
Metadata Registration Practice Statement

InCommon maintains a registry of organizationally valid SAML metadata. Entity metadata is aggregated, signed, and published daily at well-known HTTP locations.

  1. Registration of an Organization
    1. An organization that wishes to register metadata in the InCommon Federation signs a legal document called the InCommon Participation Agreement.
    2. The official name of the organization is recorded on the Participation Agreement.
    3. The InCommon Registration Authority verifies the organization name against public information sources.
  2. Registration of Organizational Representatives
    1. Executive
      1. The InCommon Executive for an organization is identified on the Participation Agreement.
      2. Contact information for the Executive (i.e., email address and phone number) is listed on the Participation Agreement.
      3. The Registration Authority verifies the contact information for the Executive.
    2. Site Administrator
      1. The Executive identifies one or more Site Administrators for the organization.
      2. The contact information (i.e., email address and phone number) for a Site Administrator is verified by the Registration Authority.
      3. Each Site Administrator is issued login credentials for the InCommon Federation Manager, a web application for managing metadata.
    3. Delegated Administrator
      1. A Site Administrator identifies Delegated Administrators for the organization as needed.
      2. The contact information (i.e., email address) for a Delegated Administrator is verified by sending the Delegated Administrator an email invitation to log into the Federation Manager.
      3. A Delegated Administrator logs into the Federation Manager with a federated credential.
  3. Production of Entity Metadata
    1. Supported XML Schema
      1. InCommon metadata is schema-valid against the XML schema listed in the OASIS Security Assertion Markup Language (SAML) V2.0 Metadata specification. (See the official wiki page of the OASIS Security Services (SAML) Technical Committee for links to this specification and its associated schema.)
      2. InCommon metadata also relies on various extension schema:
        1. SAML V2.0 Metadata Extension for Entity Attributes (mdattr:)
        2. SAML V2.0 Metadata Extensions for Login and Discovery User Interface (mdui:)
        3. SAML V2.0 Metadata Extensions for Registration and Publication Information (mdrpi:)
        4. SAML 2.0 Metadata Extensions for Shibboleth (shibmd:)
    2. Registration of Entity Metadata
      1. A Delegated Administrator submits metadata update requests to the Site Administrator via the Federation Manager. A Site Administrator must approve all such metadata update requests.
      2. A Site Administrator submits metadata signing requests to the Federation Operator via the Federation Manager.
      3. The Registration Authority vets and approves all metadata signing requests submitted by the Site Administrator.
    3. Augmentation of Entity Metadata
      1. The Federation Operator (FedOp) adds an <md:Organization> element to each entity descriptor. The value of the <md:OrganizationName> element is the name of the organization shown on the Participation Agreement.
      2. The FedOp adds an <mdrpi:RegistrationInfo> extension element to each entity descriptor. The value of its registrationAuthority XML attribute is "https://incommon.org".
      3. The FedOp adds other elements to qualifying entity descriptors:
        1. entity attributes denoting entity categories (such as Research and Scholarship, R&S)
        2. identity assurance qualifiers
  4. Production of Metadata Aggregate
    1. The FedOp aggregates entity metadata daily, wrapping the entity descriptors in a top-level <md:EntitiesDescriptor> element.
    2. The FedOp adds an expiration date to the metadata aggregate. The value of the validUntil XML attribute on the top-level <md:EntitiesDescriptor> element is a dateTime two (2) weeks after the aggregate is produced; a metadata client must not use an aggregate past that time.
    3. The FedOp adds an <mdrpi:PublicationInfo> child element to the top-level <md:EntitiesDescriptor> element. The value of the publisher XML attribute is "https://incommon.org".
  5. Metadata Signing and Publication
    1. The InCommon Key Authority signs one or more Metadata Aggregates with a private offline key protected by multiple layers of access control. A rigorous Metadata Signing Process is followed.
    2. The corresponding public key is bound to a Metadata Signing Certificate. Metadata clients obtain this certificate out of band and pin it, using it to verify the signature on every aggregate they fetch; this is what bootstraps a secure metadata refresh process.
    3. Once the metadata aggregates are signed, they are published to a public Metadata Server.
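The following is an added example, not InCommon's own tooling or the Federation Manager's code. It does two things: it applies the augmentation of section 3.3 and the aggregation of section 4 to a submitted entity descriptor (the entity ID, organization name, organization URL and contact address are constructed sample data; the namespace URIs are the real ones named in section 3.1), and it then performs the checks a metadata client should run on a fetched aggregate after verifying the XML signature against its pinned Metadata Signing Certificate (section 5.2): the validUntil window, the mdrpi:PublicationInfo publisher, and the per-entity registrationAuthority. XML signature verification itself needs an xmldsig library and is deliberately not part of this block. The creationInstant attribute and the OrganizationDisplayName/OrganizationURL values are schema-driven additions not specified by the practice statement and are assumptions here.

```python
"""Added example: InCommon-style metadata augmentation, aggregation and the
consumer-side checks. Not InCommon's code; sample entity data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces named in section 3.1 (the URIs are the real ones).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

REGISTRATION_AUTHORITY = "https://incommon.org"   # sections 3.3.2 and 4.3
VALIDITY = timedelta(weeks=2)                      # section 4.2
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def iso(dt):
    """xs:dateTime in UTC with a Z suffix, as SAML metadata requires."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def augment_entity(entity, org_name, org_url):
    """Section 3.3: add mdrpi:RegistrationInfo and md:Organization to a submitted
    entity descriptor. Schema order matters: Extensions must be the first child and
    Organization must precede any ContactPerson."""
    ext = entity.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(q("md", "Extensions"))
        entity.insert(0, ext)
    ET.SubElement(ext, q("mdrpi", "RegistrationInfo"),
                  {"registrationAuthority": REGISTRATION_AUTHORITY})
    org = ET.Element(q("md", "Organization"))
    # OrganizationName is the name on the Participation Agreement (3.3.1). The
    # display name and URL are required by the schema but not by the practice
    # statement; reusing org_name / org_url for them is an assumption.
    ET.SubElement(org, q("md", "OrganizationName"), {XML_LANG: "en"}).text = org_name
    ET.SubElement(org, q("md", "OrganizationDisplayName"), {XML_LANG: "en"}).text = org_name
    ET.SubElement(org, q("md", "OrganizationURL"), {XML_LANG: "en"}).text = org_url
    contacts = entity.findall("md:ContactPerson", NS)
    if contacts:
        entity.insert(list(entity).index(contacts[0]), org)
    else:
        entity.append(org)
    return entity


def build_aggregate(entities, now):
    """Section 4: wrap entity descriptors in md:EntitiesDescriptor, set validUntil
    two weeks out, and add mdrpi:PublicationInfo naming the publisher."""
    root = ET.Element(q("md", "EntitiesDescriptor"), {"validUntil": iso(now + VALIDITY)})
    ext = ET.SubElement(root, q("md", "Extensions"))
    ET.SubElement(ext, q("mdrpi", "PublicationInfo"),
                  {"publisher": REGISTRATION_AUTHORITY,
                   "creationInstant": iso(now)})   # optional in mdrpi; an assumption here
    for entity in entities:
        root.append(entity)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_aggregate(xml_bytes, now, max_validity=VALIDITY):
    """Consumer-side checks, run AFTER the XML signature has been verified against the
    pinned Metadata Signing Certificate (not done here). Returns a list of problems;
    an empty list means the aggregate may be used."""
    root = ET.fromstring(xml_bytes)
    if root.tag != q("md", "EntitiesDescriptor"):
        return ["root element is not md:EntitiesDescriptor"]
    problems = []
    vu = root.get("validUntil")
    if vu is None:
        problems.append("no validUntil: aggregate would never expire")
    else:
        until = parse_iso(vu)
        if until <= now:
            problems.append("aggregate expired at %s" % vu)
        elif until - now > max_validity:   # longer than the publisher's stated policy
            problems.append("validUntil %s exceeds the %s validity policy" % (vu, max_validity))
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None or pub.get("publisher") != REGISTRATION_AUTHORITY:
        problems.append("publisher is not %s" % REGISTRATION_AUTHORITY)
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        ri = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if ri is None or ri.get("registrationAuthority") != REGISTRATION_AUTHORITY:
            problems.append("%s: not registered by %s" % (eid, REGISTRATION_AUTHORITY))
        if ent.find("md:Organization/md:OrganizationName", NS) is None:
            problems.append("%s: no md:OrganizationName" % eid)
    return problems


# Constructed sample: an SP descriptor as a Site Administrator might submit it.
SUBMITTED_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:admin@example.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def demo(now=SAMPLE_NOW):
    """Augment the sample SP, aggregate it, and check the result at time `now`."""
    sp = augment_entity(ET.fromstring(SUBMITTED_SP), "Example University", "https://www.example.edu/")
    aggregate = build_aggregate([sp], now)
    return aggregate, check_aggregate(aggregate, now)


if __name__ == "__main__":
    xml_bytes, problems = demo()
    print(xml_bytes.decode())
    print("problems:", problems)
```

Running the script prints the augmented aggregate and an empty problem list. Re-checking the same bytes with a clock past the validUntil reports the aggregate as expired, and rewriting the registrationAuthority attribute makes the entity fail the provenance check; both are the conditions under which a client must refuse to load the metadata.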

admin@incommon.org
