Differenze tra le versioni di "Technical Profile"
(42 versioni intermedie di 3 utenti non mostrate) | |||
Riga 1: | Riga 1: | ||
− | <big> | + | <big>Version 1.1.0</big> |
− | <big> | + | <big>19 January 2024</big> |
− | === | + | ===Revisions=== |
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
Riga 11: | Riga 11: | ||
!Autore | !Autore | ||
|- | |- | ||
− | |1.0 | + | |1.0.4 |
− | | | + | |21-10-2021 |
− | | | + | |Translated from the Italian version |
|Marco Malavolti | |Marco Malavolti | ||
Barbara Monticini | Barbara Monticini | ||
Davide Vaghetti | Davide Vaghetti | ||
+ | |||
+ | Mario Di Lorenzo | ||
+ | |- | ||
+ | |1.0.5 | ||
+ | |16-02-2022 | ||
+ | |IDP-FED03 - Removed Privacy Policy examples | ||
+ | |Davide Vaghetti | ||
|- | |- | ||
− | |1.0. | + | |1.0.6 |
− | | | + | |06-09-2022 |
− | | | + | |Added links to IDP-FED05 e SP-FED05 into IDP-MD09 & SP-MD08 |
|Marco Malavolti | |Marco Malavolti | ||
− | + | |- | |
+ | |1.1.0 | ||
+ | |19-01-2024 | ||
+ | |SEC03 - Ban on using references to SAML v1.x deprecated protocol added | ||
+ | IDP-MD04, IDP-MD12, IDP-MD13, SP-MD03, SP-MD10, SP-MD11 - Added recommendation on maximum 256 character limit | ||
+ | |||
+ | IDP-MD05, SP-MD04 - Added recommendation on the maximum limit of 1024 characters | ||
+ | |||
+ | IDP-FED02 - Removed the sample references | ||
+ | |||
+ | IDP-MD08 - Removed the sample references | ||
+ | |||
+ | IDP-MD15, SP-MD13 - Added the prefix specification "mailto:" | ||
− | + | SP-FED01 - Reference to eduPersonScopedAffiliation specific documentation added | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | SP-FED02 - Added reference to the service provider’s Privacy Policy | |
− | + | SP-MD03, SP-MD04 - Added ServiceName and ServiceDescription checked elements | |
− | |||
− | |||
− | |||
− | |||
|Marco Malavolti | |Marco Malavolti | ||
Barbara Monticini | Barbara Monticini | ||
Riga 69: | Riga 79: | ||
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
+ | |||
+ | ====SEC03 - No SAML v1==== | ||
+ | The entity metadata MUST contain ONLY SAML 2.x protocol references. | ||
+ | |||
+ | [[Profilo Tecnico Operativo#top|[TOP]]] | ||
+ | |||
==Identity Provider== | ==Identity Provider== | ||
===Metadata (IDP-MD)=== | ===Metadata (IDP-MD)=== | ||
Riga 74: | Riga 90: | ||
====IDP-MD01 - validUntil==== | ====IDP-MD01 - validUntil==== | ||
− | <code>validUntil</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be removed along with | + | <code>validUntil</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be removed along with its value as it will be replaced by the IDEM Federation. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
+ | |||
====IDP-MD02 - entityID==== | ====IDP-MD02 - entityID==== | ||
− | <code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum | + | <code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum length of 256 characters. |
− | If the | + | If the entityID URI is a URL it SHOULD return the entity metadata. |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 94: | Riga 111: | ||
<code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | <code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | ||
− | *contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST | + | *contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST NOT contain either the words "IDEM" or "eduGAIN". |
*be available in both Italian and English languages. | *be available in both Italian and English languages. | ||
+ | |||
+ | It is RECOMMENDED that: | ||
+ | |||
+ | *the maximum limit of 256 characters is not exceed | ||
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 101: | Riga 122: | ||
<mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName> | <mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
+ | |||
====IDP-MD05 - Description==== | ====IDP-MD05 - Description==== | ||
<code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | <code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | ||
− | *contain a | + | *contain a brief description of the service; |
*be available in both Italian and English languages. | *be available in both Italian and English languages. | ||
+ | |||
+ | It is RECOMMENDED that: | ||
+ | |||
+ | *the maximum limit of 1024 characters is not exceed | ||
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 114: | Riga 140: | ||
<code><mdui:InformationURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | <code><mdui:InformationURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | ||
− | * | + | *contain the URL of the Information page of the service; |
*be available in both Italian and English languages. | *be available in both Italian and English languages. | ||
− | For the actual content of the page refer to [[ | + | For the actual content of the page refer to [[Technical Profile#IDP-FED02 - Web page for Information to the users|IDP-FED02]]. |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 126: | Riga 152: | ||
<code><mdui:PrivacyStatementURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | <code><mdui:PrivacyStatementURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: | ||
− | *contain the URL of the Privacy Policy of the service | + | *contain the URL of the Privacy Policy of the service; |
*be available in both Italian and English languages. | *be available in both Italian and English languages. | ||
− | For the actual content of the page refer to [[ | + | For the actual content of the page refer to [[Technical Profile#IDP-FED03 - Web page about the processing of personal data|IDP-FED03]]. |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 142: | Riga 168: | ||
It is RECOMMENDED that: | It is RECOMMENDED that: | ||
− | *the logo is in PNG format on transparent background | + | *the logo is in PNG format on transparent background; |
*to publish two logos: | *to publish two logos: | ||
− | **'''16x16 pixel''' (or bigger but respecing the same aspect-ratio) | + | **'''16x16 pixel''' (or bigger but respecing the same aspect-ratio) |
− | **'''80x60 pixel''' (or bigger but respecing the same aspect-ratio) | + | **'''80x60 pixel''' (or bigger but respecing the same aspect-ratio). |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 154: | Riga 180: | ||
====IDP-MD09 - KeyDescriptor==== | ====IDP-MD09 - KeyDescriptor==== | ||
The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements: | The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements: | ||
− | |||
− | |||
*with no further attributes or only the attribute <code>use="signing"</code>; | *with no further attributes or only the attribute <code>use="signing"</code>; | ||
+ | *contain an X.509 certificate in PEM format as reported into [[Technical Profile#IDP-FED05%20-%20Requirements%20for%20Certificates%20used%20in%20Metadata|IDP-FED05]]. | ||
