Differences

This shows you the differences between two versions of the page.

en:metadata_admin_tool:checklist [2019/02/13 17:13] Silke Meyer
en:metadata_admin_tool:checklist [2019/02/13 17:17] Silke Meyer
Line 13: Line 13:
   * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date!   * Please submit at least four **contacts** per system: An administrative contact, a technical one, a support contact and a security contact. We recommend to use non-personalized email addresses, especially for the security contact which could be your Computer Emergency Response Team. If you do not have anything like that, put in the contact that responds in case of security incidents. Please make sure to keep those email addresses up to date!
   * Have your X.509 certificate for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are:   * Have your X.509 certificate for SAML-based communication ready. We have an [[en:certificates|information page about certificates]]. The most important items are:
-    * IdP use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. +    * IdPs use DFN-PKI certificates. As of July 2019, only the **second generation of DFN-PKI certificates** will be valid. 
-    * SPs can use DFN-PKI certificates (if entitled to do so), certificates issued by established commercial CAs, or self-signed certificates.+    * SPs can use DFN-PKI certificates (if entitled), certificates issued by established commercial CAs, or self-signed certificates.
     * SSL certificates must not exceed a **validity of 39 months**.     * SSL certificates must not exceed a **validity of 39 months**.
     * For security reasons, we do no longer accept certificates that were created with a sha1 **signature algorithm**. Here is how you can check this, e.g. with openssl:     * For security reasons, we do no longer accept certificates that were created with a sha1 **signature algorithm**. Here is how you can check this, e.g. with openssl:
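Review bot: In the SP certificate line, the new wording "(if entitled)" is a fragment that no longer says what the entitlement refers to; "(if entitled to DFN-PKI certificates)" or the previous "(if entitled to do so)" reads more clearly. The IdP line fix ("IdPs use") is correct. While in this region, the unchanged context line below still reads "we do no longer accept certificates", which should be "we no longer accept certificates".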
Line 21: Line 21:
 </code> </code>
  
-  * For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, pleae deactivate the feature in your SP. With a Shibboleth SP you'd have to comment the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attributes set with openssl:+  * For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
 <code> <code>
 openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage"
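Review bot: Changing "comment the element" to "remove the element" turns a reversible edit into a destructive one; since the text tells readers to disable a feature in their running SP, suggest "comment out or remove the element" so the configuration can be restored if Attribute or Artifact Queries are needed later. The element is also shown as `<AttributeResolver type="Query">` without a closing `/>`, so it does not match a well-formed configuration line. Finally, the openssl check greps for the Extended Key Usage block but never says which value marks the client attribute; add that readers should look for "TLS Web Client Authentication" in that output, otherwise the check result is left to guesswork.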
Line 28: Line 28:
 </code> </code>
  
-  * Put your new system into our ** test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems to check if the transfer of attributes works correctly.+  * Put your new system into our ** test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly.
 {{:en:metadata_admin_tool:test-en.png?600|}} {{:en:metadata_admin_tool:test-en.png?600|}}
   * If it does, submit a request to join DFN-AAI.   * If it does, submit a request to join DFN-AAI.
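Review bot: The added `]]` correctly closes the `[[en:functionaltest|public test systems]]` link, which was rendering as broken markup. The stray space in `** test federation**` is still present on both sides; with a space directly after the opening `**` the bold markup may not render, so it should be `**test federation**` in the same change.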