Versions Compared

Old Version 7

changes.mady.by.user Nicole Roy

Saved on

compared with

New Version Current

changes.mady.by.user Nicole Roy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This document translates the Baseline Expectations described in [TI.34.1] into an initial set of requirements for InCommon metadata.

...


Baseline Expectation

Metadata Requirements

Other Requirements

“The IdP is operated with organizational-level authority”

N/A

Federation Manager Application:

  • Review web UI for consistency with Baseline Expectations (terminology, grouping/layout of controls, etc.)

  • Add references to Baseline Expectations with links to appropriate documentation

“The IdP is trusted enough to be used to access the organization’s own systems”

N/A

Federation Manager Application:

  • Review web UI for consistency with Baseline Expectations (terminology, grouping/layout of controls, etc.)

  • Add references to Baseline Expectations with links to appropriate documentation

“Generally-accepted security practices are applied to the IdP”

REQUIRED:

  • SSL certificates on endpoints are in place

SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf.  Results of these scans may be saved by and acted upon by InCommon operations at its discretion.

“Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL”

REQUIRED:

  • Entity includes at least one "technical" contact with a valid email address

  • Entity includes at least one "administrative" contact with a valid email address

  • Entity includes at least one "security" contact with a valid email address

  • Entity includes a valid DisplayName

  • Entity includes a valid HTTPS Logo URL

  • Entity includes a valid PrivacyStatementURL


RECOMMENDED:

  • IDPSSODescriptor includes a valid errorURL attribute

Logo and privacy policy URL subject to the following test conditions:

REQUIRED:

  • Results in a ‘200’ based on an HTTP GET

RECOMMENDED:

  • Returns a PNG image with the MIME type image/png
  • Is 80 pixels in width by 60 pixels in height
  •  Has a transparent background


Service Providers


Expectation

Metadata Requirements

Other Requirements

“Controls are in place to reasonably secure information and maintain user privacy”

N/A

Federation Manager Application:

  • Review web UI for consistency with Baseline Expectations (terminology, grouping/layout of controls, etc.)

  • Add references to Baseline Expectations with links to appropriate documentation

“Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose”

N/A

Federation Manager Application:

  • Review web UI for consistency with Baseline Expectations (terminology, grouping/layout of controls, etc.)

  • Add references to Baseline Expectations with links to appropriate documentation

“Generally-accepted security practices are applied to the SP”

RECOMMENDED:

  • SSL certificates on endpoints are in place

SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf.  Results of these scans may be saved by and acted upon by InCommon operations at its discretion.

“Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL”

REQUIRED:

  • Entity includes at least one "technical" contact with a valid email address

  • Entity includes at least one "administrative" contact with a valid email address

  • Entity includes at least one "security" contact with a valid email address

  • Entity includes a valid DisplayName

  • Entity includes a valid HTTPS Logo URL

  • Entity includes a valid PrivacyStatementURL


RECOMMENDED:

  • SP endpoints do not use unencrypted http

Logo and privacy URL subject to the following test conditions:

REQUIRED:

  • Results in a ‘200’ based on an HTTP GET

RECOMMENDED:

  • Returns a base64-encoded PNG with the MIME type image/png
  • Is 80 pixels in width by 60 pixels in height
  •  Has a transparent background

“Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly”

N/A

Federation Manager Application:

  • Review web UI for consistency with Baseline Expectations (terminology, grouping/layout of controls, etc.)

  • Add references to Baseline Expectations with links to appropriate documentation


...


Entity Type(s)

Requirement

Current Mechanism(s)

Future Mechanism(s)

IdP, SP

Entity includes a valid DisplayName

FM

MD health check,
FM input validation

IdP, SP

Entity includes at least one "technical" contact with a valid email address (contact may be a person, group or list - group or list recommended)

FM

MD health check,
FM input validation,

Email deliverability check

IdP, SP

Entity includes at least one "administrative" contact with a valid email address (contact may be a person, group or list - group or list recommended)

Manual (IdPs),
None (Others)

MD health check,
FM input validation,
Email deliverability check

IdP, SP

Entity includes at least one "security" contact with a valid email address (contact may be a person, group or list - group or list recommended)

Manual (SIRTFI entities),
None (Others)

MD health check,
FM input validation,
Email deliverability check

IdP, SP

Entity includes a valid HTTPS Logo URL

Manual (IdPs),
None (Others)

MD health check,
FM input validation,

Logo URL subject to the following test conditions:

 

  • Results in a ‘200’ based on an HTTP GET
    • Returns a base64-encoded PNG with the MIME type image/png

  • Is 80 pixels in width by 60 pixels in height
  •  Has a transparent background

    •  

    IdP, SP

    Entity includes a valid PrivacyStatementURL

    Manual

    MD health check,
    FM input validation,
    HTTP check

    IdP

    SSL certificates on endpoints are in place

    Manual

    FM input validation,

    SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf.  Results of these scans may be saved by and acted upon by InCommon operations at its discretion.

    SPSSL certificates on endpoints are in placeNoneSSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf.  Results of these scans may be saved by and acted upon by InCommon operations at its discretion.

    IdP

    IDPSSODescriptor includes a valid errorURL attribute

    Manual (IdPs),
    None (Others)

    MD health check,
    FM input validation,
    HTTP check

    SP

    SP endpoints do not use unencrypted http

    None

    MD health check,
    FM input validation


    ...