sorgt das Profil "Shibboleth-IdP/-SP" dafür, dass es dabei ist. Wenn Sie nicht die DFN-PKI nutzen, können Sie sich an der [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|Dokumentation unserer Schweizer Kolleg*innen]] orientierenWenn Sie keine Attribute Queries und Artifact Queries brauchen, dann deaktivieren Sie bitte dieses Feature in der SP-KonfigurationBeim Shibboleth SP muss das Element <AttributeResolver type="Query"> auszukommentiert und shibd erneut gestartet werden. Außerdem sollten Sie den Binding URL für Artifact Resolution Services sowie alle SOAP-Bindings (Logout) entfernen. So überprüfen Sie Ihr SP-Zertifikat am Beispiel von openssl:+**Examples:** 
 +  * IdPhttps://idp.example.org/idp/shibboleth 
 +  * SP: https://sp.example.org/shibboleth
  
 +**Remark:** With Shibboleth IdPs, the Entity ID is configured in ''./conf/idp.properties'', with Shibboleth SPs in ''/etc/shibboleth/shibboleth2.xml''.
 +
 +**Important: You cannot change an Entity ID in this form!** Doing so results in a copy of the whole entry being created. The old entity stays unless you explicitly delete it.
 +
 +===== Display name =====
 +The element ''<mdui:DisplayName>'' contains a human-readable name of the service. Identity Providers' display names are shown in the selection menu of discovery services. Service Providers' display names are displayed on an IdP's login page and in the user consent dialogue. Ampersands must be entered as ''&amp;'' !
 +
 +===== Description =====
 +A short description for the public DFN-AAI directory and other services extracting human-readable information from federation metadata. Ampersands must be entered as ''&amp;'' !
 +
 +===== Information URL =====
 +Link to a page containing additional information about the service, resp. - with IdPs - about the organization.
 +
 +===== Privacy Statement URL =====
 +Link to the privacy statement of the IdP or SP. **For Service Providers the field is mandatory.** If you only have a privacy statement in either English or German you can leave the second field blank.
 +
 +===== Logo =====
 +Link to the logo and favicon if the organization resp. the service provider. An IdP favicon is displayed in the selection menu of discovery services. An SP logo is shown on IdP‘s login pages. SP metadata do not require a favicon. Requirements and recommendations:
 +  * New logos and favicons must be uploaded to and served by the metadata administration tool. Logos should be 64 to 240 px wide and 48 to 180 px high.
 +  * Favicons should have a size of 16 x 16 px.
 +  * A transparent background is recommended.
 +
 +Also see the recommendations in the [[https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2578448519/IdPMDUIRecommendations|Shibboleth Wiki]].
 +
 +===== Help Desk =====
 +Contact information of your user help desk for the public DFN-AAI directory (e.g. e-mail address, phone number).
 +
 +===== Entity Category =====
 +For Entity Categories resp. Entity Attributes please see our [[en:entity_attributes|Documentation]].
 +
 +===== Entity Category Support =====
 +Entity Attribute for an IdP to announce that it transmits all attributes defined in a certain Entity Category to all SPs using that Entity Category.
 +
 +===== Contacts =====
 +Each entity's metadata should provide contact information for the following roles. If possible, it should not be personal e-mail addresses.
 +  * administrative: contact information for administrative issues
 +  * technical: contact information concerning the operation of the service
 +  * support: contact information for end users
 +  * security: contact information for security incidents.
 +Also see [[https://wiki.refeds.org/display/SIRTFI/Choosing+a+Sirtfi+Contact|Choosing a Sirtfi Contact]].
 +
 +===== Scope =====
 +Scope of the IdP, mostly the domain of the organization. The organization has to be entitled to use the domain(s). SPs match the transmitted ‚scoped‘ attributes (e.g. eduPersonScopedAffiliation) against this string. See the [[en:normative_documents|Metadata Registration Practice Statement]] for details.
 +
 +===== Request Initiator =====
 +Service Provider URL that initializes a login process.
 +
 +===== Discovery Response =====
 +Service Provider URL the initializes IdP discovery.
 +
 +===== Certificates =====
 +Enter the certificates used to sign resp. encrypt the SAML communication (in pem format). Check the certificate details before hitting the save button. Note that every IdP/SP has to publish a certificate **for signing and encryption** of SAML communication. Use can either use the same certificate for both (empty purpose field) or tow different certificates (select the purpose from the drop-down menu). Also see the [[en:certificates|detailed information about certificates]], certificate rollover, and certificate chains.
 +
 +For Service Providers (optional): If you need your SP to execute **Attribute Queries or Artifact Queries**, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
 <code> <code>
 openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage"
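Review bot: the rewritten Certificates section drops the two concrete constraints the old bullets stated, the 39-month maximum validity and the rejection of CA certificates signed with sha1 (together with the ''openssl x509 ... | grep "Signature Algorithm" | uniq'' check), and now only points to [[en:certificates]]; either confirm that page states both rules or keep them here as a one-line reminder, since operators use this checklist before clicking the federation radio button. Smaller points in the same hunk: "Use can either use the same certificate for both ... or tow different certificates" should read "You can either use ... or two different certificates"; "Link to the logo and favicon if the organization" should be "of the organization", and because the next bullet says logos "must be uploaded to and served by the metadata administration tool", "Link to" is misleading; "Service Provider URL the initializes IdP discovery" should be "that initializes"; and the literal element <AttributeResolver type="Query"> should be set in '' '' like ''<mdui:DisplayName>'' and ''./conf/idp.properties'' elsewhere in this hunk.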
Line 45: Line 85:
 </code> </code>
  
-  Nehmen Sie Ihr System in die **Testföderation** DFN-AAI-Test aufNutzen Sie unsere [[de:functionaltest|öffentlichen Testsysteme]], um zu schauen, ob erfolgreich Attribute übertragen werden+===== Single Logout Services ===== 
-{{:de:metadata_admin_tool:test-de.png?600|}}+ 
 +IdPs and SPs supporting Single Logout Requests have to publish the respective endpoints here. 
 + 
 +Example for Shibboleth IdPs:<code>https://idp.example.org/idp/profile/SAML2/Redirect/SLO 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
 + 
 +https://idp.example.org/idp/profile/SAML2/POST/SLO 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
 + 
 +https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SLO 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign 
 + 
 +https://idp.example.org:8443/idp/profile/SAML2/SOAP/SLO 
 +urn:oasis:names:tc:SAML:2.0:bindings:SOAP</code> 
 + 
 +Example for Shibboleth SPs:<code>https://sp.example.org/Shibboleth.sso/SLO/SOAP 
 +urn:oasis:names:tc:SAML:2.0:bindings:SOAP 
 + 
 +https://sp.example.org/Shibboleth.sso/SLO/Redirect 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
 + 
 +https://sp.example.org/Shibboleth.sso/SLO/POST 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
 + 
 +https://sp.example.org/Shibboleth.sso/SLO/Artifact 
 +urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact</code> 
 + 
 +===== Assertion Consumer Services ===== 
 +Endpoints of an SPs Assertion Consumer Service. Examples:<code>Location: https://example.org:8443/Shibboleth.sso/SAML2/POST 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
 +Index: 1</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/POST-SimpleSign 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign 
 +Index: 2</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/Artifact 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact 
 +Index: 3</code><code>Location: https://example.org:8443/Shibboleth.sso/SAML2/ECP 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:PAOS 
 +Index: 4</code> 
 + 
 +===== Attribute Consuming Service ===== 
 +List of attributes the SP takes. 
 + 
 +===== Artifact Resolution Services ===== 
 +Example:<code>Location: https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:SOAP 
 +Index: 1</code> 
 + 
 +===== Single Sign On Services ===== 
 +Single Sign On end points of an IdP. Examples:<code>Location: https://idp.example.org/idp/profile/SAML2/POST/SSO 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
 +Location: https://idp.example.org/idp/profile/SAML2/POST-Simple-Sign/SSO 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-Simple-Sign 
 +Location: https://idp.example.org/idp/profile/SAML2/Redirect/SSO 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</code> 
 + 
 +===== Attribute Services ===== 
 +IdP end points for Attribute Query via SOAP Requests. Example:<code> 
 +Location: https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery 
 +Binding: urn:oasis:names:tc:SAML:2.0:bindings:SOAP</code> 
 + 
 +===== NameID Formats ===== 
 +Supported NameID formats. At least ''urn:oasis:names:tc:SAML:2.0:nameid-format:transient'' should be selected. It is active in default installations and is needed for logout to work. Other formats should only be selected if they were explicitly activated in the configuration. 
 + 
 +===== Federations ===== 
 + 
 +Here you add your IdP/SP to federations. 
 +If you submit your provider to DFN-AAI-Test or to local metadata, it is automatically added to the according metadata. Submissions for DFN-AAI and DFN-AAI-Basic are first checked by the DFN-AAI team. Admission is granted within a working day, unless the metadata form displays errors. Please fix these errors first! You can only add your IdP/SP to the international federation eduGAIN after it has been accepted to either DFN-AAI or DFN-AAI-Basic. You can find our policies in the [[en:join|documentation]] 
 + 
 +Information regarding the Degrees of Reliance: 
 + 
 +IdP: 
 +  Depending on the criteria your IdP fulfills add it to either DFN-AAI or DFN-AAI-Basic. 
 +  * In addition, an IdP can be registered in DFN-AAI-Test and in local metadata. Keeping a productive IdP in the test federation is not recommended. 
 +   
 +SP: 
 +  Choose the degree of reliance that an IdP (!) must fulfill to grant access to their users. In DFN-AAI only users of the 'Advanced' degree of reliance can access the SP. In DFN-AAI-Basic the users of all IdPs in the federation can access it. 
 +  * Additionally, the SP can be registered in DFN-AAI-Test. A productive SP should not be in the test federation to prevent logins from test IdPs. 
 +  * Local metadata can only be selected if neither DFN-AAI nor DFN-AAI-Basic is selected. The option is available for organizations that have signed an IdP contract with us and have registered at least an IdP. 
 +  * Put your new system into our **test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly. 
 + 
 +{{:en:metadata_admin_tool:test-en-newmdv.png?800|}}
  
-  * Wenn das klapptbeantragen Sie die Aufnahme in die Produktivföderation.+  * If it doessubmit a request to join DFN-AAI. A ticket is then opened on our side and you will hear from us.
  
-{{:de:metadata_admin_tool:in-bearbeitung.png?600|}}+{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
  
 +{{tag>needs-update}}
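Review bot: the Single Sign On Services example spells the third endpoint "POST-Simple-Sign" in both lines (''https://idp.example.org/idp/profile/SAML2/POST-Simple-Sign/SSO'' and ''urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-Simple-Sign''); the SAML 2.0 binding identifier and the Shibboleth endpoint are ''POST-SimpleSign'', as the Single Logout example in this same hunk already has it, and a URN copied from here with the extra hyphen will not match any binding an IdP actually publishes. Two structural problems in the Federations section: the lines "Depending on the criteria your IdP fulfills add it to either DFN-AAI or DFN-AAI-Basic." and "Choose the degree of reliance that an IdP (!) must fulfill ..." are indented by two spaces without a ''*'', which DokuWiki renders as preformatted blocks rather than list items; and the generic final steps (put the system into DFN-AAI-Test, then "If it does, submit a request to join DFN-AAI.") are now nested under the SP: list although they apply to IdPs as well, so they should stand on their own after both lists as they did before. Minor: "an SPs Assertion Consumer Service" should be "an SP's", "List of attributes the SP takes" reads better as "requests", and the sentence ending "in the [[en:join|documentation]]" lacks its full stop.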