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 171: | Riga 196: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
+ | |||
====IDP-MD10 - SingleSignOnService==== | ====IDP-MD10 - SingleSignOnService==== | ||
<code><md:SingleSignOnService></code> MUST: | <code><md:SingleSignOnService></code> MUST: | ||
− | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> ( | + | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> (required by <code>AuthnRequest</code>); |
− | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'</nowiki></code> ( | + | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'</nowiki></code> (required by <code>AuthnResponse</code>); |
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>). | *always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>). | ||
Riga 183: | Riga 209: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
+ | |||
====IDP-MD11 - SingleLogoutService==== | ====IDP-MD11 - SingleLogoutService==== | ||
<code><md:SingleLogoutService></code> MUST: | <code><md:SingleLogoutService></code> MUST: | ||
− | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> ( | + | *be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> (required by <code>LogoutRequest</code>); |
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>). | *always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>). | ||
Riga 193: | Riga 220: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
+ | |||
====IDP-MD12 - OrganizationName==== | ====IDP-MD12 - OrganizationName==== | ||
<code><md:OrganizationName></code> , defined in the element <code><md:Organization></code>, MUST: | <code><md:OrganizationName></code> , defined in the element <code><md:Organization></code>, MUST: | ||
− | *contain the name of the organisation to which the service belongs | + | *contain the name of the organisation to which the service belongs; |
− | *be available in both Italian and English languages. | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
+ | |||
+ | It is RECOMMENDED that: | ||
+ | |||
+ | *the maximum limit of 256 characters is not exceed | ||
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 206: | Riga 238: | ||
<code><md:OrganizationDisplayName></code> , defined in the element <code><md:Organization></code>, MUST: | <code><md:OrganizationDisplayName></code> , defined in the element <code><md:Organization></code>, MUST: | ||
− | *contain the name of the organisation that will be shown in the user inteface | + | *contain the name of the organisation that will be shown in the user inteface; |
− | *be available in both Italian and English languages. | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
+ | |||
+ | It is RECOMMENDED that: | ||
+ | |||
+ | *the maximum limit of 256 characters is not exceed | ||
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 216: | Riga 252: | ||
<code><md:OrganizationURL></code>, defined in the element <code><md:Organization></code>, MUST: | <code><md:OrganizationURL></code>, defined in the element <code><md:Organization></code>, MUST: | ||
− | *contain the URL of the main site of organisation to which the service belongs | + | *contain the URL of the main site of organisation to which the service belongs; |
− | *be available in both Italian and English languages. | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 226: | Riga 262: | ||
The metadata of the entity MUST define at least one <code><md:ContactPerson></code> element with the following requirements: | The metadata of the entity MUST define at least one <code><md:ContactPerson></code> element with the following requirements: | ||
− | * | + | *contain the e-mail address of the technical contact of the service in the <code>mailto:</code> format; |
− | *contain the attribute <code>contactType="technical"</code> | + | *contain the attribute <code>contactType="technical".</code> |
− | It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list). | + | It is RECOMMENDED to use an <u>impersonal</u> e-mail address (for example a mailing-list). |
''Example:''<syntaxhighlight lang="xml"> | ''Example:''<syntaxhighlight lang="xml"> | ||
Riga 235: | Riga 271: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
===Federation (IDP-FED)=== | ===Federation (IDP-FED)=== | ||
− | + | The requirements listed below are dictated by IDEM Federation and are intended for Identity Providers. | |
− | + | ====IDP-FED01 - Data to be released==== | |
− | The requirements listed below are dictated by | ||
− | ====IDP-FED01 - Data==== | ||
− | |||
− | |||
An Identity Provider in IDEM MUST be able to release the following information: | An Identity Provider in IDEM MUST be able to release the following information: | ||
− | # | + | #a unique, persistent identifier, different for each service and transmissible in one of the following forms: |
− | #*within the xml element <code><NameID></code> with property <code>Format="<nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki>"</code> if required by a Service Provider in its metadata | + | #*within the xml element <code><NameID></code> with property <code>Format="<nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki>"</code> if required by a Service Provider in its metadata; |
− | #*as an attribute named <code>eduPersonTargetedID</code> if required by a Service Provider in its metadata within the xml element | + | #*as an attribute named <code>eduPersonTargetedID</code> if required by a Service Provider in its metadata within the xml element <code><md:RequestedAttribute></code> . |
− | #the attribute <code>eduPersonScopedAffiliation</code>, which is the affiliation of the user followed by the idp | + | #the attribute <code>eduPersonScopedAffiliation</code>, which is the affiliation of the user followed by the idp <code>scope</code>. |
''Example of idp data released to the Service Provider [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml"> | ''Example of idp data released to the Service Provider [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml"> | ||
Riga 252: | Riga 284: | ||
persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU= | persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU= | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
− | ====IDP-FED02 - | + | ====IDP-FED02 - Web page for Information to the users==== |
− | |||
− | |||
Every Identity Provider MUST publish a web page in Italian and English language containing: | Every Identity Provider MUST publish a web page in Italian and English language containing: | ||
− | # | + | #a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc) |
− | # | + | #a pointer to the page about the processing of personal data as indicated by <code><mdui:PrivacyStatementURL></code> ([[Technical Profile#IDP-MD07 - PrivacyStatementURL|IDP-MD07]]) |
− | # | ||
− | + | A Web page for Information to the users MAY include the IDEM Logo and a link to the IDEM Web site: | |
