
Domains in Endpoint Locations

  1. New policy:
    1. All domains in IdP endpoint locations SHOULD be owned by the organization associated with the IdP.
    2. New public doc for review: IdP Endpoint Locations
  2. New procedure (to be implemented):
    1. The InCommon RA will no longer verify domains in endpoint locations in either IdP metadata or SP metadata.
    2. The InCommon RA will continue to verify domains in entityIDs in both IdP metadata and SP metadata.
    3. The InCommon RA will continue to verify Scopes in IdP metadata.
  3. Documentation needed: SP Endpoint Locations

Incident: Multiple Attempts to Publish Metadata on March 10

  1. On Friday, March 10, Ops published three signed aggregates at 4:21 pm, 5:28 pm, and 6:16 pm EST.
    1. The first two published files were identical to the previous day's file and therefore incorrect. The third file was the correct file.
    2. Root Cause: eduGAIN Operations altered the order of entities in the eduGAIN aggregate.
  2. For details, see: Incident Report 2017-03-10

HTTPS-Protected Endpoints

  1. Question: Should all protocol endpoints in metadata be HTTPS-protected?
  2. Current policy: All protocol endpoints in IdP metadata SHALL be HTTPS-protected.
  3. Proposed additional policy: All protocol endpoints in SP metadata SHALL be HTTPS-protected.
  4. For details, see: HTTPS-protected Endpoints
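The two policies above (endpoint domains owned by the organization, from the first section, and HTTPS-protected endpoints, from this one) can be audited locally before metadata is submitted. The following is an added example, not InCommon's or Internet2's own tooling; it assumes that "owned by the organization" can be approximated by the entityID host plus literal shibmd:Scope values, and it applies the domain rule to SPs as well as IdPs, which the page only states for IdPs.

```python
# Added example, not InCommon's own tooling: audit endpoint Locations in SAML metadata
# against the policies above (endpoints HTTPS-protected; endpoint domains owned by the
# organization). "Owned" = entityID host plus literal shibmd:Scope values (assumption).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample: an IdP with one plain-HTTP endpoint, an SP with an off-domain ACS.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:shibmd="%s">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor>
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Location="https://sso.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor>
      <md:AssertionConsumerService Location="https://hosted.vendor-cloud.example/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (NS["md"], NS["shibmd"])

def owned_domains(entity):
    """Domains treated as the organization's own: entityID host plus literal Scopes."""
    host = urlparse(entity.get("entityID", "")).hostname or ""
    scopes = [s.text.strip() for s in entity.iterfind(".//shibmd:Scope", NS)
              if s.text and s.get("regexp", "false").lower() != "true"]
    return {d.lower() for d in [host, *scopes] if d}

def audit_entity(entity):
    """Return (entityID, Location, problem) tuples for every policy violation found."""
    entity_id, domains, findings = entity.get("entityID"), owned_domains(entity), []
    for elem in entity.iter():          # every element carrying a Location attribute
        loc = elem.get("Location")
        if loc is None:
            continue
        url = urlparse(loc)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append((entity_id, loc, "endpoint is not HTTPS-protected"))
        if not any(host == d or host.endswith("." + d) for d in domains):
            findings.append((entity_id, loc, "endpoint domain not owned by the organization"))
    return findings

def audit_metadata(xml_text):
    """Audit every EntityDescriptor in an aggregate or single-entity metadata document."""
    return [f for e in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]) for f in audit_entity(e)]
```

Running `audit_metadata(SAMPLE)` reports the IdP's HTTP-POST SSO endpoint as not HTTPS-protected and the SP's vendor-hosted AssertionConsumerService as outside the organization's domains; the SP finding is a review item rather than a hard failure, since the SP-side domain policy is still being documented.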