InCommon Participants established the InCommon Baseline Expectations for Trust in Federation to increase trust and interoperability among InCommon federation participants and to define what they expect of each other and of InCommon Operations. Practices that are trustworthy at one time become deprecated as technology progresses, organizations shift their practices over time, and personnel turnover leaves institutional knowledge gaps. The InCommon Federation Community Trust and Assurance Board (CTAB) has therefore recognized that InCommon has an interest in monitoring how far self-assertions of Baseline Expectations drift over time and in helping organizations keep their assertions accurate. The metadata health monitoring capabilities in the Federation Manager are foundational to this effort.

Launch Schedule

  • 10/23/23 - Site Administrator Announcement Email

  • 11/07/23 - Metadata Health Check Email

  • 11/08/23 - Launch of Metadata Health feature

Roles

  • Site Administrators

    • InCommon Site Administrators (SAs) manage their organization's entities, i.e. the SAML metadata for their Identity Provider (IdP) and/or Service Provider (SP).
  • Metadata Contacts

    • Administrative, Technical, and Security contacts are required for each organization's entity. Contact information in metadata enables Federation participants to reach each other to coordinate interoperation setup, support, and incident response. These contacts are managed by Site Administrators along with the rest of the entity's SAML metadata.

Introduction to Metadata Health

  • What is Metadata Health?

    • Metadata health is determined by scans that check whether published metadata elements are alive and reachable and, where applicable, meet the appropriate encryption requirements. The elements assessed are the published metadata contacts, URLs (Privacy Statement, Logo, Error), and TLS endpoints.
  • Where to find the new Metadata Health Page?

    • From the Site Administrator Dashboard, click into an Identity Provider or Service Provider
    • Click ‘Metadata Health’ tab on the left menu bar



Entity Checker

  • What is the Entity Checker, i.e. what metadata information does it scan, and how does an entity get scanned?

    • Contacts 
      • Contact Health scans are currently separated from entity scans and will be conducted in a biannual batch process
    • URLs
      • Privacy Statement URL (User Interface Elements)
      • Logo URL (User Interface Elements)
      • Error URL (IdPs only)
    • TLS endpoints (IdP or SP SSO Settings)
    • The entity checker scans elements of an entity’s published metadata (as described above) on a scheduled and on-demand basis
  • What is scheduled and on-demand scanning?

    • Scheduled entity scans run periodically across all entities, prioritizing recently published entities
    • One entity check (URLs and TLS) will complete in approximately 10 minutes
    • Contact Health scans are currently separated from entity scans and will be conducted in a biannual batch process
  • When should a Site Administrator initiate an on-demand scan?

    • Because scans check published metadata, a Site Administrator should initiate a scan no sooner than 1 hour after their last published changes (see Metadata Signing Process)
  • How often can a Site Administrator initiate a new scan?

    • A Site Administrator can initiate a per entity scan once every 30 minutes
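The elements listed above live in specific places in an entity's SAML metadata: the Privacy Statement and Logo URLs are mdui:UIInfo children, the Error URL is the errorURL attribute of the IDPSSODescriptor, the TLS endpoints are the Location attributes of the SSO/ACS/logout services, and the contacts are ContactPerson elements. As an added example (not Federation Manager code and not an InCommon tool), the following Python pulls those elements out of an EntityDescriptor with the standard library. The metadata is constructed for the example; the example.edu hostnames and addresses and the plain-http Logo URL are placeholders. It also applies two checks the page implies but does not spell out: that all three required contact types are present (the REFEDS security contact is encoded as contactType="other" with a remd:contactType marker) and that every scanned URL is https, since no TLS score can be produced for a plain-http endpoint.

```python
# Added example (not Federation Manager code): pull the elements the Entity
# Checker scans out of a SAML EntityDescriptor with the standard library only.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "remd": "http://refeds.org/metadata",
}
REFEDS_SECURITY = "http://refeds.org/metadata/contactType/security"
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService",
                 "AssertionConsumerService", "ArtifactResolutionService")

# Constructed sample IdP metadata. Hostnames and addresses are placeholders; the
# plain-http Logo URL is deliberate so non_https() below has something to flag.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:remd="http://refeds.org/metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor errorURL="https://idp.example.edu/error"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:PrivacyStatementURL xml:lang="en">https://www.example.edu/privacy</mdui:PrivacyStatementURL>
        <mdui:Logo height="60" width="80">http://www.example.edu/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="administrative">
    <md:EmailAddress>mailto:iam-director@example.edu</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:idp-admin@example.edu</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def extract_health_targets(xml_text):
    """Return {"urls": {type: url}, "endpoints": [url, ...], "contacts": [(type, email), ...]}."""
    root = ET.fromstring(xml_text)
    targets = {"urls": {}, "endpoints": [], "contacts": []}
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.findall(f"md:{role}", NS):
            # errorURL is an attribute of the IdP role descriptor, not a UIInfo child.
            if desc.get("errorURL"):
                targets["urls"]["Error"] = desc.get("errorURL")
            uiinfo = desc.find("md:Extensions/mdui:UIInfo", NS)
            if uiinfo is not None:
                for tag, label in (("PrivacyStatementURL", "Privacy Statement"), ("Logo", "Logo")):
                    el = uiinfo.find(f"mdui:{tag}", NS)
                    if el is not None and el.text:
                        targets["urls"][label] = el.text.strip()
            for tag in ENDPOINT_TAGS:
                for ep in desc.findall(f"md:{tag}", NS):
                    targets["endpoints"].append(ep.get("Location"))
    for person in root.findall("md:ContactPerson", NS):
        ctype = person.get("contactType")
        # The REFEDS security contact is contactType="other" plus a remd:contactType marker.
        if ctype == "other" and person.get(f"{{{NS['remd']}}}contactType") == REFEDS_SECURITY:
            ctype = "security"
        for email in person.findall("md:EmailAddress", NS):
            addr = (email.text or "").strip()
            if addr.lower().startswith("mailto:"):
                addr = addr[len("mailto:"):]
            targets["contacts"].append((ctype, addr))
    return targets


def missing_required_contacts(targets):
    """Contact types the page says every entity must publish but this entity lacks."""
    present = {ctype for ctype, _ in targets["contacts"]}
    return sorted({"administrative", "technical", "security"} - present)


def non_https(targets):
    """Scanned URLs and endpoints that are not https; a TLS scan cannot score those."""
    candidates = list(targets["urls"].values()) + targets["endpoints"]
    return [u for u in candidates if urlparse(u).scheme != "https"]


if __name__ == "__main__":
    found = extract_health_targets(SAMPLE_METADATA)
    print("URLs:", found["urls"])
    print("TLS endpoints:", found["endpoints"])
    print("Missing contact types:", missing_required_contacts(found))
    print("Not https:", non_https(found))
```

Run against your own entity's published metadata (not the Federation Manager's working copy, since only published metadata is scanned) to see exactly which URLs and endpoints the next scan will touch, and fix anything non_https reports before requesting an on-demand scan.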



Contact Health Status

  • What is Contact Health scanning?

    • Published metadata contacts are scanned to check if they are alive and reachable.
  • What does the status (Healthy, Unhealthy, or No Status) in the Contact Health column mean?

    • Healthy - An email delivery attempt to the address on record succeeded
    • Unhealthy - An email delivery attempt to the address on record resulted in a hard bounce
    • No Status - The email address has not yet been scanned
  • Clicking the Contact Name will take the Site Administrator to the contacts tab

    • To update contacts:
      • Contacts > Edit or Delete
      • Review and Submit > Publish This Entity
      • Published contacts will show on the Metadata Health tab and will be included in the next contact health check (currently biannual)



URL Health Status

  • What is URL Health scanning?

    • Published metadata URLs are scanned to check if they are alive and reachable.
  • What does the status (Healthy, Unhealthy, No Status) in the URL Health column mean?

    • Healthy - The request reached a final response of 200 or 304 after at most 5 redirects
    • Unhealthy - The final response was something other than 200 or 304, or more than 5 redirects were needed to resolve the URL
    • No Status - The URL has not yet been scanned
  • What do the status codes in the Reason column mean?

  • Clicking the URL Type will take the Site Administrator to the corresponding URL tab



TLS Endpoint Encryption Scores

  • What is a TLS Endpoint Encryption Score?

  • What is the current score vs. the trend report of previous scores?

    • An entity's current score is shown at the top of the list, followed by all recently recorded scores for reference
    • An entity’s TLS score at a certain point in time reflects what was published and subsequently scanned at that time
  • Clicking the current score will take the Site Administrator to the IdP/SP SSO Settings tab



HTTP Status Codes

  • What does this URL Health Status reason mean (404, 500, etc)?

  • My URL Health Status reason is a redirect status (30X), but it's listed as Unhealthy. Why?

    • An attempt to reach the URL must be resolved via a maximum of 5 redirects
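The Healthy/Unhealthy rules in the URL Health Status section and the 30X question above describe the same redirect limit. The following Python is an added example, not the Federation Manager's checker, that applies those rules: the final answer must be 200 or 304, and at most 5 redirects may be followed before the URL is called Unhealthy with the redirect status as the reason. It runs offline against a constructed response table (the example.edu URLs and the /hop/N chain are placeholders); live_fetch shows how to make a single real request without urllib silently following redirects, which would otherwise hide the hop count.

```python
# Added example (not Federation Manager code): classify a published URL the way
# the URL Health column does, with the 5-redirect limit enforced explicitly.
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_REDIRECTS = 5
HEALTHY_FINAL = {200, 304}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed stand-in for the web: url -> (HTTP status, Location header or None).
# The /hop/N chain redirects N -> N+1 until /hop/8 answers 200.
FAKE_RESPONSES = {
    "https://www.example.edu/privacy": (200, None),
    "https://www.example.edu/old-privacy": (301, "https://www.example.edu/privacy"),
    "https://www.example.edu/logo.png": (304, None),
    "https://idp.example.edu/error": (404, None),
    "https://www.example.edu/maintenance": (503, None),
    "https://www.example.edu/hop/8": (200, None),
}
for i in range(1, 8):
    FAKE_RESPONSES[f"https://www.example.edu/hop/{i}"] = (302, f"/hop/{i + 1}")


def fake_fetch(url):
    """Offline fetch; an unknown URL plays the role of a DNS or connection failure."""
    return FAKE_RESPONSES.get(url, (None, None))


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so that check_url counts each hop itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Real single-request fetch (no redirect following) returning (status, Location)."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here when not followed
        return e.code, e.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None, None


def check_url(url, fetch=fake_fetch, max_redirects=MAX_REDIRECTS):
    """Return (status label, text for the Reason column, redirects followed)."""
    if max_redirects < 0:
        raise ValueError("max_redirects must be >= 0")
    current = url
    for hops in range(max_redirects + 1):
        status, location = fetch(current)
        if status is None:
            return "Unhealthy", "connection failed", hops
        if status in REDIRECTS and location:
            if hops == max_redirects:
                # A 6th redirect would be needed: report the 30X but mark Unhealthy.
                return "Unhealthy", f"{status} (exceeded {max_redirects} redirects)", hops
            current = urljoin(current, location)  # Location may be relative
            continue
        label = "Healthy" if status in HEALTHY_FINAL else "Unhealthy"
        return label, str(status), hops


def check_entity_urls(urls, fetch=fake_fetch):
    """Run check_url over {URL type: url}; returns {URL type: (label, reason, hops)}."""
    return {kind: check_url(u, fetch) for kind, u in urls.items()}


if __name__ == "__main__":
    sample_entity = {  # constructed; pass fetch=live_fetch to test real URLs
        "Privacy Statement": "https://www.example.edu/old-privacy",
        "Logo": "https://www.example.edu/logo.png",
        "Error": "https://idp.example.edu/error",
    }
    for kind, (label, reason, hops) in check_entity_urls(sample_entity).items():
        print(f"{kind:18} {label:10} reason={reason} redirects={hops}")
```

In the constructed table /hop/3 resolves after exactly 5 redirects and is Healthy, while /hop/2 needs a 6th and comes back Unhealthy with "302" in the reason, which is the situation the question above describes. A 304 is accepted as a final answer because it means the resource exists and is unchanged, not because the body was fetched.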

Frequently Asked Questions

  • Why do my Timestamps not match?

    • Contact Health Status - This is currently separated from entity scans and will be conducted in a biannual batch process
    • URL Health Status and TLS Endpoint Encryption Scores - Both are scanned together as part of scheduled and on-demand entity scans. Note: if a URL is used by more than one entity, the timestamp of the URL result may differ from that of the TLS result.
  • I just changed some of my metadata, why don’t I see that change on the metadata health tab?

    • Once you submit metadata updates, the changes are not published until InCommon runs a metadata signing (see Metadata Signing Process). Only published metadata elements are scanned to check whether they are alive and reachable and, where applicable, meet the appropriate encryption requirements
  • I see a TLS result from the past that I want to know more about, how can I see why I got that result?

    • TLS scans are conducted on what was in publication the day the scan ran. The endpoints and/or health of the system checked on that day dictate the outcome of that scan. While the Federation Manager has your current endpoint data, you would need to look back at your own change logs to determine what was in place and the state of service on a certain date in the past.
  • My entity's scan button is inactive, why?

    • Once you start editing an entity, your working copy of the entity potentially differs from what is published and accessible to scan. Since only published metadata elements are scanned, the scan button is inactive until your changes are submitted AND published.



