Domains in Endpoint Locations
- New policy:
  - All domains in IdP endpoint locations SHOULD be owned by the organization associated with the IdP.
- New public doc for review: IdP Endpoint Locations
- New procedure (to be implemented):
  - The InCommon RA will no longer verify domains in endpoint locations in either IdP metadata or SP metadata.
  - The InCommon RA will continue to verify domains in entityIDs in both IdP metadata and SP metadata.
  - The InCommon RA will continue to verify Scopes in IdP metadata.
- Documentation needed: SP Endpoint Locations
Incident: Multiple Attempts to Publish Metadata on March 10
- On Friday, March 10, Ops published three signed aggregates at 4:21 pm, 5:28 pm, and 6:16 pm EST.
- The first two published files were identical to the previous day's file and therefore incorrect. The third file was the correct file.
- Root Cause: eduGAIN Operations altered the order of entities in the eduGAIN aggregate.
- For details, see: Incident Report 2017-03-10
HTTPS-Protected Endpoints
- Question: Should all protocol endpoints in metadata be HTTPS-protected?
- Current policy: All protocol endpoints in IdP metadata SHALL be HTTPS-protected.
- Proposed additional policy: All protocol endpoints in SP metadata SHALL be HTTPS-protected.
- For details, see: HTTPS-protected Endpoints
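Since the RA will stop checking endpoint domains, the two policies above (endpoint domains owned by the organization; all protocol endpoints HTTPS-protected) become something an operator has to verify for themselves. The following is an added example, not InCommon or eduGAIN code, of a self-check over SAML metadata: it walks every role descriptor, collects every Location and ResponseLocation, and reports endpoints that are not https:// and endpoints whose hostname is outside a set of owned domains. The metadata below is a constructed fragment (idp.example.edu, sso.vendor-cloud.example.com are not real entities), and the assumption that the RA-verified Scope values are a usable stand-in for "domains owned by the organization" is this example's, not the policy's; pass an explicit domain list if your organization's endpoint hosts differ from its scopes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
ROLE_TAGS = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed sample (hypothetical entity, not from any federation): one endpoint
# is plain http://, one sits on a third-party domain outside the IdP's scope.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    </md:Extensions>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sso.vendor-cloud.example.com/idp/profile/SAML2/SOAP/ArtifactResolution"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoints(metadata_xml):
    """Return (role, element, attribute, url) for every Location/ResponseLocation
    found under any IdP, SP or AA role descriptor in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role_tag in ROLE_TAGS:
        for role in root.iter("{%s}%s" % (NS["md"], role_tag)):
            for elem in role.iter():
                for attr in ("Location", "ResponseLocation"):
                    url = elem.get(attr)
                    if url:
                        found.append((role_tag, elem.tag.split("}")[1], attr, url))
    return found


def scopes(metadata_xml):
    """Literal (non-regexp) shibmd:Scope values; regexp scopes are skipped because
    they do not name a concrete domain to compare against."""
    root = ET.fromstring(metadata_xml)
    return [s.text.strip() for s in root.iter("{%s}Scope" % NS["shibmd"])
            if s.get("regexp", "false") == "false" and s.text]


def non_https_endpoints(metadata_xml):
    """Endpoints that violate the 'SHALL be HTTPS-protected' policy."""
    return [e for e in endpoints(metadata_xml)
            if urlparse(e[3]).scheme.lower() != "https"]


def host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in (x.lower().rstrip(".") for x in domains))


def endpoints_outside_domains(metadata_xml, owned_domains=None):
    """Endpoints whose hostname is not under an owned domain. Defaults to the
    entity's literal scopes as the owned-domain list (an assumption of this example)."""
    domains = owned_domains if owned_domains is not None else scopes(metadata_xml)
    return [e for e in endpoints(metadata_xml)
            if not host_in_domains(urlparse(e[3]).hostname or "", domains)]


if __name__ == "__main__":
    for finding in non_https_endpoints(SAMPLE_METADATA):
        print("not HTTPS:", finding)
    for finding in endpoints_outside_domains(SAMPLE_METADATA):
        print("outside owned domains:", finding)
```

Run against the sample, the first check flags the HTTP-POST SingleSignOnService and the second flags the ArtifactResolutionService on sso.vendor-cloud.example.com; a hosted or outsourced IdP legitimately has endpoints on a vendor domain, which is why the domain policy is a SHOULD and the check takes an explicit domain list rather than failing hard.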