{note:title=Community Review in progress!}
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the [InCommon participants mailing list|https://lists.incommon.org/sympa/info/participants] ([mailto:participants@incommon.org]).
{note}

h2. A Checklist for New IdPs

h3. Basic considerations for New IdPs:

# Identify at least two Site Administrators to [administer IdP metadata|Metadata Administration]
# [Refresh and verify metadata|Metadata Consumption] at least daily (every hour if possible)
# Choose your [entityID|Entity IDs] carefully
## a simple, generic name is best
### example: {nl:https://sso.example.edu/idp}
## hostname must be rooted in your primary domain (e.g., example.edu)
## hostname need not match endpoint locations
# Choose your [Scope|Scope in Metadata] carefully
## usually equal to your primary domain
## used to construct eduPersonPrincipalName
## avoid multiple Scopes in metadata

h3. Is your IdP secure and trustworthy?

A _trustworthy IdP_ is the basic building block of an identity federation.

# Create and [handle your private key|IdP Key Handling] safely and securely!
# Do not share your signing key with other SAML entities
# Sign assertions using:
## an RSA key of at least 2048 bits
## the SHA-256 digest algorithm (confirm that your IdP software supports it before you deploy)
# Protect all SAML [IdP endpoints|IdP Endpoints] with TLS
# Protect the Logo URL with TLS

{warning:title=Protect your private key!}
Safeguarding the IdP’s private signing key protects _all Federation participants_ from the disastrous consequences of a key compromise.
{warning}

h3. Is your IdP interoperable?

By definition, an _interoperable IdP_ strives to provide an overall positive [Federated User Experience].

# Support SAML2 Web Browser SSO
# Publish a SAML2 {{SingleSignOnService}} endpoint that supports the HTTP-Redirect binding
# Publish long-lived, self-signed [certificates in metadata|X.509 Certificates in Metadata]
# Publish technical and administrative [contacts in metadata|Contacts in Metadata]
# Stabilize the following metadata elements:
## entityID
## Scope
## endpoint locations
## certificates
# Support at least the following user attributes:
## eduPersonPrincipalName (non-reassigned)
## eduPersonTargetedID (optional)
## mail (same value as ePPN)
## displayName
## givenName
## sn (surname)
# Stabilize the values of persistent identifiers (ePPN and ePTID)
# Test and monitor all SAML endpoints 24x7

h3. Is your IdP discoverable?

A _discoverable IdP_ is an interoperable IdP with the following additional properties:

# Publish the following [user interface elements|IdPUIElements] in metadata:
## DisplayName
## Information URL (optional)
## Logo URL
# Adopt a measured [attribute release process|Attribute Release Process]
## release a SAML2 NameID (Transient or Persistent) to *all* SPs
## release a [minimal subset of the R&S attribute bundle|Identity Providers that Support R and S] to R&S SPs
## release public directory information to *all* SPs
# Publish an appropriate [error handling URL|Error Handling URL] in metadata

{div:style=padding-left:1.5em;padding-bottom:2.0ex;}[Read more...|Discoverable IdPs]{div}

{tip:title=Support R&S}
Support the [Research & Scholarship Category|Research and Scholarship Category] of services *now*!
{tip}

h3. Recommended protocol support for new IdPs:

# Support SAML2 only (do not support SAML1)
# Remove the SAML2 AttributeService endpoint
# Remove the SAML2 ArtifactResolutionService endpoint

{div:style=padding-left:1.5em;padding-bottom:2.0ex;}[Read more...|Protocol Support for New IdPs]{div}
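Most of the checklist items above that concern metadata (an entityID rooted in the primary domain, exactly one Scope equal to that domain, TLS on every endpoint and on the Logo URL, a signing certificate and technical/administrative contacts in metadata, a SAML2 {{SingleSignOnService}} with the HTTP-Redirect binding, mdui DisplayName and Logo, SAML2-only protocol support with no {{AttributeService}} or {{ArtifactResolutionService}}) can be checked mechanically against your own metadata before you submit it. The script below is an added example written for this page; it is not InCommon or Shibboleth tooling. It uses only the Python standard library, the metadata it inspects is constructed inline for a hypothetical IdP (the certificate element holds a placeholder, not a real certificate), and the primary domain example.edu is assumed. Key length and digest algorithm are properties of the signing certificate and of the assertions the IdP emits, and are not inspected here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata for a hypothetical IdP that passes the checklist (certificate is a placeholder).
SAMPLE_OK = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sso.example.edu/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:Logo height="60" width="80">https://sso.example.edu/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.edu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
  <ContactPerson contactType="technical"><EmailAddress>mailto:idp-admins@example.edu</EmailAddress></ContactPerson>
  <ContactPerson contactType="administrative"><EmailAddress>mailto:idp-admins@example.edu</EmailAddress></ContactPerson>
</EntityDescriptor>"""

# The same metadata with mistakes the checklist warns about (also constructed).
SAMPLE_BAD = (SAMPLE_OK
    .replace('entityID="https://sso.example.edu/idp"', 'entityID="https://idp.hosting-vendor.com/idp"')
    .replace("https://sso.example.edu/logo.png", "http://sso.example.edu/logo.png")
    .replace(SAML2 + '"', SAML2 + ' urn:oasis:names:tc:SAML:1.1:protocol"')
    .replace("</IDPSSODescriptor>", '<ArtifactResolutionService index="1" '
             'Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" '
             'Location="https://sso.example.edu/idp/profile/SAML2/SOAP/ArtifactResolution"/>'
             "</IDPSSODescriptor>"))


def _in_domain(url, domain):
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def lint_idp_metadata(xml_text, primary_domain):
    """Return a list of checklist violations; an empty list means the metadata passes."""
    findings = []
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor in metadata"]
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).scheme != "https" or not _in_domain(entity_id, primary_domain):
        findings.append(f"entityID {entity_id} is not an https URL rooted in {primary_domain}")
    scopes = idp.findall("md:Extensions/shibmd:Scope", NS)
    if len(scopes) != 1:
        findings.append(f"expected exactly one Scope, found {len(scopes)}")
    for scope in scopes:
        if (scope.text or "").strip() != primary_domain or scope.get("regexp", "false") != "false":
            findings.append(f"Scope {scope.text!r} is not the literal primary domain")
    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2 not in protocols:
        findings.append("SAML2 protocol is not advertised")
    if any(p.startswith("urn:oasis:names:tc:SAML:1.") for p in protocols):
        findings.append("SAML1 protocol is still advertised")
    has_redirect_sso = False
    for ep in root.iter():  # any md:* element carrying a Location is an endpoint, in any role descriptor
        if not (ep.tag.startswith("{" + NS["md"] + "}") and ep.get("Location")):
            continue
        name, location, binding = ep.tag.split("}")[1], ep.get("Location"), ep.get("Binding", "")
        if urlparse(location).scheme != "https":
            findings.append(f"{name} endpoint {location} is not protected by TLS")
        if "urn:oasis:names:tc:SAML:1.0:" in binding or binding.startswith("urn:mace:shibboleth:1.0"):
            findings.append(f"{name} still offers SAML1 binding {binding}")
        if name in ("AttributeService", "ArtifactResolutionService"):
            findings.append(f"{name} endpoint should be removed")
        if name == "SingleSignOnService" and binding == HTTP_REDIRECT:
            has_redirect_sso = True
    if not has_redirect_sso:
        findings.append("no SAML2 SingleSignOnService with the HTTP-Redirect binding")
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") != "encryption"]
    if not any(k.find("ds:KeyInfo/ds:X509Certificate", NS) is not None for k in signing):
        findings.append("no signing X509Certificate in metadata")
    contacts = {c.get("contactType") for c in root.findall("md:ContactPerson", NS)}
    for needed in ("technical", "administrative"):
        if needed not in contacts:
            findings.append(f"no {needed} contact in metadata")
    ui = idp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None or ui.find("mdui:DisplayName", NS) is None:
        findings.append("no mdui:DisplayName in metadata")
    logos = ui.findall("mdui:Logo", NS) if ui is not None else []
    if not logos:
        findings.append("no mdui:Logo in metadata")
    for logo in logos:
        if urlparse((logo.text or "").strip()).scheme != "https":
            findings.append(f"Logo URL {(logo.text or '').strip()} is not protected by TLS")
    return findings


if __name__ == "__main__":
    for label, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(label, lint_idp_metadata(doc, "example.edu") or ["passes"])
```

Run it against the metadata your IdP actually publishes (read the file into {{lint_idp_metadata}} with your own primary domain) before submitting it for registration, and again whenever you change an endpoint, certificate or Scope: an empty list means every metadata item on the checklist is satisfied, and each string returned names the item that still needs attention. The endpoint walk deliberately covers the whole EntityDescriptor, since the {{AttributeService}} the checklist asks you to remove lives in an {{AttributeAuthorityDescriptor}}, not in the {{IDPSSODescriptor}}.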