The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Community Review in progress!

This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org).

A Checklist for New IdPs

Basic considerations for New IdPs:

  1. Identify at least two Site Administrators to administer IdP metadata
  2. Refresh and verify metadata at least daily (every hour if possible)
  3. Choose your entityID carefully
    1. a simple, generic name is best
      1. example: https://sso.example.edu/idp
    2. hostname must be rooted in your primary domain (e.g., example.edu)
    3. hostname need not match endpoint locations
  4. Choose your Scope carefully
    1. usually equal to your primary domain
    2. used to construct eduPersonPrincipalName
    3. avoid multiple Scopes in metadata

Is your IdP secure and trustworthy?

  1. Create and handle your private key safely and securely!
  2. Do not share your signing key with other SAML entities
  3. Sign assertions using:
    1. a strong 2048-bit key
    2. the SHA-256 digest algorithm (which may not be supported by your software)
  4. Protect all SAML IdP endpoints with TLS
  5. Protect the Logo URL with TLS

Is your IdP interoperable?

  1. Support SAML2 Web Browser SSO
  2. Publish a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding
  3. Publish long-lived, self-signed certificates in metadata
  4. Publish technical and administrative contacts in metadata
  5. Stabilize the following permanent metadata elements:
    1. entityID
    2. Scope
    3. endpoint locations
    4. certificates
  6. Support at least the following user attributes:
    1. eduPersonPrincipalName (non-reassigned)
    2. eduPersonTargetedID (optional)
    3. mail (== ePPN)
    4. displayName
    5. givenName
    6. sn (surName)
  7. Stabilize the values of persistent identifiers (ePPN and ePTID)
  8. Test and monitor all SAML endpoints 24x7

Is your IdP discoverable?

  1. Publish the following [user interface elements] in metadata:
    1. DisplayName
    2. Information URL (optional)
    3. Logo URL
  2. Publish an appropriate error handling URL in metadata
  3. Adopt a measured attribute release process
    1. release a SAML2 NameID (Transient or Persistent) to all SPs
    2. release the “standard” attribute bundle to all InCommon SPs
      1. especially if this is public directory information
    3. support the Research & Scholarship Category

Recommended protocol support for new IdPs:

  1. Support SAML2 only (do not support SAML1)
  2. Remove the SAML2 AttributeService endpoint
  3. Remove the SAML2 ArtifactResolutionService endpoint
Unknown macro: {div}

Read more...

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels