...
This document translates the Baseline Expectations described in [TI.34.1] into an initial set of requirements for InCommon metadata.
...
Baseline Expectation | Metadata Requirements | Other Requirements |
---|---|---|
“The IdP is operated with organizational-level authority” | N/A | Federation Manager Application: |
“The IdP is trusted enough to be used to access the organization’s own systems” | N/A | Federation Manager Application: |
“Generally-accepted security practices are applied to the IdP” | REQUIRED: | SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf. Results of these scans may be saved by and acted upon by InCommon operations at its discretion. |
“Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL” | REQUIRED: RECOMMENDED: | Logo and privacy policy URL subject to the following test conditions: REQUIRED: RECOMMENDED: |
Service Providers
Expectation | Metadata Requirements | Other Requirements |
---|---|---|
“Controls are in place to reasonably secure information and maintain user privacy” | N/A | Federation Manager Application: |
“Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose” | N/A | Federation Manager Application: |
“Generally-accepted security practices are applied to the SP” | RECOMMENDED: | SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf. Results of these scans may be saved by and acted upon by InCommon operations at its discretion. |
“Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL” | REQUIRED: RECOMMENDED: | Logo and privacy URL subject to the following test conditions: REQUIRED: RECOMMENDED: |
“Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly” | N/A | Federation Manager Application: |
...
Entity Type(s) | Requirement | Current Mechanism(s) | Future Mechanism(s) |
---|---|---|---|
IdP, SP | Entity includes a valid DisplayName | FM | MD health check, |
IdP, SP | Entity includes at least one "technical" contact with a valid email address (contact may be a person, group or list - group or list recommended) | FM | MD health check, Email deliverability check |
IdP, SP | Entity includes at least one "administrative" contact with a valid email address (contact may be a person, group or list - group or list recommended) | Manual (IdPs), | MD health check, |
IdP, SP | Entity includes at least one "security" contact with a valid email address (contact may be a person, group or list - group or list recommended) | Manual (SIRTFI entities), | MD health check, |
IdP, SP | Entity includes a valid HTTPS Logo URL | Manual (IdPs), | MD health check, Logo URL subject to the following test conditions: |
IdP, SP | Entity includes a valid PrivacyStatementURL | Manual | MD health check, |
IdP | SSL certificates on endpoints are in place | Manual | FM input validation, SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf. Results of these scans may be saved by and acted upon by InCommon operations at its discretion. |
SP | SSL certificates on endpoints are in place | None | SSL certificates are subject to quality testing performed by InCommon operations or a service provider on its behalf. Results of these scans may be saved by and acted upon by InCommon operations at its discretion. |
IdP | IDPSSODescriptor includes a valid errorURL attribute | Manual (IdPs), | MD health check, |
SP | SP endpoints do not use unencrypted http | None | MD health check, |
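
The metadata rows in the table above can be checked mechanically against an entity's SAML metadata. The Python below is an added example, not InCommon's MD health check and not code from the original page. It assumes the MDUI elements sit under `mdui:UIInfo`, that security contacts use the REFEDS `remd:contactType` attribute, and that "valid" means syntactically well-formed (email shape, absolute URL); `check_entity`, `scheme` and `SAMPLE` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
# Assumption: security contacts carry the REFEDS remd:contactType attribute.
REMD_ATTR = "{http://refeds.org/metadata}contactType"
SECURITY = "http://refeds.org/metadata/contactType/security"
EMAIL = re.compile(r"^(mailto:)?[^@\s]+@[^@\s]+\.[^@\s]+$")  # syntax check only

def scheme(url):  # lower-cased scheme of an absolute URL, "" otherwise
    p = urlparse((url or "").strip())
    return p.scheme.lower() if p.netloc else ""

def check_entity(xml_text):
    """Return the names of the table's requirements that this entity fails."""
    ent = ET.fromstring(xml_text)  # for hostile input use a hardened XML parser
    fails, kinds = [], set()
    def ui(tag):
        el = ent.find(".//mdui:UIInfo/mdui:" + tag, NS)
        return (el.text or "").strip() if el is not None else ""
    if not ui("DisplayName"):
        fails.append("DisplayName")
    for c in ent.findall("md:ContactPerson", NS):  # count only contacts with a usable address
        if any(EMAIL.match((e.text or "").strip()) for e in c.findall("md:EmailAddress", NS)):
            kinds.add("security" if c.get(REMD_ATTR) == SECURITY else c.get("contactType"))
    fails += [k + " contact" for k in ("technical", "administrative", "security") if k not in kinds]
    if scheme(ui("Logo")) != "https":
        fails.append("Logo")
    if scheme(ui("PrivacyStatementURL")) not in ("http", "https"):
        fails.append("PrivacyStatementURL")
    idp = ent.find("md:IDPSSODescriptor", NS)
    if idp is not None and not scheme(idp.get("errorURL")):
        fails.append("errorURL")
    for ep in ent.iterfind("md:SPSSODescriptor/*[@Location]", NS):
        if scheme(ep.get("Location")) == "http":  # unencrypted SP endpoint
            fails.append("http endpoint " + ep.get("Location"))
    return fails

# Constructed sample SP entity: no security contact, bad admin email, http ACS.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.edu/sp">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
<mdui:Logo height="60" width="80">https://sp.example.edu/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
<md:AssertionConsumerService index="1" Location="http://sp.example.edu/SAML2/POST"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/></md:SPSSODescriptor>
<md:ContactPerson contactType="technical"><md:EmailAddress>mailto:ops@example.edu</md:EmailAddress></md:ContactPerson>
<md:ContactPerson contactType="administrative"><md:EmailAddress>not-an-address</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>"""
```

Calling `check_entity(SAMPLE)` reports the missing administrative and security contacts, the absent PrivacyStatementURL and the unencrypted AssertionConsumerService location.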
...
[TI.34.1] Baseline Expectations for Trust in Federation, https://spaces.at.internet2.edu/display/BE/Baseline+Expectations+for+Trust+in+Federation?preview=/116458160/116458162/TI.34.1-BaselineExpectations-v1-2016-09-7.pdf