− | * | + | *IDEM Web site: https://www.idem.garr.it |
− | * | + | *IDEM Logo: https://idem.garr.it/en/tutti-i-documenti/idem-archivio/banner-e-loghi |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | ====IDP-FED03 - | + | ====IDP-FED03 - Web page about the processing of personal data==== |
− | |||
− | |||
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679. | A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679. | ||
− | + | As a useful example of document about the processing of personal data, IDEM GARR AAI team has provided a template available in:[[InformativaDatiPersonaliIdP|InformativaDatiPersonaliIdP.]] | |
− | + | [[#top|[TOP]]] | |
− | + | ====IDP-FED04 - Login page==== | |
− | + | Every Identity Provider in IDEM MUST deploy a Login page for users containing: | |
− | * | + | *a pointer to the url included in the IdP metadata tag <code><mdui:InformationURL></code> and whose content abeys the requirement stated in ([[Technical Profile#IDP-MD06 - InformationURL|IDP-MD06]]) |
− | |||
− | |||
− | [[# | ||
− | |||
− | |||
− | + | It is RECOMMENDED for a Login Web page to contain: | |
− | * | + | *a pointer to the url included in the IdP metadata tag <code><mdui:PrivacyStatementURL></code> and whose content abeys the requirement stated in ([[Technical Profile#IDP-MD07 - PrivacyStatementURL|IDP-MD07]]) |
− | |||
− | |||
− | |||
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | ====IDP-FED05 - | + | ====IDP-FED05 - Requirements for Certificates used in Metadata==== |
− | |||
− | |||
Certificates included in Metadata of the entity MUST obey the following properties: | Certificates included in Metadata of the entity MUST obey the following properties: | ||
− | * | + | *long-term validity (expiration in 30 years); |
− | * | + | *self-signed; |
− | * | + | *be valid, not yet expired; |
− | * | + | *exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1 |
− | * | + | *use a private key of at least 3072 bit |
− | |||
− | |||
− | Private Key MUST NOT be less than 2048 bit. | + | In any case, Private Key MUST NOT be less than 2048 bit. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | === | + | ===Example of Identity Provider Metadata=== |
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth"> | <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth"> | ||
Riga 361: | Riga 376: | ||
==Service Provider== | ==Service Provider== | ||
===Metadata (SP-MD)=== | ===Metadata (SP-MD)=== | ||
− | + | The following requirements are related to the metadata of an Service Provider (SP). | |
====SP-MD01 - validUntil==== | ====SP-MD01 - validUntil==== | ||
− | <code>validUntil</code> , | + | <code>validUntil</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be removed along with it's value as it will be replaced by the IDEM Federation. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
====SP-MD02 - entityID==== | ====SP-MD02 - entityID==== | ||
− | <code>entityID</code> , | + | <code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum length of 256 characters. |
− | + | If the entityID URI is a URL it SHOULD return the entity metadata. | |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
entityID="https://sp.example.org/shibboleth" | entityID="https://sp.example.org/shibboleth" | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
− | ====SP-MD03 - DisplayName==== | + | ====SP-MD03 - DisplayName & ServiceName==== |
− | <code><mdui:DisplayName></code> , | + | <code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, and <code><md:ServiceName></code>, defined in the element <code><md:AttributeConsumingService></code> MUST: |
− | * | + | *contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST NOT contain either the reserved words "IDEM" or "eduGAIN"; |
− | * | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
− | '' | + | It is RECOMMENDED that: |
+ | |||
+ | *the maximum limit of 256 characters is not exceed | ||
+ | |||
+ | ''Example:''<syntaxhighlight lang="xml"> | ||
<mdui:DisplayName xml:lang="en">Resource provided by Example Organization</mdui:DisplayName> | <mdui:DisplayName xml:lang="en">Resource provided by Example Organization</mdui:DisplayName> | ||
<mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName> | <mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
− | ====SP-MD04 - Description==== | + | ====SP-MD04 - Description & ServiceDescription==== |
− | <code><mdui:Description></code> , | + | <code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, and <code><md:ServiceDescription></code>, defined in the element <code><md:AttributeConsumingService></code> MUST: |
− | * | + | *contain a bried description of the service; |
− | * | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
− | '' | + | It is RECOMMENDED that: |
+ | |||
+ | *the maximum limit of 1024 characters is not exceed | ||
+ | |||
+ | ''Example:''<syntaxhighlight lang="xml"> | ||
<mdui:Description xml:lang="en">The resource allow you to ...</mdui:Description> | <mdui:Description xml:lang="en">The resource allow you to ...</mdui:Description> | ||
<mdui:Description xml:lang="it">La risorsa ti permette di ...</mdui:Description> | <mdui:Description xml:lang="it">La risorsa ti permette di ...</mdui:Description> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD05 - InformationURL==== | ====SP-MD05 - InformationURL==== | ||
− | <code><mdui:InformationURL></code> , | + | <code><mdui:InformationURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: |
− | * | + | *contain the URL of the Information page of the service; |
− | * | + | |
+ | *be available in both Italian and English languages. | ||
− | + | For the actual content of the page refer to [[Technical Profile#SP-FED02 - Informazioni|SP-FED02]]. | |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL> | <mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL> | ||
<mdui:InformationURL xml:lang="it">https://...informativa in italiano...</mdui:InformationURL> | <mdui:InformationURL xml:lang="it">https://...informativa in italiano...</mdui:InformationURL> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD06 - PrivacyStatementURL==== | ====SP-MD06 - PrivacyStatementURL==== | ||
− | <code><mdui:PrivacyStatementURL></code>, | + | <code><mdui:PrivacyStatementURL></code>, defined in the element <code><mdui:UIInfo></code>, MUST: |
− | * | + | *contain the URL of the Privacy Policy of the service; |
− | * | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
− | + | For the actual content of the page refer to [[Technical Profile#SP-FED03 - Trattamento dati|SP-FED03]]. | |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL> | <mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL> | ||
<mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL> | <mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD07 - Logo==== | ====SP-MD07 - Logo==== | ||
