The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Is your SAML deployment ready for eduGAIN?

Depending on your answers to the following questions, your SAML deployment may be at-risk. Your action may be required.

IdP Software Issues

Are you running the Shibboleth Identity Provider software?

Shibboleth IdP deployers are strongly advised to allocate at least 1024MB of heap space in the JVM to Protect Against Failed Metadata Processes.

Are you running Shibboleth Identity Provider V2?

Shibboleth IdP V2 deployments earlier than V2.4.5 are susceptible to a logging issue that masks an error message when the JVM runs out of memory. For more info: Protect Against Failed Metadata Processes

Are you running Shibboleth Identity Provider V3?

Shibboleth IdP V3 deployments earlier than V3.2.0 are susceptible to a logging issue that masks an error message when the JVM runs out of memory. For more info: Protect Against Failed Metadata Processes

Are you running the simpleSAMLphp software?

All simpleSAMLphp deployments earlier than 1.13.2 are susceptible to performance issues when processing large metadata files. For more info: Protect Against Failed Metadata Processes

SP Software Issues

Are you running the simpleSAMLphp software?

All simpleSAMLphp deployments earlier than 1.13.2 are susceptible to performance issues when processing large metadata files. For more info: Protect Against Failed Metadata Processes

Also, if you need to filter metadata (see below), install the metarefresh patch contributed to the simpleSAMLphp project by Cirrus Identity.

IdP Configuration Issues

Does your IdP refresh and verify InCommon metadata at least daily?

If not, self-assert membership in the Hide From Discovery Category. See: Metadata Consumption.

Does your IdP consume metadata from multiple sources?

If your IdP consumes metadata from multiple sources (which is typical), the introduction of global metadata may cause a race condition that results in interoperability issues. For example, suppose a Shibboleth IdP is configured with a chaining MetadataProvider as follows:

A chaining MetadataProvider for Shibboleth IdP 3.0 (and later)
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

  <!-- Refresh some pre-InCommon metadata aggregate -->
  <MetadataProvider id="preICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
                    ...>

      <!-- ... -->
  </MetadataProvider>

  <!-- Refresh the InCommon metadata aggregate -->
  <MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
                    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                    backingFile="%{idp.home}/metadata/InCommon-metadata.xml">

      <!-- ... -->
  </MetadataProvider>

  <!-- Refresh some post-InCommon metadata aggregate -->
  <MetadataProvider id="postICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
                    ...>

      <!-- ... -->
  </MetadataProvider>

</MetadataProvider>

Entity metadata normally refreshed post-InCommon may be short-circuited by global metadata introduced into the InCommon metadata aggregate.

Does your IdP rely on the Name XML attribute in InCommon metadata?

Do not rely on the md:EntitiesDescriptor/@Name XML attribute in InCommon metadata.

Does your IdP have a default attribute release policy?

Does your IdP support the global Research & Scholarship Category?

Does your IdP rely on the incommon.org R&S entity attribute value in SP metadata?

SP Configuration Issues

Does your SP refresh and verify InCommon metadata at least daily?

If not, your SP may be lacking a proper certificate revocation mechanism and therefore blindly trusting signed SAML assertions. See: Metadata Consumption.

Does your SP consume metadata from multiple sources?

If your SP consumes metadata from multiple sources, the introduction of global metadata may cause a race condition that results in interoperability issues.

Does your SP have a dynamic discovery interface?

If your SP has a dynamic discovery interface and you do not export your SP metadata, then you should filter global metadata at the SP, otherwise some users may have a failed login experience. If necessary, configure your SP using the Registered By InCommon Category.

IdP Metadata Issues

Does your IdP support SAML V2.0 Web Browser SSO?

An IdP that does not support SAML V2.0 Web Browser SSO will not be exported. (An IdP advertises supports SAML V2.0 Web Browser SSO if its metadata contains a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.)

SP Metadata Issues

Does your SP support SAML V2.0 Web Browser SSO?

An SP that does not support SAML V2.0 Web Browser SSO will not be exported. (An SP advertises supports SAML V2.0 Web Browser SSO if its metadata contains at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.)

Other Issues

Does your organization have more than one IdP registered in metadata?


#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels