Versions Compared

Old Version 76

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version Current

changes.mady.by.user Albert Wu (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Warning
titleThe InCommon Federation wiki has moved.


We have exciting news! An updated InCommon Federation wiki is now available. Please visit the new InCommon Federation Library for updated content.

This wiki is preserved for historical records only. It will no longer be updated. 

We invite you to come check out the new Library. Don't forget to update your bookmarks accordingly. 


Button Hyperlink
iconsearch
titleVisit the InCommon Federation Library wiki
typeprimary
urlfederation:InCommon Federation Library


In this document the InCommon Federation presents recommendations for federation participants regarding many aspects of federation practice. Sites following these practices will find benefits not only to their own use of the federation but will enable other participants to more easily and completely take advantage of federated services.

...

InCommon expects this set of recommendations will evolve as new capabilities are added to federation infrastructure, and as participants gain more experience with what practices work best.

Table of Contents

Organizational Presence

A key part of creating online trust is accurately representing your organization to other federation participants, including organization identity management organizational contact information and security practices, and contact information.

Participant Operational Practices

...

.

Contacts in Metadata

  1. Include technical, administrative, security, and support contacts in metadata.
  2. List contacts in metadata as mailing lists, reflectors, or similar mechanisms, rather than specific individuals.
  3. Refer users encountering attribute release policy issues with a service to their IdP's administrative contact.

...

  1. Publish federated incident response contact information for your federated services and identity providers.
  2. Implement a log retention policy for federated services and identity providers.
  3. Document and advertise your procedure for responding to a federated security incident.

Technical Basics

Maintaining complete and accurate information in InCommon metadata is important so systems from other federation participants can best engage with your site's services.

...

  1. To ensure that scoped attributes are globally unique, a scope in metadata should be a DNS domain controlled by the IdP.

X.509 Certificates in Metadata

See X.509 Certificates in Metadata, particularly:

  1. The certificates registered by a participant contain at least 2048-bit RSA public keys, are self-signed, are not expired, and do not carry revocation-related extensions.

  2. Certificate migration is performed in a controlled fashion that does not require participants who follow metadata consumption best practices to specially accommodate the change.
  3. Service providers include and support an encryption key in SP metadata.

SAML Protocol Endpoints

See Endpoints in Metadata, particularly:

  1. All endpoints are protected with SSL/TLS.
  2. All entities support SAML V2.0 Web Browser SSO.

Endpoints in IdP Metadata

See IdP Endpoints, particularly:

  1. IdPs protect all endpoints with SSL/TLS.
  2. IdPs support SAML V2.0 Web Browser SSO and (optionally) SAML V1.1 Web Browser SSO.
  3. IdPs support authentication requests via the SAML V2.0 HTTP-Redirect binding and (optionally) the legacy Shibboleth 1.x AuthnRequest protocol.
  4. IdPs support SAML V2.0 Enhanced Client or Proxy (ECP) authentication requests from non-browser clients via the SAML V2.0 SOAP binding using either Basic Authentication or TLS Client Authentication.
  5. IdPs (optionally) support SAML V1.1 attribute queries but do not advertise support for SAML V2.0 attribute queries unless necessary.

Endpoints in SP Metadata

See SP Endpoints, particularly:

  1. SPs protect all endpoints with SSL/TLS.
  2. SPs support SAML V2.0 Web Browser SSO, the SAML V2.0 Identity Provider Discovery Protocol, and the use of XML Encryption.
  3. SPs support the SAML V2.0 HTTP-POST binding and (optionally) the SAML V1.1 Browser/POST profile.
  4. SPs (optionally) support the SAML V2.0 Enhanced Client or Proxy profile.
  5. SPs that support SAML V1.1 Web Browser SSO also support SAML V1.1 attribute queries.

...

  1. SPs that seek a wide audience of IdPs without explicit contracts or arrangements ahead of time specify the attributes they need in order to facilitate consent-driven user interfaces.

Operational Maturity

Maintaining Supported Software

See Maintaining Supported Software, particularly:

  1. Appropriate staff monitor "security" and/or "announce" mailing lists for critical software.
  2. Software versions are reasonably current and upgraded ahead of "end of life" dates.

Protect Against Failed Metadata Processes

See Protect Against Failed Metadata Processes, particularly:

  1. Shibboleth IdP

    1. Allocate at least 1500MB of heap space in the JVM

    2. Enable DEBUG-level logging on selected Java classes

Federated User Experience

See Federated User Experience with particular attention to the following.

Initiating Login

  1. A "Login" link is placed in the upper right corner.
  2. The main application screen is uncluttered by choices of different login mechanisms.

...

Maximizing the Federation

Identity Provider Attribute Release Process

See Attribute Release Process, particularly:

  1. IdPs make common identity attributes (identifiers, displayName, mail) available to educationally useful/non-commercial SPs for significant user populations, either subject to opt-in user consent, or with an opt-out process.
  2. IdPs document and publish their policies and procedures for the release of attributes. The <PrivacyStatementURL> element should link directly or indirectly to this information.
  3. An "administrative" contact is documented for each IdP and SP identifying a point of contact for attribute release issues.

Persistent Identifier Support

See Persistent Identifier Support, particularly:

  1. IdPs support the eduPersonPrincipalName and eduPersonTargetedID attributes.
  2. When SAML 2.0 is used, the "persistent" <NameID> format is used to represent the eduPersonTargetedID attribute.
  3. The release of eduPersonTargetedID is automated for most or all affiliates (save perhaps for students opting out under FERPA) to SPs that are not otherwise subject to user anonymity requirements, such as some library services.


HTML Comment
hiddentrue

Parked Items

  • Keys of less than a certain age
    • We should consider what, if any, age is actually "too old"
  • Full saml2int conformance
  • InCommon Implementation Profile conformance
    • Could identify "exceptions to conformance" to highlight specific missing capabilities or could break profile into separate features in the matrix
  • Identity attributes
    • Regular (event-driven? nightly?) synchronization with systems of record
    • Documentation of locally-defined attributes
  • Reporting of statistics
  • Education
    • For end-users
      • Privacy
      • Appropriate use
      • Protection of secrets