− | <code><mdui:Logo></code> , | + | <code><mdui:Logo></code>, defined in the element <code><mdui:UIInfo></code>, MUST: |
− | * | + | *contain at least a URL protected by SSL (<code>https://</code>) pointing to the logo of the organisation. |
− | + | It is RECOMMENDED that: | |
− | * | + | *the logo is in '''PNG''' format (on transparent background). |
− | * | + | *to publish two logos: |
− | **'' | + | **'''16x16 pixel''' (or bigger but respecing the same aspect-ratio) |
− | **'' | + | **'''80x60 pixel''' (or bigger but respecing the same aspect-ratio) |
''Esempio:''<syntaxhighlight lang="xml"> | ''Esempio:''<syntaxhighlight lang="xml"> | ||
Riga 435: | Riga 459: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD08 - KeyDescriptor==== | ====SP-MD08 - KeyDescriptor==== | ||
− | + | The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements: | |
− | * | + | *with no further attributes or only the attribute <code>use="encryption"</code> |
− | * | + | *contain an X.509 certificate in PEM format as reported into [[Technical Profile#SP-FED05%20-%20Requirements%20for%20Certificates%20used%20in%20Metadata|SP-FED05;]] |
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
<md:KeyDescriptor use="encryption"> | <md:KeyDescriptor use="encryption"> | ||
Riga 449: | Riga 473: | ||
</ds:KeyInfo> | </ds:KeyInfo> | ||
</md:KeyDescriptor> | </md:KeyDescriptor> | ||
− | </syntaxhighlight> | + | </syntaxhighlight>If "Single Logout" is supported by the Service Provider a further <code><md:KeyDescriptor></code> element with attribute <code>use="signing"</code> MUST be present. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
====SP-MD09 - RequestedAttribute==== | ====SP-MD09 - RequestedAttribute==== | ||
− | <code><md:RequestedAttribute></code> , | + | <code><md:RequestedAttribute></code> , defined in the element <code><md:AttributeConsumingService></code>, MUST: |
− | * | + | *contain the set of SAML attributes required by the resource to work properly |
− | * | + | *define attributes that are required to get access to the resourse with the property <code>isRequired="true"</code> |
− | * | + | *define attributes that are desired when accessing the resourse with the property <code>isRequired="false"</code> |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> | <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> | ||
<md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> | <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> | ||
Riga 465: | Riga 489: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD10 - OrganizationName==== | ====SP-MD10 - OrganizationName==== | ||
− | <code><md:OrganizationName></code> , | + | <code><md:OrganizationName></code> , defined in the element <code><md:Organization></code>, MUST: |
+ | |||
+ | *contain the name of the organisation to which the service belongs; | ||
+ | *be available in both <u>Italian</u> and <u>English</u> languages. | ||
+ | |||
+ | It is RECOMMENDED that: | ||
− | * | + | *the maximum limit of 256 characters is not exceed |
− | |||
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<md:OrganizationName xml:lang="en">Example Organization</md:OrganizationName> | <md:OrganizationName xml:lang="en">Example Organization</md:OrganizationName> | ||
<md:OrganizationName xml:lang="it">Organizzazione di Esempio</md:OrganizationName> | <md:OrganizationName xml:lang="it">Organizzazione di Esempio</md:OrganizationName> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD11 - OrganizationDisplayName==== | ====SP-MD11 - OrganizationDisplayName==== | ||
− | <code><md:OrganizationDisplayName></code> , | + | <code><md:OrganizationDisplayName></code> , defined in the element <code><md:Organization></code>, MUST: |
+ | |||
+ | *contain the name of the organisation that will be shown in the user inteface; | ||
+ | *be available in both <u>Italian</u> and <u>English</u> languages. | ||
+ | |||
+ | It is RECOMMENDED that: | ||
− | * | + | *the maximum limit of 256 characters is not exceed |
− | |||
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<md:OrganizationDisplayName xml:lang="en">Resource provided by Example University</md:OrganizationDisplayName> | <md:OrganizationDisplayName xml:lang="en">Resource provided by Example University</md:OrganizationDisplayName> | ||
<md:OrganizationDisplayName xml:lang="it">Risorsa erogata da Università di Esempio</md:OrganizationDisplayName> | <md:OrganizationDisplayName xml:lang="it">Risorsa erogata da Università di Esempio</md:OrganizationDisplayName> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD12 - OrganizationURL==== | ====SP-MD12 - OrganizationURL==== | ||
− | <code><md:OrganizationURL></code>, | + | <code><md:OrganizationURL></code>, defined in the element <code><md:Organization></code>, MUST: |
− | * | + | *contain the URL of the main site of the Organisation to which the service belongs; |
− | * | + | *be available in both <u>Italian</u> and <u>English</u> languages. |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL> | <md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL> | ||
<md:OrganizationURL xml:lang="it">https://...sito istituzionalein italiano...</md:OrganizationURL> | <md:OrganizationURL xml:lang="it">https://...sito istituzionalein italiano...</md:OrganizationURL> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
====SP-MD13 - ContactPerson==== | ====SP-MD13 - ContactPerson==== | ||
− | + | The metadata of the entity MUST define <u>at least</u> one <code><md:ContactPerson></code> element with the following requirements: | |
− | * | + | *contain the e-mail address of the technical contact of the service in the <code>mailto:</code> format; |
− | * | + | *contain the attribute <code>contactType="technical".</code> |
− | + | It is RECOMMENDED to use an <u>impersonal</u> e-mail address (for example a mailing-list). | |
− | '' | + | ''Example:''<syntaxhighlight lang="xml"> |
<ContactPerson contactType="technical">mailto:mailing-list@domain</md:ContactPerson> | <ContactPerson contactType="technical">mailto:mailing-list@domain</md:ContactPerson> | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
===Federation (SP-FED)=== | ===Federation (SP-FED)=== | ||
− | + | The requirements listed below are dictated by IDEM Federation and are intended for Service Providers. | |
− | ====SP-FED01 - Data==== | + | ====SP-FED01 - Data received from IdPs==== |
− | + | in IDEM every Service Provider receives ''by default'' the following data by every Identity Provider: | |
− | # | + | #A unique persistent targeted id of the user: |
− | #*<code>persistent-id</code> '''(persistent NameID)''' ( | + | #*<code>persistent-id</code> '''(persistent NameID)''' (or the attribute ''eduPersonTargetedID'' if the Idp cannot release a NameID) |
− | # | + | #The scoped affiliation of the user: |
