Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
en:requirements [2021/07/20 12:00] – updated link to check list Silke Meyer | en:requirements [2023/01/12 19:41] (current) – [Identity Provider] Wolfgang Pempe | ||
---|---|---|---|
Line 9: | Line 9: | ||
===Formal Criteria=== | ===Formal Criteria=== | ||
* To participate in DFN-AAI, a contractual agreement with the DFN-Verein is required. To request the contract documents, see [[en: | * To participate in DFN-AAI, a contractual agreement with the DFN-Verein is required. To request the contract documents, see [[en: | ||
- | * Home Organisations / IdP operators: DFN-AAI is a value-added service | + | * Home Organisations / IdP operators: DFN-AAI is a value-added service |
* Service Provider / SP operator: SP agreement (English) - free of charge, no further requirements | * Service Provider / SP operator: SP agreement (English) - free of charge, no further requirements | ||
* Registration of the IdP/SP Metadata via our [[https:// | * Registration of the IdP/SP Metadata via our [[https:// | ||
Line 20: | Line 20: | ||
* Operational Safety | * Operational Safety | ||
* The software implemented must be kept up-to-date and security updates/ | * The software implemented must be kept up-to-date and security updates/ | ||
- | * When [[en: | + | * When [[en: |
* Certificates for SAML-based communication | * Certificates for SAML-based communication | ||
* The SAML software used must allow for seamless key rollover when changing the key material. Information and further notes can be found under [[en: | * The SAML software used must allow for seamless key rollover when changing the key material. Information and further notes can be found under [[en: | ||
+ | * https for Binding URLs | ||
+ | * All endpoints registered in the federation metadata must be secured via TLS | ||
* Other | * Other | ||
* Please follow the further steps listed under [[en: | * Please follow the further steps listed under [[en: | ||
==== Identity Provider ==== | ==== Identity Provider ==== | ||
- | * The participant must have an operational Identity Management system (IdM) that at least meets the requirements of [[en:degrees_of_reliance|the Degree of Reliance]] ' | + | * The participant must have an operational Identity Management system (IdM) and Identity Provider (IdP) that at least meet [[de:aai: |
* An Identity Provider **should** be able to produce the [[de: | * An Identity Provider **should** be able to produce the [[de: | ||
* The signature of an Authentication Request sent by an SP must be validated against the corresponding certificate, | * The signature of an Authentication Request sent by an SP must be validated against the corresponding certificate, | ||
Line 45: | Line 47: | ||
* A Service Provider must be able to receive and process **[[de: | * A Service Provider must be able to receive and process **[[de: | ||
* The attributes required for the provisioning of the service must be **declared in the federation metadata**. | * The attributes required for the provisioning of the service must be **declared in the federation metadata**. | ||
- | * A Service Provider must be able to **download federation metadata regularly** and filter their content per EntityID. | + | * A Service Provider must be able to **download |
* A Service Provider must be able to implement attribute-based authorization unless all identities available via an IdP are allowed to access the resources in question. It should be noted that usually not only members of a Home Organisation can authenticate themselves via an IdP, but also every identity listed in this institution' | * A Service Provider must be able to implement attribute-based authorization unless all identities available via an IdP are allowed to access the resources in question. It should be noted that usually not only members of a Home Organisation can authenticate themselves via an IdP, but also every identity listed in this institution' | ||
* Since Shibboleth IdPs encrypt assertions by default, it is **strongly recommended** to use SP implementations that are able to **decrypt encrypted assertions**. Furthermore, | * Since Shibboleth IdPs encrypt assertions by default, it is **strongly recommended** to use SP implementations that are able to **decrypt encrypted assertions**. Furthermore, |