
You are viewing an old version of this page (version 29).

At the November TAC F2F, we discussed having a matrix of best practices by which to evaluate registered sites to help set expectations and create peer pressure. This is a preliminary set of suggested criteria.

Policy

Technical Basics

  • Metadata Consumption
    • refresh metadata daily
    • verify the XML signature
    • check the expiration date
  • X.509 Certificates in Metadata
    • use of self-signed certificates with 2048-bit keys
    • no expired certificates in metadata
    • controlled migration of keys
  • User Interface Elements in IdP/SP Metadata
  • Requested Attributes in SP Metadata
  • SAML V2.0 Support
    • IdPs MUST include a TLS-protected endpoint that supports the SAML V2.0 HTTP-Redirect binding
    • IdPs MUST support the urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier format
    • SPs that support SAML V2.0 should indicate so in metadata (be specific)
    • SPs MUST include a TLS-protected endpoint that supports the SAML V2.0 HTTP-POST binding
    • SPs MUST include an encryption key
  • SAML V1.1 Support
    • IdPs MUST include a TLS-protected endpoint that supports the Shibboleth 1.x AuthnRequest protocol
    • IdPs MUST support the urn:mace:shibboleth:1.0:nameIdentifier transient name identifier format
    • SPs MUST include a TLS-protected endpoint that supports the SAML V1.1 Browser/POST profile
  • SAML V2.0 Enhanced Client or Proxy (ECP) Support
    • IdPs MUST include a TLS-protected (?) endpoint that supports the SAML V2.0 SOAP binding
    • SPs MUST include a TLS-protected (?) endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding
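
As an added example (not part of the original wiki page), the following Python script scores a metadata aggregate against a few of the criteria above: the validUntil expiration check under Metadata Consumption, and the SAML V2.0 requirements for a TLS-protected HTTP-Redirect SSO endpoint, the transient NameID format, a TLS-protected HTTP-POST ACS and an SP encryption key. It does not verify the XML signature (that needs an XML-DSig library such as xmlsec); the sample aggregate, entity IDs and criterion names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample aggregate (not real InCommon metadata): one IdP that meets
# the criteria, one SP whose ACS is plain http and which carries no KeyDescriptor.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" validUntil="2099-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor>
   <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
   <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/SSO"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"><md:SPSSODescriptor>
   <md:AssertionConsumerService Binding="{POST}" Location="http://sp.example.edu/POST" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _tls(endpoint):
    # "TLS-protected endpoint" is read here as: the Location URL uses https
    return endpoint.get("Location", "").lower().startswith("https://")

def check_aggregate(xml_text, now=None):
    # Returns {"aggregate": {...}, "entities": {entityID: {criterion: bool}}}
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # "check the expiration date": a missing or past validUntil fails the aggregate
    vu = root.get("validUntil")
    expiry = datetime.fromisoformat(vu.replace("Z", "+00:00")) if vu else None
    report = {"aggregate": {"not_expired": expiry is not None and expiry > now}, "entities": {}}
    for ed in root.findall("md:EntityDescriptor", NS):
        crit = {}
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            crit["idp_tls_redirect_sso"] = any(s.get("Binding") == REDIRECT and _tls(s)
                                               for s in idp.findall("md:SingleSignOnService", NS))
            crit["idp_transient_nameid"] = TRANSIENT in [
                f.text for f in idp.findall("md:NameIDFormat", NS)]
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            crit["sp_tls_post_acs"] = any(a.get("Binding") == POST and _tls(a)
                                          for a in sp.findall("md:AssertionConsumerService", NS))
            # a KeyDescriptor with use="encryption", or with no use attribute (valid for both uses)
            crit["sp_encryption_key"] = any(k.get("use") in (None, "encryption")
                                            for k in sp.findall("md:KeyDescriptor", NS))
        report["entities"][ed.get("entityID")] = crit
    return report
```

Running `check_aggregate(SAMPLE)` flags the sample SP on both of its criteria while the IdP passes; point it at a real aggregate only after the signature has been verified.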

Operational Maturity

  • Maintaining Supported Software
  • Operational Compliance with Metadata IOP
  • Federation as a "First Order" UI
  • Discovery
    • Choices offered should result in an "acceptable" experience
  • Error Handling
    • Look and Feel
    • Useful Contacts

Maximizing the Federation

  • Documented Attribute Release Process
  • Support for SAML 2.0 "persistent" NameID or eduPersonTargetedID
  • Release of "basic" attributes without admin involvement (via consent or otherwise)

Parked Items

  • Keys of less than a certain age
    • We should consider what, if any, age is actually "too old"
  • Full saml2int conformance
  • InCommon Implementation Profile conformance
    • Could identify "exceptions to conformance" to highlight specific missing capabilities or could break profile into separate features in the matrix

Meeting Notes

Meeting Notes - April 21, 2011
