Differences

This shows you the differences between two versions of the page.

en:metadata_admin_tool:checklist [2019/02/13 17:15] Silke Meyer
en:metadata_admin_tool:checklist [2019/07/10 14:26] Wolfgang Pempe
Line 1: Line 1:
 ====== Check List for Publishing Metadata ====== ====== Check List for Publishing Metadata ======
 +Please refer also to the [[https://www.aai.dfn.de/fileadmin/documents/mrps_dfn-aai_1.0.pdf|Metadata Registration Practice Statement]]
 +
 Please take the following hints into account before submitting your new IdP or SP to DFN-AAI: Please take the following hints into account before submitting your new IdP or SP to DFN-AAI:
  
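Review bot: The link added at the top of this hunk targets a versioned file name (mrps_dfn-aai_1.0.pdf), so the check list will keep sending readers to version 1.0 after the Metadata Registration Practice Statement is revised. Link to a stable landing page if one exists, or state the version in the link text so a stale link is visible. The sentence also has no closing period, and "Please also refer to" reads more naturally than "Please refer also to".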
Line 5: Line 7:
 {{:en:metadata_admin_tool:no-federation.png?600|}} {{:en:metadata_admin_tool:no-federation.png?600|}}
  
 +  * If reading your new system's metadata fails with the error **unable to open file** your web server does not respond with the full certificate chain. Please check your configuration first ([[https://doku.tid.dfn.de/en:certificates#the_ssl_certificate_chain_on_your_webserver|find help here]]).
   * If possible, please fill in all fields. Correct your data when you see red warning messages.   * If possible, please fill in all fields. Correct your data when you see red warning messages.
   * Display Name: the name of your organization, institution or company   * Display Name: the name of your organization, institution or company
Line 21: Line 24:
 </code> </code>
  
-  * For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, pleae deactivate the feature in your SP. With a Shibboleth SP you'd have to comment the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attributes set with openssl:+  * For Service Providers: If you need your SP to execute Attribute Queries or Artifact Queries, your SP certificate should have the client attribute set. If you request your certificate from DFN-PKI, please use the template called "Shibboleth IdP/-SP". If you do not use DFN-PKI certificates, have a look at [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|our Swiss colleagues' documentation]]. If you do not need any Attribute/Artifact Queries, please deactivate the feature in your SP. With a Shibboleth SP you'd have to remove the element <AttributeResolver type="Query"> and to restart shibd. Moreover, you should remove the Binding URL for Artifact Resolution Services and all SOAP Bindings (Logout). Here is how you check if your certificate has the client attribute set with openssl:
 <code> <code>
 openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage" openssl x509 -in example.org.crt.pem -noout -text | grep -A 1 "X509v3 Extended Key Usage"
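Review bot: "client attribute" in the reworded Service Provider bullet is not a term that appears in a certificate. The check that follows greps for "X509v3 Extended Key Usage", so the sentence should name that extension and the value the reader is expected to find there. Changing "comment" to "remove" for <AttributeResolver type="Query"> is fine as a hardening step, but "comment out or remove" would keep the instruction valid for SPs that may need queries again later. The bullet is also long enough to deserve a split into "if you need queries" and "if you do not".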
Line 28: Line 31:
 </code> </code>
  
-  * Put your new system into our ** test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems to check if the transfer of attributes works correctly.+  * Put your new system into our ** test federation** DFN-AAI-Test. Use our [[en:functionaltest|public test systems]] to check if the transfer of attributes works correctly.
 {{:en:metadata_admin_tool:test-en.png?600|}} {{:en:metadata_admin_tool:test-en.png?600|}}
   * If it does, submit a request to join DFN-AAI.   * If it does, submit a request to join DFN-AAI.
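Review bot: The changed bullet still carries a stray space inside the bold markup, "** test federation**". Tighten it to "**test federation**" in the same edit that closes the [[en:functionaltest|...]] link.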