Effective federation depends on IdPs that are both interoperable and trustworthy. To this end, a new IdP in metadata is expected to satisfy certain requirements.
As a matter of policy, each organization is allowed one IdP in metadata. By request, a second IdP in metadata may be purchased for an extra $1,000 per year.
The first IdP an organization introduces into metadata is assumed to be a production IdP. Do not submit temporary IdP metadata with the intention of changing it later on. IdP metadata that is obviously temporary (e.g., that contains the substring "test" in names and locations) will not be approved.
An optional second IdP may be introduced into metadata. This second IdP may be a test IdP.
Test IdPs in Metadata
Test IdPs in metadata are allowed but seldom needed and therefore discouraged.
The following is true of all IdP metadata:
- The entity ID for an IdP in metadata is permanent and once established can not be changed. (Note that the Federation Manager currently allows the entity ID to be changed but such an update request will not be approved by the RA.)
- The display name for a production IdP (which is used by the InCommon Discovery Service and other discovery interfaces) is the name of the organization that signed the Participation Agreement. The RA is authoritative for this display name in IdP metadata.
- Choose your IdP Endpoints carefully. The endpoint locations in IdP metadata are permanent in the sense that changing them will break interoperability with partner SPs. To restore interoperability with your IdP, each SP must refresh metadata.
All new IdPs in metadata are subject to the following requirements:
- The IdP MUST support the SAML V2.0 HTTP-Redirect binding, one of numerous endpoints in metadata.
- The IdP MUST provide a Logo and an Information URL, two important user interface elements in metadata.
- The IdP MUST provide technical and administrative contacts in metadata.
- The IdP SHOULD provide an error handling URL in metadata.
There are at least two things you must do to assure the trustworthiness of your IdP:
- The IdP MUST refresh and verify metadata at least daily.
- The IdP MUST ensure that its private signing key is safe and secure.
Regular metadata refresh insures that the IdP is operating on the latest metadata of its partner SPs. Safeguarding the IdP's private key protects everyone in the Federation from the disastrous consequences of a key compromise.