- Created by Albert Wu (internet2.edu), last modified on May 11, 2020
This page/section needs content clean up and new materials: it's time for community to review this content for currency and accuracy.
The InCommon Federation is by-community, for-community endeavor aimed to streamline cross-organization research and scholarly collaboration. The following recommended practices help all federation participants improve interoperability and streamline implementation and operations while working with federated partners.
Adhere to Baseline Expectations for Trust in Federation
Guidance on Contacts in Metadata
- Include technical, administrative, security, and support contacts in metadata.
- List contacts in metadata as mailing lists, reflectors, or similar mechanisms, rather than specific individuals.
- Refer users encountering attribute release policy issues with a service to their IdP's administrative contact.
Federated Security Incident Response
- Publish federated incident response contact information for your federated services and identity providers.
- Implement a log retention policy for federated services and identity providers.
- Document and advertise your procedure for responding to a federated security incident.
IdP: Support Research and Scholarship information release
See Identity provider - support Research and Scholarship
Research SP: Join the Research and Scholarship entity category
See Research and Scholarship Application Form for Service Providers
Guidance on working with the InCommon metadata
Maintaining complete and accurate information in InCommon metadata is important so systems from other federation participants can best engage with your site's services.
Consuming the InCommon metadata
- Refresh and verify metadata at least daily, and process the metadata in accordance with the Metadata Interoperability Profile standard.
Setting the appropriate scope
- To ensure that scoped attributes are globally unique, a scope in metadata should be a DNS domain controlled by the IdP.
X.509 Certificates in Metadata
See X.509 Certificates in Metadata, particularly:
The certificates registered by a participant contain at least 2048-bit RSA public keys, are self-signed, are not expired, and do not carry revocation-related extensions.
- Certificate migration is performed in a controlled fashion that does not require participants who follow metadata consumption best practices to specially accommodate the change.
- Service providers include and support an encryption key in SP metadata.
SAML Protocol Endpoints
- All endpoints are protected with SSL/TLS.
- All entities support SAML V2.0 Web Browser SSO.
Endpoints in IdP Metadata
- IdPs protect all endpoints with SSL/TLS.
- IdPs support SAML V2.0 Web Browser SSO and (optionally) SAML V1.1 Web Browser SSO.
- IdPs support authentication requests via the SAML V2.0 HTTP-Redirect binding and (optionally) the legacy Shibboleth 1.x AuthnRequest protocol.
- IdPs support SAML V2.0 Enhanced Client or Proxy (ECP) authentication requests from non-browser clients via the SAML V2.0 SOAP binding using either Basic Authentication or TLS Client Authentication.
- IdPs (optionally) support SAML V1.1 attribute queries but do not advertise support for SAML V2.0 attribute queries unless necessary.
Endpoints in SP Metadata
- SPs protect all endpoints with SSL/TLS.
- SPs support SAML V2.0 Web Browser SSO, the SAML V2.0 Identity Provider Discovery Protocol, and the use of XML Encryption.
- SPs support the SAML V2.0 HTTP-POST binding and (optionally) the SAML V1.1 Browser/POST profile.
- SPs (optionally) support the SAML V2.0 Enhanced Client or Proxy profile.
- SPs that support SAML V1.1 Web Browser SSO also support SAML V1.1 attribute queries.
Metadata Discovery User Interface Elements
A site supplies values for each of the user interface elements to maximize the user experience.
Service Provider: Requesting Attributes through Metadata
SPs that seek a wide audience of IdPs without explicit contracts or arrangements ahead of time specify the attributes they need in order to facilitate consent-driven user interfaces.
Maintain Supported Software
See Maintaining Supported Software, particularly:
- Appropriate staff monitor "security" and/or "announce" mailing lists for critical software.
- Software versions are reasonably current and upgraded ahead of "end of life" dates.
Protect Against Failed Metadata Processes
See Protect Against Failed Metadata Processes, particularly:
- Shibboleth IdP
Allocate at least 1500MB of heap space in the JVM
Enable DEBUG-level logging on selected Java classes
User Experience for Federated Sign-In
See Federated User Experience with particular attention to the following.
- A "Login" link is placed in the upper right corner.
- The main application screen is uncluttered by choices of different login mechanisms.
URL-Based Discovery and Deep Linking
- Application resources shared among users from multiple home organizations can access those resources with stable, authentication-neutral URLs.
- Discovery either overlays the application (an embedded or pop-up design), or includes contextual information identifying the service accessed by the user.
- Different login options/mechanisms, including federated IdPs, are presented uniformly to the user.
- Preferred or remembered choices are highlighted, but not automatically chosen (i.e., no automatic "Use this choice next time" behavior).
- Dynamic search via text box is the primary interface for general selection.
- Help and "go back" links are available.
The Boarding Problem
- The choice of IdP is not artificially limited, but left open to selection of any trusted option.
Login at the IdP
- Login pages identify the service requesting authentication.
- Applications use full-frame windows to present the IdP's interface, or at least full "chrome" in the sense of title bars, menus, location bars, etc
- IdPs that seek broad usage provide a mechanism for users to opt-in to the release of personally identifiable information to SPs without prearranged contracts/agreements.
- Consent pages are kept as short and simple as possible. Users are not asked to consent to the release of complex data they're unlikely to understand.
- Error handling is integrated into the look and feel of a site.
- Contact information and reporting procedures are provided that lead to problem resolution.
- Errors resulting from correctable or avoidable user actions are presented in a fashion that leads to self-correction.
Federated Error Handling
- Failures due to access control are handled by directing users to the "administrative" contact of their IdP to assist in resolution.
Maximizing the Federation
Identity Provider Attribute Release Process
See Attribute Release Process, particularly:
- IdPs make common identity attributes (identifiers, displayName, mail) available to educationally useful/non-commercial SPs for significant user populations, either subject to opt-in user consent, or with an opt-out process.
- IdPs document and publish their policies and procedures for the release of attributes. The <PrivacyStatementURL> element should link directly or indirectly to this information.
- An "administrative" contact is documented for each IdP and SP identifying a point of contact for attribute release issues.
Persistent Identifier Support
See Persistent Identifier Support, particularly:
- IdPs support the eduPersonPrincipalName and eduPersonTargetedID attributes.
- When SAML 2.0 is used, the "persistent" <NameID> format is used to represent the eduPersonTargetedID attribute.
- The release of eduPersonTargetedID is automated for most or all affiliates (save perhaps for students opting out under FERPA) to SPs that are not otherwise subject to user anonymity requirements, such as some library services.
In this section
- Attribute Release Process
- Error Handling
- Federated Error Handling
- Federated Security Incident Response
- Federated User Experience
- Maintaining Supported Software
- Participant Operational Practices
- Persistent Identifier Support
- Test IdPs in Metadata
- Protect Against Failed Metadata Processes
Can't find what you are looking for?