Domains in Endpoint Locations

  1. New policy:
    1. All domains in IdP endpoint locations SHOULD be owned by the organization associated with the IdP.
    2. New public doc for review: IdP Endpoint Locations
  2. New procedure (to be implemented):
    1. The InCommon RA will no longer verify domains in endpoint locations in either IdP metadata or SP metadata.
    2. The InCommon RA will continue to verify domains in entityIDs in both IdP metadata and SP metadata.
    3. The InCommon RA will continue to verify Scopes in IdP metadata.
  3. Documentation needed: SP Endpoint Locations

Incident: Multiple Attempts to Publish Metadata on March 10

  1. On Friday, March 10, Ops published three signed aggregates at 4:21 pm, 5:28 pm, and 6:16 pm EST.
    1. The first two published files were identical to the previous day's file and therefore incorrect. The third file was the correct file.
    2. Root Cause: eduGAIN Operations altered the order of entities in the eduGAIN aggregate.
  2. For details, see: Incident Report 2017-03-10

HTTPS-Protected Endpoints

  1. Question: Should all protocol endpoints in metadata be HTTPS-protected?
  2. Current policy: All protocol endpoints in IdP metadata SHALL be HTTPS-protected.
  3. Proposed additional policy: All protocol endpoints in SP metadata SHALL be HTTPS-protected.
  4. For details, see: HTTPS-protected Endpoints
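
The HTTPS requirement above and the endpoint-domain policy from the first section can both be checked mechanically against an entity's metadata. The following is an added example, not InCommon's own tooling. It assumes the entity's literal shibmd:Scope values are a usable stand-in for "domains owned by the organization", so a host outside scope is a prompt for review, not a violation. The sample entity and its hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
ROLES = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed sample entity; every name in it is a placeholder.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></Extensions>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="1"
        Location="https://sso.hosted-vendor.example/idp/SOAP/ArtifactResolution"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def lint_entity(xml_text):
    """Return (finding, element, url) tuples for one EntityDescriptor."""
    # Assumes the XML comes from an aggregate whose signature was already verified.
    entity = ET.fromstring(xml_text)
    # Literal (non-regexp) scopes: the assumed proxy for organization-owned domains.
    scopes = [s.text.strip().lower() for s in entity.iter(f"{{{SHIBMD}}}Scope")
              if s.text and s.get("regexp", "false") in ("false", "0")]
    findings = []
    for role in ROLES:
        for desc in entity.iter(f"{{{MD}}}{role}"):
            for el in desc.iter():
                for attr in ("Location", "ResponseLocation"):
                    url = el.get(attr)
                    if url is None:
                        continue
                    name = el.tag.split("}")[-1]
                    parts = urlsplit(url)
                    host = (parts.hostname or "").lower()
                    if parts.scheme.lower() != "https":
                        findings.append(("not-https", name, url))
                    # The domain policy covers IdP endpoints only, so skip SP roles.
                    if role != "SPSSODescriptor" and scopes and not any(
                            host == s or host.endswith("." + s) for s in scopes):
                        findings.append(("host-outside-scope", name, url))
    return findings
```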

 