− | #*<code>affiliation</code> '''(eduPersonScopedAffiliation)''' | + | #*<code>affiliation</code> '''(eduPersonScopedAffiliation)''' (take a look to [[Attributo Affiliazione]]) |
− | '' | + | ''Example of idp data released to [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml"> |
affiliation = member@aai-test.garr.it;staff@aai-test.garr.it | affiliation = member@aai-test.garr.it;staff@aai-test.garr.it | ||
persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU= | persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU= | ||
− | </syntaxhighlight><u> | + | </syntaxhighlight><u>Any further attribute required to access</u> a Service Provider has to be properly motivated by sending an e-mail to <code>idem-help@garr.it</code>. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | ====SP-FED02 - | + | ====SP-FED02 - Web page for Information to the users==== |
− | + | Every Service Provider MUST publish a web page in Italian and English language containing: | |
− | # | + | #the description of the service |
− | # | + | #the intended audience |
− | # | + | #the Name of the Organization providing the service |
− | # | + | #a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc) |
− | # | + | #a reference/pointer to the page about the processing of personal data as indicated by <code><mdui:PrivacyStatementURL></code> ([[Technical Profile#SP-MD06 - PrivacyStatementURL|SP-MD06]]), if possible, referenced with the same URL. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | ====SP-FED03 - | + | ====SP-FED03 - Web page about the processing of personal data==== |
− | + | A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679. | |
− | + | It is strongly suggested to use REFEDS guidelines for Service Provider: | |
https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers | https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers | ||
Riga 541: | Riga 573: | ||
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
====SP-FED04 - Login Page / Discovery Service==== | ====SP-FED04 - Login Page / Discovery Service==== | ||
− | + | The access page to a federated resource in IDEM MUST contain: | |
− | * | + | *the list of eligible IdP coming from IDEM Federation and eduGAIN; |
− | * | + | *a reference/pointer to the page about the Information to the users ([[Technical Profile#SP-MD05 - InformationURL|SP-MD05]]) |
− | + | <!-- It is strongly suggested to follow ''REFEDS Best Practices'' when implementing federated access to a resource'':'' https://discovery.refeds.org/ --> | |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | ====SP-FED05 - | + | ====SP-FED05 - Requirements for Certificates used in Metadata==== |
− | + | Certificates included in Metadata of the entity MUST obey the following requirements: | |
− | * | + | *long-term validity (expiration in 30 years); |
− | * | + | *self-signed; |
− | * | + | *be valid, not yet expired; |
− | * | + | *exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1 |
− | * | + | *use a private key of at least 3072 bit |
− | In | + | In any case, Private Key MUST NOT be less than 2048 bit. |
[[#top|[TOP]]] | [[#top|[TOP]]] | ||
− | === | + | ===Example of Service Provider Metadata=== |
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
<md:EntityDescriptor entityID="https://sp.example.com/shibboleth" | <md:EntityDescriptor entityID="https://sp.example.com/shibboleth" | ||
Riga 636: | Riga 668: | ||
</syntaxhighlight>[[#top|[TOP]]] | </syntaxhighlight>[[#top|[TOP]]] | ||
− | === | + | ===References:=== |
[RFC 2119] Key words for use in RFCs to Indicate Requirement Levels | [RFC 2119] Key words for use in RFCs to Indicate Requirement Levels | ||
Versione attuale delle 10:54, 12 giu 2024
Version 1.1.0
19 January 2024
Revisions
Versione | Data | Descrizione | Autore |
---|---|---|---|
1.0.4 | 21-10-2021 | Translated from the Italian version | Marco Malavolti
Barbara Monticini Davide Vaghetti Mario Di Lorenzo |
1.0.5 | 16-02-2022 | IDP-FED03 - Removed Privacy Policy examples | Davide Vaghetti |
1.0.6 | 06-09-2022 | Added links to IDP-FED05 e SP-FED05 into IDP-MD09 & SP-MD08 | Marco Malavolti |
1.1.0 | 19-01-2024 | SEC03 - Ban on using references to SAML v1.x deprecated protocol added
IDP-MD04, IDP-MD12, IDP-MD13, SP-MD03, SP-MD10, SP-MD11 - Added recommendation on maximum 256 character limit IDP-MD05, SP-MD04 - Added recommendation on the maximum limit of 1024 characters IDP-FED02 - Removed the sample references IDP-MD08 - Removed the sample references IDP-MD15, SP-MD13 - Added the prefix specification "mailto:" SP-FED01 - Reference to eduPersonScopedAffiliation specific documentation added SP-FED02 - Added reference to the service provider’s Privacy Policy SP-MD03, SP-MD04 - Added ServiceName and ServiceDescription checked elements |
Marco Malavolti
Barbara Monticini Davide Vaghetti Mario Di Lorenzo |
Indice
- 1 Revisions
- 2 Technical Profile for the entities of the IDEM Federation
- 2.1 Definitions
- 2.2 Security (SEC) - Identity Provider & Service Provider
- 2.3 Identity Provider
- 2.3.1 Metadata (IDP-MD)
- 2.3.1.1 IDP-MD01 - validUntil
- 2.3.1.2 IDP-MD02 - entityID
- 2.3.1.3 IDP-MD03 - Scope
- 2.3.1.4 IDP-MD04 - DisplayName
- 2.3.1.5 IDP-MD05 - Description
- 2.3.1.6 IDP-MD06 - InformationURL
- 2.3.1.7 IDP-MD07 - PrivacyStatementURL
- 2.3.1.8 IDP-MD08 - Logo
- 2.3.1.9 IDP-MD09 - KeyDescriptor
- 2.3.1.10 IDP-MD10 - SingleSignOnService
- 2.3.1.11 IDP-MD11 - SingleLogoutService
- 2.3.1.12 IDP-MD12 - OrganizationName
- 2.3.1.13 IDP-MD13 - OrganizationDisplayName
- 2.3.1.14 IDP-MD14 - OrganizationURL
- 2.3.1.15 IDP-MD15 - ContactPerson
- 2.3.2 Federation (IDP-FED)
- 2.3.3 Example of Identity Provider Metadata
- 2.3.1 Metadata (IDP-MD)
- 2.4 Service Provider
- 2.4.1 Metadata (SP-MD)
- 2.4.1.1 SP-MD01 - validUntil
- 2.4.1.2 SP-MD02 - entityID
- 2.4.1.3 SP-MD03 - DisplayName & ServiceName
- 2.4.1.4 SP-MD04 - Description & ServiceDescription
- 2.4.1.5 SP-MD05 - InformationURL
- 2.4.1.6 SP-MD06 - PrivacyStatementURL
- 2.4.1.7 SP-MD07 - Logo
- 2.4.1.8 SP-MD08 - KeyDescriptor
- 2.4.1.9 SP-MD09 - RequestedAttribute
- 2.4.1.10 SP-MD10 - OrganizationName
- 2.4.1.11 SP-MD11 - OrganizationDisplayName
- 2.4.1.12 SP-MD12 - OrganizationURL
- 2.4.1.13 SP-MD13 - ContactPerson
- 2.4.2 Federation (SP-FED)
- 2.4.3 Example of Service Provider Metadata
- 2.4.4 References:
- 2.4.1 Metadata (SP-MD)
Technical Profile for the entities of the IDEM Federation
The Technical Profile defines all the requirements for an entity to be registered in the Italian Identity Federation IDEM GARR AAI.
Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC2119].
Security (SEC) - Identity Provider & Service Provider
The following requirements are related to the SSL certificate used for the HTTPS interface of the service. They are not to be applied to the certificates used by Identity Providers and Service Providers to sign and encrypt the assertions.
