Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
en:requirements [2021/03/02 15:27] – [Service Provider] Silke Meyer | en:requirements [2023/01/12 19:41] (current) – [Identity Provider] Wolfgang Pempe | ||
---|---|---|---|
Line 9: | Line 9: | ||
===Formal Criteria=== | ===Formal Criteria=== | ||
* To participate in DFN-AAI, a contractual agreement with the DFN-Verein is required. To request the contract documents, see [[en: | * To participate in DFN-AAI, a contractual agreement with the DFN-Verein is required. To request the contract documents, see [[en: | ||
- | * Home Organisations / IdP operators: DFN-AAI is a value-added service | + | * Home Organisations / IdP operators: DFN-AAI is a value-added service |
* Service Provider / SP operator: SP agreement (English) - free of charge, no further requirements | * Service Provider / SP operator: SP agreement (English) - free of charge, no further requirements | ||
* Registration of the IdP/SP Metadata via our [[https:// | * Registration of the IdP/SP Metadata via our [[https:// | ||
- | * See the [[en: | + | * See the [[en: |
=== Technical and Organizational Criteria=== | === Technical and Organizational Criteria=== | ||
* Support of the [[https:// | * Support of the [[https:// | ||
Line 20: | Line 20: | ||
* Operational Safety | * Operational Safety | ||
* The software implemented must be kept up-to-date and security updates/ | * The software implemented must be kept up-to-date and security updates/ | ||
- | * When [[en: | + | * When [[en: |
* Certificates for SAML-based communication | * Certificates for SAML-based communication | ||
* The SAML software used must allow for seamless key rollover when changing the key material. Information and further notes can be found under [[en: | * The SAML software used must allow for seamless key rollover when changing the key material. Information and further notes can be found under [[en: | ||
+ | * https for Binding URLs | ||
+ | * All endpoints registered in the federation metadata must be secured via TLS | ||
* Other | * Other | ||
* Please follow the further steps listed under [[en: | * Please follow the further steps listed under [[en: | ||
==== Identity Provider ==== | ==== Identity Provider ==== | ||
- | * The participant must have an operational Identity Management system (IdM) that at least meets the requirements of [[en:degrees_of_reliance|the Degree of Reliance]] ' | + | * The participant must have an operational Identity Management system (IdM) and Identity Provider (IdP) that at least meet [[de:aai: |
* An Identity Provider **should** be able to produce the [[de: | * An Identity Provider **should** be able to produce the [[de: | ||
* The signature of an Authentication Request sent by an SP must be validated against the corresponding certificate, | * The signature of an Authentication Request sent by an SP must be validated against the corresponding certificate, | ||
Line 45: | Line 47: | ||
* A Service Provider must be able to receive and process **[[de: | * A Service Provider must be able to receive and process **[[de: | ||
* The attributes required for the provisioning of the service must be **declared in the federation metadata**. | * The attributes required for the provisioning of the service must be **declared in the federation metadata**. | ||
- | * A Service Provider must be able to **download federation metadata regularly** and filter their content per EntityID. | + | * A Service Provider must be able to **download |
* A Service Provider must be able to implement attribute-based authorization unless all identities available via an IdP are allowed to access the resources in question. It should be noted that usually not only members of a Home Organisation can authenticate themselves via an IdP, but also every identity listed in this institution' | * A Service Provider must be able to implement attribute-based authorization unless all identities available via an IdP are allowed to access the resources in question. It should be noted that usually not only members of a Home Organisation can authenticate themselves via an IdP, but also every identity listed in this institution' | ||
* Since Shibboleth IdPs encrypt assertions by default, it is **strongly recommended** to use SP implementations that are able to **decrypt encrypted assertions**. Furthermore, | * Since Shibboleth IdPs encrypt assertions by default, it is **strongly recommended** to use SP implementations that are able to **decrypt encrypted assertions**. Furthermore, | ||
Line 51: | Line 53: | ||
* Provisioning and Deprovisioning | * Provisioning and Deprovisioning | ||
* Local, i.e. SP-side **user accounts and profiles** must be created using attributes transmitted by the Identity Providers of the participating Home Organisations. Provisioning of user data via other channels (e.g. CSV files, Active Directory) is not permitted. | * Local, i.e. SP-side **user accounts and profiles** must be created using attributes transmitted by the Identity Providers of the participating Home Organisations. Provisioning of user data via other channels (e.g. CSV files, Active Directory) is not permitted. | ||
- | * Appropriate procedures shall be implemented for **deprovisioning/ | + | * Appropriate procedures shall be implemented for **deprovisioning/ |
**Why do IdP operators talk about local metadata?** | **Why do IdP operators talk about local metadata?** |