Comment: updated for v9 of the MDA

Basic Metadata Import Policy

Global metadata is imported directly into the main production aggregate.

For the v9 deployment of the metadata aggregator (released 2019-03-20), the following import rules will be implemented (in order):

  1. Silently remove all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
    1. Entities so marked must come from primary sources only.
  2. Remove (and log the removal of) the following XML elements (not entities):
    1. <mdui:Logo> elements with a URL that is not HTTPS-protected
  3. Silently remove the following XML elements (not entities):
    1. all MDUI metadata (e.g., mdui:UIInfo elements) within AttributeAuthority roles.
    2. all entity attributes on the Entity Attribute Blacklist (see subsection below).
    3. all extended XML elements and attributes defined in namespaces not on the XML Namespace Whitelist (see subsection below).
  4. Remove (and log the removal of) all imported entities matching one or more of the following conditions:
    1. Entities with an entityID that does not begin with one of the following prefixes: "http://", "https://", "urn:mace"
    2. Entities with weak keys (which includes all keys less than 2048 bits in length)
      1. The use of weak keys in metadata has security and privacy implications.
      2. There are no weak keys in InCommon metadata and so we'd like to keep it that way.
    3. IdP entities with a faulty <shibmd:Scope> element. Disallow:
      1. <shibmd:Scope> elements lacking the regexp attribute (the regexp attribute is required)
      2. Values which do not represent a permissible scope:
        1. regexp="false" scope values must:
          1. be syntactically valid domain names (for example, they may not be empty or contain white space), and
          2. represent domains under a "public suffix" such as .com or .edu listed in the public suffix list
        2. regexp="true" scope values must:
          1. not be empty or include white space, and
          2. end with:
            1. an escaped dot ('\.'),
            2. followed by a "literal tail", which must:
              1. consist of at least two domain labels (e.g., "example", "edu") separated by encoded dots ('\.'),
              2. represent, once the encoded dots are decoded, a domain name under a "public suffix" such as .com or .edu listed in the public suffix list
            3. followed by a '$' anchor
    4. IdP entities with an endpoint location that is not HTTPS-protected
    5. IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
      1. In effect, all imported IdPs must support SAML2.
    6. SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
      1. In effect, all imported SPs must support SAML2.
    7. Entities containing literal CR characters.
    8. Entities containing misplaced or duplicated EntityAttributes elements.
    9. Entities containing XML failing schema validation.
    10. Entities that do not conform to the SAML v2.0 Metadata Profile for Algorithm Support Version 1.0
    11. Entities that do not follow standard rules regarding Binding values on protocol endpoints in metadata
    12. Entities that do not conform to the SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
    13. Entities that do not conform to the Identity Provider Discovery Service Protocol and Profile
    14. Entities that do not conform to the Service Provider Request Initiation Protocol and Profile Version 1.0
    15. Entities that do not conform to the SAML V2.0 Metadata Interoperability Profile
    16. Entities that do not conform to the SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
    17. Entities that do not conform to the SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0
    18. Entities that do not conform to the REFEDS Research and Scholarship Entity Category
    19. Entities that do not conform to the REFEDS SIRTFI specification
    20. Entities that do not conform to the SAML V2.0 Metadata specification
    21. SP entities with an endpoint location that is not HTTPS-protected
    22. Entities that do not conform to the ADFS Metadata Profile
    23. Entities that have inconsistent metadata for SAML 1.x support
    24. Entities that have errors in their RequestedAttributes elements
  5. Silently remove all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
    1. This happens because some SPs choose to join multiple federations.
    2. Dozens of global SPs are filtered by this rule.

    A number of additional rules are applied to ensure metadata correctness. Some common minor errors are corrected but entities failing checks such as XML schema validity are removed.
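The <shibmd:Scope> rule in import rule 4 above, written out as an added example (this is not the aggregator's own code). The public suffix set is a constructed subset standing in for the real Public Suffix List, and the helper names are this example's own:

```python
import re
from typing import Optional

# Constructed subset of the Public Suffix List for this example only; a real
# check must consult the full list published at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "edu", "org", "ac.uk", "co.uk"}

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# A regexp="true" scope must END with an escaped dot, a literal tail of at least
# two labels joined by escaped dots, and a '$' anchor, e.g. r"^.+\.example\.edu$".
TAIL = re.compile(r"\\\.([A-Za-z0-9-]+(?:\\\.[A-Za-z0-9-]+)+)\$$")

def is_domain_name(value: str) -> bool:
    """Syntactically valid domain name: non-empty, no white space, valid labels."""
    if not value or any(c.isspace() for c in value) or len(value) > 253:
        return False
    return all(LABEL.match(label) for label in value.split("."))

def under_public_suffix(domain: str) -> bool:
    """True when at least one label precedes a listed public suffix."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in PUBLIC_SUFFIXES for i in range(1, len(labels)))

def scope_is_permissible(value: str, regexp: Optional[str]) -> bool:
    """Apply the v9 <shibmd:Scope> rule to one element's text and regexp attribute.

    The regexp attribute is required, so a missing (None) or malformed one is faulty.
    """
    if regexp not in ("true", "false"):
        return False
    if regexp == "false":
        return is_domain_name(value) and under_public_suffix(value)
    # regexp="true": empty or white-space-containing patterns are rejected outright.
    if not value or any(c.isspace() for c in value):
        return False
    m = TAIL.search(value)
    if m is None:
        return False                       # no "\.tail$" ending
    literal_tail = m.group(1).replace("\\.", ".")   # decode the encoded dots
    return under_public_suffix(literal_tail)
```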

    Log all of the following (see the published import filter logs):

    • entities filtered by an import rule
    • entities removed for lack of schema validity
    • entities modified in any way

    Entity Attribute Blacklist

    Name                                                        Value
    urn:oasis:names:tc:SAML:attribute:assurance-certification   .../assurance/bronze
    urn:oasis:names:tc:SAML:attribute:assurance-certification   http://id.incommon.org/assurance/silver

    XML Namespace Whitelist

    Namespace                                                        Prefix
    urn:oasis:names:tc:SAML:metadata:algsupport                      alg
    http://www.w3.org/2000/09/xmldsig#                               ds
    urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser   hoksso
    http://id.incommon.org/metadata                                  icmd
    urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol      idpdisc
    urn:oasis:names:tc:SAML:profiles:SSO:request-init                init
    urn:oasis:names:tc:SAML:2.0:metadata                             md
    urn:oasis:names:tc:SAML:metadata:attribute                       mdattr
    urn:oasis:names:tc:SAML:metadata:rpi                             mdrpi
    urn:oasis:names:tc:SAML:metadata:ui                              mdui
    http://refeds.org/metadata                                       remd
    urn:oasis:names:tc:SAML:2.0:assertion                            saml
    urn:mace:shibboleth:metadata:1.0                                 shibmd
    http://www.w3.org/2001/04/xmlenc#                                xenc
    http://www.w3.org/XML/1998/namespace                             xml
    http://www.w3.org/2001/XMLSchema-instance                        xsi

    Metadata Export Policy

    Basic Metadata Export Policy

    InCommon Operations refreshes the export aggregate daily, in conjunction with the daily metadata-signing process.

    1. IdPs are exported by default (but may choose to opt out)
    2. SPs actively opt in to the export process

     InCommon Operations reserves the right to prevent any entity from being exported.

    The following export rules have been implemented:

    1. Filter all entities not having XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
      1. Only entities registered by InCommon will be exported.
    2. Filter the legacy incommon.org R&S entity attribute value from exported SP entity metadata:
      1. http://id.incommon.org/category/research-and-scholarship
      2. This legacy attribute value remains in SP metadata for backwards compatibility only. We intend to completely remove this attribute value from SP metadata in the future.
      3. This legacy attribute value has nothing to do with R&S interoperability outside of the InCommon Federation.
    3. Filter SAML1-only entities:
      1. An SP entity not having at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding will not be exported.
      2. An IdP entity not having a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding will not be exported.
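The three export rules applied to a single md:EntityDescriptor, as an added example that is not InCommon's own code. The sample SP metadata is constructed, and the example assumes the legacy R&S value is carried in a standard entity-category attribute (Name="http://macedir.org/entity-category"):

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
INCOMMON = "https://incommon.org"
LEGACY_RS = "http://id.incommon.org/category/research-and-scholarship"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def has_binding(role, path, binding):
    return any(ep.get("Binding") == binding for ep in role.findall(path, NS))

def apply_export_rules(entity):
    """True if this md:EntityDescriptor may be exported; rule 2 edits it in place."""
    # Rule 1: only entities registered by InCommon are exported.
    reg = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None or reg.get("registrationAuthority") != INCOMMON:
        return False
    sp = entity.find("md:SPSSODescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)
    # Rule 3: SAML1-only roles are not exported.
    if sp is not None and not has_binding(sp, "md:AssertionConsumerService", HTTP_POST):
        return False
    if idp is not None and not has_binding(idp, "md:SingleSignOnService", HTTP_REDIRECT):
        return False
    # Rule 2: strip the legacy incommon.org R&S value from SP entity attributes.
    if sp is not None:
        for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            for val in [v for v in attr if (v.text or "").strip() == LEGACY_RS]:
                attr.remove(val)
    return True

def entity_category_values(entity):
    return [v.text.strip() for v in entity.findall(
        "md:Extensions/mdattr:EntityAttributes/saml:Attribute/saml:AttributeValue", NS)]

# Constructed sample SP metadata; the registration authority and ACS binding
# are parameterised so that each of the three export rules can be exercised.
def sample_sp(authority=INCOMMON, binding=HTTP_POST):
    return ET.fromstring(f"""<md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"
 xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
 <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{authority}"/>
  <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>{LEGACY_RS}</saml:AttributeValue>
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="{binding}" index="1" Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
 </md:SPSSODescriptor></md:EntityDescriptor>""")
```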

    Extension schema required for exported metadata

    Namespace                                                        Prefix
    http://id.incommon.org/metadata                                  icmd
    http://refeds.org/metadata                                       remd
    http://www.w3.org/2000/09/xmldsig#                               ds
    http://www.w3.org/2001/XMLSchema-instance                        xsi
    http://www.w3.org/XML/1998/namespace                             xml
    urn:mace:shibboleth:metadata:1.0                                 shibmd
    urn:oasis:names:tc:SAML:2.0:assertion                            saml
    urn:oasis:names:tc:SAML:2.0:metadata                             md
    urn:oasis:names:tc:SAML:metadata:attribute                       mdattr
    urn:oasis:names:tc:SAML:metadata:rpi                             mdrpi
    urn:oasis:names:tc:SAML:metadata:ui                              mdui
    urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol      idpdisc