SEC01 - SSL robustness level
The SSL certificate used on the HTTPS port of the service MUST report at least a B grade on SSL Labs: https://www.ssllabs.com/ssltest/
SEC02 - Chain issue
The SSL certificate used on the HTTPS port of the service SHOULD be free of "Chain issues" --- check with SSL Labs: https://www.ssllabs.com/ssltest/
SEC03 - No SAML v1
The entity metadata MUST contain ONLY SAML 2.x protocol references.
Identity Provider
Metadata (IDP-MD)
The following requirements are related to the metadata of an Identity Provider (IDP),
IDP-MD01 - validUntil
validUntil
, attribute defined in the element <md:EntityDescriptor>
, MUST be removed along with its value as it will be replaced by the IDEM Federation.
IDP-MD02 - entityID
entityID
, attribute defined in the element <md:EntityDescriptor>
, MUST be a URI with a maximum length of 256 characters.
If the entityID URI is a URL it SHOULD return the entity metadata.
Example:
entityID="https://idp.example.org/idp/shibboleth"
IDP-MD03 - Scope
<shibmd:Scope>
, defined in the element <md:Extension>
, MUST contain domain value controlled by the Organisation (verifications will be performed with WHOIS).
Example:
<shibmd:Scope>example.org</shibmd:Scope>
IDP-MD04 - DisplayName
<mdui:DisplayName>
, defined in the element <mdui:UIInfo>
, MUST:
- contain the name of the service that will be displayed to the users. WARNING: the name MUST NOT contain either the words "IDEM" or "eduGAIN".
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName>
IDP-MD05 - Description
<mdui:Description>
, defined in the element <mdui:UIInfo>
, MUST:
- contain a brief description of the service;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 1024 characters is not exceed
Example:
<mdui:Description xml:lang="en">Identity provider for Example University user</mdui:Description>
<mdui:Description xml:lang="it">Identity provider per gli utenti di Università di Esempio</mdui:Description>
IDP-MD06 - InformationURL
<mdui:InformationURL>
, defined in the element <mdui:UIInfo>
, MUST:
- contain the URL of the Information page of the service;
- be available in both Italian and English languages.
For the actual content of the page refer to IDP-FED02.
Example:
<mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL>
<mdui:InformationURL xml:lang="it">https://...pagina di informazioni in italiano...</mdui:InformationURL>
IDP-MD07 - PrivacyStatementURL
<mdui:PrivacyStatementURL>
, defined in the element <mdui:UIInfo>
, MUST:
- contain the URL of the Privacy Policy of the service;
- be available in both Italian and English languages.
For the actual content of the page refer to IDP-FED03.
Example:
<mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL>
<mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL>
IDP-MD08 - Logo
<mdui:Logo>
, defined in the element <mdui:UIInfo>
, MUST:
- contain at least a URL protected by SSL (
https://
) pointing to the logo of the organisation.
It is RECOMMENDED that:
- the logo is in PNG format on transparent background;
- to publish two logos:
- 16x16 pixel (or bigger but respecing the same aspect-ratio)
- 80x60 pixel (or bigger but respecing the same aspect-ratio).
Example:
<mdui:Logo width="16" height="16">https://...favicon_16x16.png...</mdui:Logo>
<mdui:Logo width="80" height="60">https://...logo_80x60.png...</mdui:Logo>
IDP-MD09 - KeyDescriptor
The metadata of the entity MUST define at least one <md:KeyDescriptor>
element with the following requirements:
- with no further attributes or only the attribute
use="signing"
; - contain an X.509 certificate in PEM format as reported into IDP-FED05.
Example:
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MII[..]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
IDP-MD10 - SingleSignOnService
<md:SingleSignOnService>
MUST:
- be defined with the attribute
Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
(required byAuthnRequest
); - be defined with the attribute
Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
(required byAuthnResponse
); - always contain a
Location
attribute valued with a URL protected by SSL (https://
).
Example:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://..."/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://..."/>
IDP-MD11 - SingleLogoutService
<md:SingleLogoutService>
MUST:
- be defined with the attribute
Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
(required byLogoutRequest
); - always contain a
Location
attribute valued with a URL protected by SSL (https://
).
Example:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://..."/>
IDP-MD12 - OrganizationName
<md:OrganizationName>
, defined in the element <md:Organization>
, MUST:
- contain the name of the organisation to which the service belongs;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<md:OrganizationName xml:lang="en">Example University</md:OrganizationName>
<md:OrganizationName xml:lang="it">Università di Esempio</md:OrganizationName>
IDP-MD13 - OrganizationDisplayName
<md:OrganizationDisplayName>
, defined in the element <md:Organization>
, MUST:
- contain the name of the organisation that will be shown in the user inteface;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="it">Università di Esempio</md:OrganizationDisplayName>
IDP-MD14 - OrganizationURL
<md:OrganizationURL>
, defined in the element <md:Organization>
, MUST:
- contain the URL of the main site of organisation to which the service belongs;
- be available in both Italian and English languages.
Example:
<md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL>
<md:OrganizationURL xml:lang="it">https://...sito istituzionale in italiano...</md:OrganizationURL>
IDP-MD15 - ContactPerson
The metadata of the entity MUST define at least one <md:ContactPerson>
element with the following requirements:
- contain the e-mail address of the technical contact of the service in the
mailto:
format; - contain the attribute
contactType="technical".
It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).
Example:
<ContactPerson contactType="technical">mailto:mailing-list@domain</md:ContactPerson>
Federation (IDP-FED)
The requirements listed below are dictated by IDEM Federation and are intended for Identity Providers.
IDP-FED01 - Data to be released
An Identity Provider in IDEM MUST be able to release the following information:
- a unique, persistent identifier, different for each service and transmissible in one of the following forms:
- within the xml element
<NameID>
with propertyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
if required by a Service Provider in its metadata; - as an attribute named
eduPersonTargetedID
if required by a Service Provider in its metadata within the xml element<md:RequestedAttribute>
.
- within the xml element
- the attribute
eduPersonScopedAffiliation
, which is the affiliation of the user followed by the idpscope
.
