
...

Editor: Leif Johansson
Contributors: Scott Cantor, Ian Young, RL "Bob" Morgan, Nate Klingenstein

0. Introduction

SAML metadata [saml-metadata-2.0-os.pdf] has proven very useful in large-scale heterogeneous SAML deployments, providing a basis for shared trust and configuration management. This document proposes a profile for management of SAML metadata to extend its utility. Benefits of deploying this profile are:

  • easy discovery of published metadata based on EntityID
  • simple runtime entity key management 
  • support for trust communities and reputation services

...

1. Metadata contents requirements

Entity identifiers [TBD] MUST be valid URLs using either the http or https schemes. The Name attribute of an EntitiesDescriptor element SHOULD be a valid URL using either the http or https schemes.

In the case of an https:-scheme URL, the metadata consumer MUST ignore any failures detected while validating the certificate chain of the TLS connection. Trust in metadata is conveyed using signatures on the metadata rather than through the transport by which the metadata was retrieved.

...

Any metadata role supporting encryption MUST contain at least one applicable KeyDescriptor containing one or more public keys, either in the form of RSAKeyValue elements or contained within X.509 certificates included as X509Data elements. In the case of X.509 certificates, the metadata consumer ignores all components of the certificate other than the public key.

KeyName elements MAY be included to help in identifying keys. [NOTE - isn't this a repeat of what SAMLMeta already says?]

Entities (e.g. an SP or IdP) SHOULD support generation of self-signed certificates (or keys) unless another set of certificates or keys was explicitly provided. Metadata producers SHOULD allow the choice of a single key or separate keys for signing and encryption to be configured.
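One way a metadata consumer can check the section 1 rules above (entity identifiers and EntitiesDescriptor Name as http/https URLs, and an encryption-capable role carrying at least one KeyDescriptor with an RSAKeyValue or X.509 certificate). This is an added example, not code from this profile or any SAML implementation; it uses only the Python standard library, runs over a constructed two-entity sample, and assumes SPSSODescriptor is the role that supports encryption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: SPs are the roles that receive encrypted assertions; extend the set as needed.
ENCRYPTING_ROLES = {"SPSSODescriptor"}

# Constructed sample: sp1 complies, sp2 breaks both the entityID rule and the key rule.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="https://federation.example/metadata">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth"><md:SPSSODescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:example:sp2"><md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sp2</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def is_http_url(value):
    """Section 1: identifiers MUST be http or https URLs (with a host part)."""
    parsed = urlparse(value or "")
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def has_public_key(key_descriptor):
    """True if the KeyInfo carries an RSAKeyValue or a non-empty X509Certificate."""
    rsa = key_descriptor.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
    cert = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return rsa is not None or (cert is not None and bool((cert.text or "").strip()))

def check_metadata(xml_text):
    """Return a list of findings; an empty list means the document complies."""
    findings, root = [], ET.fromstring(xml_text)
    if root.tag.endswith("}EntitiesDescriptor"):
        name = root.get("Name")
        if name is not None and not is_http_url(name):
            findings.append(f"EntitiesDescriptor Name SHOULD be an http(s) URL: {name!r}")
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID")
        if not is_http_url(entity_id):
            findings.append(f"entityID MUST be an http(s) URL: {entity_id!r}")
        for role in entity:
            local = role.tag.split("}")[-1]
            # A KeyDescriptor without a use attribute applies to signing and encryption alike.
            if local in ENCRYPTING_ROLES and not any(
                    kd.get("use") in (None, "encryption") and has_public_key(kd)
                    for kd in role.findall("md:KeyDescriptor", NS)):
                findings.append(f"{entity_id!r}: {local} has no encryption key")
    return findings
```

Running `check_metadata(SAMPLE)` reports two findings, both against sp2; the checker only inspects metadata contents and does nothing about the signature that section 2.2 requires.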

...

2.1.1 Per Entity Publishing

An HTTP GET request to the EntityID URL MUST return SAML metadata [saml-metadata-2.0-os.pdf] for the entity, encoded as the <TBD> MIME type.

2.1.2 Aggregated Publishing

An HTTP GET request to the URL in the Name attribute of the EntitiesDescriptor element MUST return SAML metadata [saml-metadata-2.0-os.pdf] for the entity, encoded as the <TBD> MIME type.

2.2 Metadata Trust

A metadata consumer MUST establish trust in the metadata by validating the signature on the metadata, regardless of how it was obtained (e.g. as an aggregate or as metadata for a single entity). Care should be taken not to introduce unnecessary complication into the metadata signature validation process.

...