Requirements and Best Practices

The following requirements apply equally to Identity Providers (IdP) and Service Providers (SP)

Formal Criteria

  • To participate in the DFN-AAI, a contractual agreement with the DFN-Verein is required. To request the contract documents, see registration. The type of contractual agreement depends on the type of participation in the DFN-AAI:
    • Home Organisations / IdP operators: DFN-AAI is a value-added service (DFNInternet at least I02), DFN Framework Agreement and DFN-AAI Service Agreement are required. The latter also contains clauses covering SP operation.
    • Service Provider / SP operator: SP agreement (English) - free of charge, no further requirements
  • Registration of the IdP/SP Metadata

Technical and Organizational Criteria

  • Support of the SAML 2 Standard (in future alternatively OpenID Connect, date will be announced). The use of self-implementations is strongly discouraged. Instead, IdP/SP software should be used for which long-term support and further development by the community is guaranteed, e.g. Shibboleth or SimpleSAMLphp. DFN-Verein is a member of the Shibboleth Consortium and offers support, workshops and trainings for this software.
    • must be downloaded at least once a day
    • the signature of the metadata must be validated against the currently valid certificate provided by the DFN-AAI
  • Operational Safety
    • The software implemented must be kept up-to-date and security updates/patches must be applied in a timely manner
    • When registering the SP/IdP metadata, a contact for security issues must be provided
  • Certificates for SAML-based communication
    • The SAML software used must allow for seamless key rollover when changing the key material. Information and further notes can be found under Certificates.
  • Other
  • The participant must have an operational Identity Management system (IdM) that at least meets the requirements of the Degree of Reliance 'Basic'. User and groups for which these requirements are not met must be excluded from using the DFN-AAI.
  • An Identity Provider should be able to produce the most important attributes. These attributes must be encoded in standard-compliant encoding (urn:oid) when transmitted to Service Providers (if required for the provision of the respective service and permissible under data protection law)
  • The signature of an Authentication Request sent by an SP must be validated against the corresponding certificate, which has been stored for this SP in the Federation Metadata
  • If a certificate with use=“encryption” is stored in the Federation Metadata for an IdP, the IdP must be able to decrypt encrypted SAML messages of an SP (usually Logout Requests) using this certificate.
  • A Service Provider must be able to receive and process common attributes in standard-compliant encoding. (urn:oid).
  • The attributes required for the provision of the service must be declared in the Federation Metadata
  • A Service Provider must be able to implement attribute-based authorization unless all identities available via an IdP are allowed to access the resources in question. It should be noted that usually not only members of a Home Organisation can authenticate themselves via an IdP, but also every identity listed in this institution's IdM. These can also be guests, alumni or users of a city library, for instance.
  • Since Shibboleth IdPs encrypt assertions by default, it is strongly recommended to use SP implementations that are able to decrypt encrypted assertions.
  • The XML signature of data sent by an IdP must be validated against the corresponding certificate stored in the Federation Metadata for the IdP in question. This applies both to the signed SAML Response and the SAML Assertion (part of the Response, signed on a case-by-case basis).
  • Provisioning and Deprovisioning
    • Local, i.e. SP-side user accounts and profiles must be created using attributes transmitted by the Identity Providers of the participating Home Organisations. Provisioning of user data via other channels (e.g. CSV files, Active Directory) is not permitted
    • Appropriate procedures shall be implemented for deprovisioning/deleting such local user accounts. These may include automatic deletion/deactivation of a user's account after a certain period of inactivity or deprovisioning via SAML Attribute Query.
  • Single Logout
    • Both IdP and SP implementations should support the Single Logout Profile
    • If possible, the session of an application protected by an SP should be linked to the SP session. See about this under Single Logout.
  • In the sense of maximum, also international interoperability (eduGAIN) it is recommended to implement the current version of the SAML2 Interoperability Profile (saml2int) in the best possible way. For deviating, DFN-AAI-specific certificate policies, please refer to Certificates.
  • Last modified: 10 months ago