Example of idp data released to the Service Provider sp.aai-test.garr.it:
affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
IDP-FED02 - Web page for Information to the users
Every Identity Provider MUST publish a web page in Italian and English language containing:
- a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
- a pointer to the page about the processing of personal data as indicated by
<mdui:PrivacyStatementURL>
(IDP-MD07)
A Web page for Information to the users MAY include the IDEM Logo and a link to the IDEM Web site:
- IDEM Web site: https://www.idem.garr.it
- IDEM Logo: https://idem.garr.it/en/tutti-i-documenti/idem-archivio/banner-e-loghi
IDP-FED03 - Web page about the processing of personal data
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679.
As a useful example of document about the processing of personal data, IDEM GARR AAI team has provided a template available in:InformativaDatiPersonaliIdP.
IDP-FED04 - Login page
Every Identity Provider in IDEM MUST deploy a Login page for users containing:
- a pointer to the url included in the IdP metadata tag
<mdui:InformationURL>
and whose content abeys the requirement stated in (IDP-MD06)
It is RECOMMENDED for a Login Web page to contain:
- a pointer to the url included in the IdP metadata tag
<mdui:PrivacyStatementURL>
and whose content abeys the requirement stated in (IDP-MD07)
IDP-FED05 - Requirements for Certificates used in Metadata
Certificates included in Metadata of the entity MUST obey the following properties:
- long-term validity (expiration in 30 years);
- self-signed;
- be valid, not yet expired;
- exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1
- use a private key of at least 3072 bit
In any case, Private Key MUST NOT be less than 2048 bit.
Example of Identity Provider Metadata
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<shibmd:Scope regexp="false">example.org</shibmd:Scope>
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">ENG IDP DISPLAYNAME</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">ITA IDP DISPLAYNAME</mdui:DisplayName>
<mdui:Description xml:lang="en">ENG IDP DESCRIPTION</mdui:Description>
<mdui:Description xml:lang="it">ITA IDP DESCRIPTION</mdui:Description>
<mdui:InformationURL xml:lang="en">HTTPS URL ENG INFO PAGE</mdui:InformationURL>
<mdui:InformationURL xml:lang="it">HTTPS URL ITA INFO PAGE</mdui:InformationURL>
<mdui:PrivacyStatementURL xml:lang="en">URL ENG PRIVACY POLICY PAGE</mdui:PrivacyStatementURL>
<mdui:PrivacyStatementURL xml:lang="it">URL ITA PRIVACY POLICY PAGE</mdui:PrivacyStatementURL>
<mdui:Logo width="80" height="60">HTTPS URL LOGO</mdui:Logo>
<mdui:Logo width="16" height="16">HTTPS URL FAVICON</mdui:Logo>
</mdui:UIInfo>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MII...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
</md:IDPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="it">ITA IDP ORGANIZATION NAME</md:OrganizationName>
<md:OrganizationName xml:lang="en">ENG IDP ORGANIZATION NAME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="it">ITA IDP DISPLAYNAME ORGANIZATION</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="en">ENG IDP DISPLAYNAME ORGANIZATION</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">https://example.org/it</md:OrganizationURL>
<md:OrganizationURL xml:lang="en">https://example.org/en</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>EXAMPLE CONTACT NAME</md:GivenName>
<md:SurName>EXAMPLE CONTACT SURNAME</md:SurName>
<md:EmailAddress>mailto:technical.contact@example.org</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
Service Provider
Metadata (SP-MD)
The following requirements are related to the metadata of an Service Provider (SP).
SP-MD01 - validUntil
validUntil
, attribute defined in the element <md:EntityDescriptor>
, MUST be removed along with it's value as it will be replaced by the IDEM Federation.
SP-MD02 - entityID
entityID
, attribute defined in the element <md:EntityDescriptor>
, MUST be a URI with a maximum length of 256 characters.
If the entityID URI is a URL it SHOULD return the entity metadata.
Example:
entityID="https://sp.example.org/shibboleth"
SP-MD03 - DisplayName & ServiceName
<mdui:DisplayName>
, defined in the element <mdui:UIInfo>
, and <md:ServiceName>
, defined in the element <md:AttributeConsumingService>
MUST:
- contain the name of the service that will be displayed to the users. WARNING: the name MUST NOT contain either the reserved words "IDEM" or "eduGAIN";
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<mdui:DisplayName xml:lang="en">Resource provided by Example Organization</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName>
SP-MD04 - Description & ServiceDescription
<mdui:Description>
, defined in the element <mdui:UIInfo>
, and <md:ServiceDescription>
, defined in the element <md:AttributeConsumingService>
MUST:
- contain a bried description of the service;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 1024 characters is not exceed
Example:
<mdui:Description xml:lang="en">The resource allow you to ...</mdui:Description>
<mdui:Description xml:lang="it">La risorsa ti permette di ...</mdui:Description>
SP-MD05 - InformationURL
<mdui:InformationURL>
, defined in the element <mdui:UIInfo>
, MUST:
- contain the URL of the Information page of the service;
- be available in both Italian and English languages.
For the actual content of the page refer to SP-FED02.
Example:
<mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL>
<mdui:InformationURL xml:lang="it">https://...informativa in italiano...</mdui:InformationURL>
SP-MD06 - PrivacyStatementURL
<mdui:PrivacyStatementURL>
, defined in the element <mdui:UIInfo>
, MUST:
- contain the URL of the Privacy Policy of the service;
- be available in both Italian and English languages.
For the actual content of the page refer to SP-FED03.
Example:
<mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL>
<mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL>
SP-MD07 - Logo
<mdui:Logo>
, defined in the element <mdui:UIInfo>
, MUST:
- contain at least a URL protected by SSL (
https://
) pointing to the logo of the organisation.
It is RECOMMENDED that:
- the logo is in PNG format (on transparent background).
- to publish two logos:
- 16x16 pixel (or bigger but respecing the same aspect-ratio)
- 80x60 pixel (or bigger but respecing the same aspect-ratio)
Esempio:
<mdui:Logo width="64" height="64">https://...logo.png</mdui:Logo>
SP-MD08 - KeyDescriptor
The metadata of the entity MUST define at least one <md:KeyDescriptor>
element with the following requirements:
- with no further attributes or only the attribute
use="encryption"
- contain an X.509 certificate in PEM format as reported into SP-FED05;
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MII[..]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
If "Single Logout" is supported by the Service Provider a further <md:KeyDescriptor>
element with attribute use="signing"
MUST be present.
