Versions Compared

Old Version 12

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 13

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Wiki Markup
{note:title=Community Review in progress!}
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the [InCommon participants mailing list|https://lists.incommon.org/sympa/info/participants] ([mailto:participants@incommon.org]).
{note}

h2. A Checklist for New IdPs

Effective federation depends on IdPs that are both _interoperable_ and _trustworthy_. To this end, a new IdP is expected to satisfy certain requirements. Some of these requirements are operational while other requirements pertain to the IdP's entity descriptor in metadata.

h3. Is your IdP secure and trustworthy?

A _trustworthy IdP_ is the basic building block of an identity federation.

# All SAML exchanges are protected with XML Signature and/or TLS.
## SAML keys are securely generated and stored (see: [IdP Key Handling])
## SAML keys are not shared with other entities
# SAML assertions are signed using:
## a strong 2048-bit key
## the SHA-256 digest algorithm (which may not be supported by your software)
# All browser-facing SAML endpoints are protected with TLS (see: [TLS Server Certificates])
## TLS certificates are trusted by the browser
## TLS keys are securely generated and stored
# The IdP's Logo URL is protected with TLS

{warning:title=Protect your private keys!}
Safeguarding the IdP’sMaintain positive control of your private keys—especially at all times. Most importantly, safeguard the IdP signing key—, which protects _all Federation participants_ from the disastrous consequences of a key compromise.
{warning}

h3. Is your IdP interoperable?

By definition, an _interoperable IdP_ strives to provide an overall positive [federated user experience|Federated User Experience].

# Support SAML2 Web Browser SSO
# Publish a SAML2 {{SingleSignOnService}} endpoint that supports the HTTP-Redirect binding
# Publish long-lived, self-signed [certificates in metadata|X.509 Certificates in Metadata]
# Publish technical and administrative [contacts in metadata|Contacts in Metadata]
# Stabilize the following metadata elements:
## entityID
## Scope
## endpoint locations
## certificates
# Support at least the following user attributes:
## eduPersonPrincipalName (non-reassigned)
## eduPersonTargetedID (optional)
## mail (== ePPN)
## displayName
## givenName
## sn (surName)
# Stabilize the values of persistent identifiers (ePPN and ePTID)
# Test and monitor all SAML endpoints 24x7

h3. Is your IdP discoverable?

A _discoverable IdP_ in an interoperable IdP with the following additional properties:

# Publish the following [user interface elements|IdPUIElements] in metadata:
## DisplayName
## Information URL (optional)
## Logo URL
# Adopt a measured [attribute release process|Attribute Release Process]
## release a SAML2 NameID (Transient or Persistent) to *all* SPs
## release a [minimal subset of the R&S attribute bundle|Identity Providers that Support R and S] to R&S SPs
## release public directory information to *all* SPs
# Publish an appropriate [error handling URL|Error Handling URL] in metadata

{div:style=padding-left:1.5em;padding-bottom:2.0ex;}Read more about [Discoverable IdPs]{div}

{tip:title=Support R&S}
Support the [Research & Scholarship Category|Research and Scholarship Category] of services *now*!
{tip}