{note:title=Community Review in progress!}
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the [InCommon participants mailing list|https://lists.incommon.org/sympa/info/participants] ([mailto:participants@incommon.org]).
{note}

h2. A Checklist for New IdPs

h3. Basic considerations for New IdPs:

# Identify at least two Site Administrators to [administer IdP metadata|Metadata Administration]
# [Refresh and verify metadata|Metadata Consumption] at least daily (every hour if possible)
# Choose your [entityID|Entity IDs] carefully
## a simple, generic name is best
### example: {nl:https://sso.example.edu/idp}
## hostname must be rooted in your primary domain (e.g., example.edu)
## hostname need not match endpoint locations
# Choose your [Scope|Scope in Metadata] carefully
## usually equal to your primary domain
## used to construct eduPersonPrincipalName
## avoid multiple Scopes in metadata

h3. Is your IdP secure and trustworthy?

A _trustworthy IdP_ is the basic building block of an identity federation.

# Create and [handle your private key|IdP Key Handling] safely and securely!
# Do not share your signing key with other SAML entities
# Sign assertions using:
## a strong 2048-bit key
## the SHA-256 digest algorithm (which may not be supported by your software)
# Protect all SAML [IdP endpoints|IdP Endpoints] with TLS
# Protect the Logo URL with TLS

{warning:title=Protect your private key!}
Safeguarding the IdP's private signing key protects _all Federation participants_ from the disastrous consequences of a key compromise.
{warning}

h3. Is your IdP interoperable?

By definition, an _interoperable IdP_ strives to provide an overall positive [Federated User Experience].

# Support SAML2 Web Browser SSO
# Publish a SAML2 {{SingleSignOnService}} endpoint that supports the HTTP-Redirect binding
# Publish long-lived, self-signed [certificates in metadata|X.509 Certificates in Metadata]
# Publish technical and administrative [contacts in metadata|Contacts in Metadata]
# Stabilize the following metadata elements:
## entityID
## Scope
## endpoint locations
## certificates
# Support at least the following user attributes:
## eduPersonPrincipalName (non-reassigned)
## eduPersonTargetedID (optional)
## mail (== ePPN)
## displayName
## givenName
## sn (surName)
# Stabilize the values of persistent identifiers (ePPN and ePTID)
# Test and monitor all SAML endpoints 24x7

h3. Is your IdP discoverable?

A _discoverable IdP_ is an interoperable IdP with the following additional properties:

# Publish the following [user interface elements|IdPUIElements] in metadata:
## DisplayName
## Information URL (optional)
## Logo URL
# Adopt a measured [attribute release process|Attribute Release Process]
## release a SAML2 NameID (Transient or Persistent) to *all* SPs
## release a [minimal subset of the R&S attribute bundle|Identity Providers that Support R and S] to R&S SPs
## release public directory information to *all* SPs
# Publish an appropriate [error handling URL|Error Handling URL] in metadata

{div:style=padding-left:1.5em;padding-bottom:2.0ex;}[Read more...|Discoverable IdPs]{div}

{tip:title=Support R&S}
Support the [Research & Scholarship Category|Research and Scholarship Category] of services *now*!
{tip}

h3. Recommended protocol support for new IdPs:

# Support SAML2 only (do not support SAML1)
# Remove the SAML2 AttributeService endpoint
# Remove the SAML2 ArtifactResolutionService endpoint

{div:style=padding-left:1.5em;padding-bottom:2.0ex;}[Read more...|Protocol Support for New IdPs]{div}
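Several items on this checklist (entityID rooted in the primary domain, a single Scope, TLS on every endpoint, an HTTP-Redirect SingleSignOnService, no AttributeService or ArtifactResolutionService, technical and administrative contacts, SAML2 only) can be verified mechanically against an IdP's own metadata. The following is an added example, not code from InCommon or this page; the sample EntityDescriptor it runs against is constructed for illustration and deliberately violates three of the checks.

```python
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text, primary_domain):
    """Return the checklist findings for one EntityDescriptor (empty list = all checks passed)."""
    root = ET.fromstring(xml_text)
    findings = []
    host = urlparse(root.get("entityID", "")).hostname or ""
    if host != primary_domain and not host.endswith("." + primary_domain):
        findings.append(f"entityID host {host!r} is not rooted in {primary_domain}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor"]
    if "SAML:1.1:protocol" in idp.get("protocolSupportEnumeration", ""):
        findings.append("SAML1 is still advertised; support SAML2 only")
    scopes = [s.text for s in idp.findall(".//shibmd:Scope", NS)]
    if scopes != [primary_domain]:
        findings.append(f"expected the single Scope {primary_domain!r}, got {scopes}")
    sso_redirect = False
    for ep in [e for e in root.iter() if e.get("Location")]:  # every endpoint, in any role
        loc, tag = ep.get("Location"), ep.tag.split("}")[-1]
        if urlparse(loc).scheme != "https":
            findings.append(f"{tag} endpoint not protected by TLS: {loc}")
        if tag in ("AttributeService", "ArtifactResolutionService"):
            findings.append(f"remove the {tag} endpoint")
        if tag == "SingleSignOnService" and ep.get("Binding") == REDIRECT:
            sso_redirect = True
    if not sso_redirect:
        findings.append("no SingleSignOnService with the HTTP-Redirect binding")
    types = {c.get("contactType") for c in root.findall("md:ContactPerson", NS)}
    for needed in ("technical", "administrative"):
        if needed not in types:
            findings.append(f"missing {needed} contact")
    return findings

# Constructed sample metadata (not a real IdP): plain-http SSO endpoint, artifact service, no admin contact
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://sso.example.edu/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
  <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://sso.example.edu/idp/artifact" index="1"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://sso.example.edu/idp/SSO"/>
 </md:IDPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp@example.edu</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
```

Run it with `check_idp_metadata(SAMPLE, "example.edu")` to list the three violations; a clean descriptor returns an empty list. Key length and digest algorithm are not covered here, since that requires parsing the X509Certificate element with a crypto library.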