SP-MD09 - RequestedAttribute
<md:RequestedAttribute>
, defined in the element <md:AttributeConsumingService>
, MUST:
- contain the set of SAML attributes required by the resource to work properly
- define attributes that are required to get access to the resourse with the property
isRequired="true"
- define attributes that are desired when accessing the resourse with the property
isRequired="false"
Example:
<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
SP-MD10 - OrganizationName
<md:OrganizationName>
, defined in the element <md:Organization>
, MUST:
- contain the name of the organisation to which the service belongs;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<md:OrganizationName xml:lang="en">Example Organization</md:OrganizationName>
<md:OrganizationName xml:lang="it">Organizzazione di Esempio</md:OrganizationName>
SP-MD11 - OrganizationDisplayName
<md:OrganizationDisplayName>
, defined in the element <md:Organization>
, MUST:
- contain the name of the organisation that will be shown in the user inteface;
- be available in both Italian and English languages.
It is RECOMMENDED that:
- the maximum limit of 256 characters is not exceed
Example:
<md:OrganizationDisplayName xml:lang="en">Resource provided by Example University</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="it">Risorsa erogata da Università di Esempio</md:OrganizationDisplayName>
SP-MD12 - OrganizationURL
<md:OrganizationURL>
, defined in the element <md:Organization>
, MUST:
- contain the URL of the main site of the Organisation to which the service belongs;
- be available in both Italian and English languages.
Example:
<md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL>
<md:OrganizationURL xml:lang="it">https://...sito istituzionalein italiano...</md:OrganizationURL>
SP-MD13 - ContactPerson
The metadata of the entity MUST define at least one <md:ContactPerson>
element with the following requirements:
- contain the e-mail address of the technical contact of the service in the
mailto:
format; - contain the attribute
contactType="technical".
It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).
Example:
<ContactPerson contactType="technical">mailto:mailing-list@domain</md:ContactPerson>
Federation (SP-FED)
The requirements listed below are dictated by IDEM Federation and are intended for Service Providers.
SP-FED01 - Data received from IdPs
in IDEM every Service Provider receives by default the following data by every Identity Provider:
- A unique persistent targeted id of the user:
persistent-id
(persistent NameID) (or the attribute eduPersonTargetedID if the Idp cannot release a NameID)
- The scoped affiliation of the user:
affiliation
(eduPersonScopedAffiliation) (take a look to Attributo Affiliazione)
Example of idp data released to sp.aai-test.garr.it:
affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
Any further attribute required to access a Service Provider has to be properly motivated by sending an e-mail to idem-help@garr.it
.
SP-FED02 - Web page for Information to the users
Every Service Provider MUST publish a web page in Italian and English language containing:
- the description of the service
- the intended audience
- the Name of the Organization providing the service
- a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
- a reference/pointer to the page about the processing of personal data as indicated by
<mdui:PrivacyStatementURL>
(SP-MD06), if possible, referenced with the same URL.
SP-FED03 - Web page about the processing of personal data
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679.
It is strongly suggested to use REFEDS guidelines for Service Provider:
https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers
SP-FED04 - Login Page / Discovery Service
The access page to a federated resource in IDEM MUST contain:
- the list of eligible IdP coming from IDEM Federation and eduGAIN;
- a reference/pointer to the page about the Information to the users (SP-MD05)
SP-FED05 - Requirements for Certificates used in Metadata
Certificates included in Metadata of the entity MUST obey the following requirements:
- long-term validity (expiration in 30 years);
- self-signed;
- be valid, not yet expired;
- exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1
- use a private key of at least 3072 bit
In any case, Private Key MUST NOT be less than 2048 bit.
Example of Service Provider Metadata
<md:EntityDescriptor entityID="https://sp.example.com/shibboleth"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<init:RequestInitiator
xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
Location="https://sp.example.com/Shibboleth.sso/Login" />
<idpdisc:DiscoveryResponse
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://sp.example.com/Shibboleth.sso/DS" index="1" />
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">ENG DISPLAY NAME</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">ITA DISPLAY NAME</mdui:DisplayName>
<mdui:Description xml:lang="en">ENG DESCRIPTION</mdui:Description>
<mdui:Description xml:lang="it">ITA DESCRIPTION</mdui:Description>
<mdui:InformationURL xml:lang="en">HTTPS ENG INFORMATION PAGE URL</mdui:InformationURL>
<mdui:InformationURL xml:lang="it">HTTPS ITA INFORMATION PAGE URL</mdui:InformationURL>
<mdui:Logo height="64" width="64">HTTPS RESOURCE LOGO PNG</mdui:Logo>
<mdui:PrivacyStatementURL xml:lang="en">HTTPS ENG PRIVACY POLICY PAGE URL</mdui:PrivacyStatementURL>
<mdui:PrivacyStatementURL xml:lang="it">HTTPS ITA PRIVACY POLICY PAGE URL</mdui:PrivacyStatementURL>
</mdui:UIInfo>
</md:Extensions>
<md:KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MII...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://sp.example.com/Shibboleth.sso/SLO/Redirect" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.com/Shibboleth.sso/SLO/POST" />
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.com/Shibboleth.sso/SAML2/POST"
index="1" />
<md:AttributeConsumingService index="1">
<!-- example for the required attribute: mail -->
<md:RequestedAttribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true" />
<!-- example for the desired attribute: eduPersonPrincipalName -->
<md:RequestedAttribute FriendlyName="eppn"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="false" />
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">ENG ORGANIZATION NAME</md:OrganizationName>
<md:OrganizationName xml:lang="it">ITA ORGANIZATION NAME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">ENG ORGANIZATION DISPLAY NAME</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="it">ITA ORGANIZATION DISPLAY NAME</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">ENG ORGANIZATION URL</md:OrganizationURL>
<md:OrganizationURL xml:lang="it">ITA ORGANIZATION URL</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:EmailAddress>mailto:technical.contact.mailing.list@example.org</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
References:
[RFC 2119] Key words for use in RFCs to Indicate Requirement Levels
http://www.rfc-editor.org/rfc/rfc2119.txt
[IDEM-META] IDEM METADATA PROFILE v1.0
https://wiki.idem.garr.it/w/images/8/81/IDEM_METADATA_PROFILE_V1.1-ita-eng.pdf
[SAML2Core] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
[SAML2Bind] Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
[SAML2Meta] Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0
http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
[SAML2MDIOP] SAML V2.0 Metadata Interoperability Profile Version 1.0
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-os.pdf
[SAML2Int] SAML V2.0 Deployment Profile for Federation Interoperability
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
[REFEDS-DISCO] REFEDS - Discovery Best Practice