Page tree
Skip to end of metadata
Go to start of metadata

Jump to: 

Baseline Expectations 2 approved by InCommon Steering

The InCommon Steering Committee has approved the second set of Baseline Expectations, including three technical requirements aimed at improving security and the user experience. This follows an extensive community collaboration and consultation process.

The InCommon community adopted Baseline Expectations for Trust in Federation in 2018, including a set of common expectations that all participants must meet. The effort concluded successfully in February 2019, when 100 percent of Federation participants met those expectations.

Baseline Expectations 2 (BE2) includes three additional elements that all participants must meet during 2021.

  1. Each Identity Provider and Service Provider will secure its connection endpoints with current and trusted encryption (TLS)
  2. All Identity Providers and Service Providers will comply with the SIRTFI international security response framework
  3. All Identity Providers will include an error URL in metadata

Key Documents

Additions in Baseline Expectations 2

STATEMENT: All Identity Providers (IdP) and Service Providers (SP) service endpoints must be secured with current and community-trusted transport layer encryption. 

When registering an entity (IdP or SP) in InCommon, all connection endpoints of that entity must be an https URL. The applied transport layer security protocol and associated cipher must be current and trusted by the community. 

Popular security testing software such as the Qualys SSL Lab Server test offers a convenient way to test your server against these criteria and identify weaknesses. If using the Qualys SSL Lab Server test, an overall rating of A or better is considered meeting the requirements of the InCommon Baseline Expectations.

MORE: Clarification - Encrypt Entity Service Endpoints

STATEMENT: All entities (IdP and SP) meet the requirements of the SIRTFI v1.0 trust framework when handling security incidents involving federation participants

The SIRTFI trust framework v1.0 enables standardized and timely security incident response coordination among federation participants. When signaling and responding to security incidents within the federation, entity operators shall adhere to the process defined in the Sirtfi framework.

MORE: Clarification - Entity Complies with SIRTFI v1.0

STATEMENT: All IdP metadata must include an errorURL; if the condition is appropriate, SPs should use the IdP-supplied errorURL to direct the user to proper support.

IdP entity metadata must include a valid errorURL in its IDPSSODescriptor element.

An errorURL specifies a location to direct a user for problem resolution and additional support in the event a user encounters problems accessing a service. In SAML metadata for an IdP, errorURL is an XML attribute applied to the IDPSSODescriptor element. 

When a service provider is unable to process an authentication assertion from an IdP, it may display within its error message a link to this URL to direct the user back to the IdP for additional assistance.  

MORE: Clarification - IDP Metadata Must Have an Error URL

Schedule

Date
September 8, 2020Consultation begins
September 23, 2020Baseline Expectations 2 Consultation Office Hour (see Office Hour below)
October 19, 2020Consultation closes
November 2, 2020Baseline Expectations 2 approved by InCommon Steering
November 17, 2020Implementation Kick-off, CAMP/ACAMP
November '20 - January '21CTAB contact non-adhering participants
July 2021Transition: new/updated entities must adhere to BE2
December 2021All entities meet BE2; close project