The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

Community Review in progress!

This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org).

A Checklist for New IdPs

Effective federation depends on IdPs that are both interoperable and trustworthy. To this end, a new IdP is expected to satisfy certain requirements. Some of these requirements are operational while other requirements pertain to the IdP's entity descriptor in metadata.

Is your IdP secure and trustworthy?

A trustworthy IdP is the basic building block of an identity federation.

  1. Create and handle your private key safely and securely!
  2. Do not share your signing key with other SAML entities
  3. Sign assertions using:
    1. a strong 2048-bit key
    2. the SHA-256 digest algorithm (which may not be supported by your software)
  4. Protect all IdP endpoints with TLS
  5. Protect the Logo URL with TLS

Protect your private keys!

Safeguarding the IdP’s private keys—especially the IdP signing key—protects all Federation participants from the disastrous consequences of a key compromise.

Is your IdP interoperable?

By definition, an interoperable IdP strives to provide an overall positive federated user experience.

  1. Support SAML2 Web Browser SSO
  2. Publish a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding
  3. Publish long-lived, self-signed certificates in metadata
  4. Publish technical and administrative contacts in metadata
  5. Stabilize the following metadata elements:
    1. entityID
    2. Scope
    3. endpoint locations
    4. certificates
  6. Support at least the following user attributes:
    1. eduPersonPrincipalName (non-reassigned)
    2. eduPersonTargetedID (optional)
    3. mail (== ePPN)
    4. displayName
    5. givenName
    6. sn (surName)
  7. Stabilize the values of persistent identifiers (ePPN and ePTID)
  8. Test and monitor all SAML endpoints 24x7

Is your IdP discoverable?

A discoverable IdP in an interoperable IdP with the following additional properties:

  1. Publish the following [user interface elements] in metadata:
    1. DisplayName
    2. Information URL (optional)
    3. Logo URL
  2. Adopt a measured attribute release process
    1. release a SAML2 NameID (Transient or Persistent) to all SPs
    2. release a [minimal subset of the R&S attribute bundle] to R&S SPs
    3. release public directory information to all SPs
  3. Publish an appropriate error handling URL in metadata
Unknown macro: {div}

Read more about [Discoverable IdPs]

Support R&S

Support the Research & Scholarship Category of services now!

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels