Differences between versions of "Technical Profile"

From WIKI IDEM GARR.
 
(32 intermediate revisions by 3 users not shown)
Riga 1: Riga 1:
<big>Versione 1.0.3</big>  
+
<big>Version 1.1.0</big>  
  
<big>31 Agosto 2021</big>
+
<big>19 January 2024</big>
  
===Revisioni===
+
===Revisions===
 
{| class="wikitable"
 
{| class="wikitable"
 
|+
 
|+
Riga 11: Riga 11:
 
!Autore
 
!Autore
 
|-
 
|-
|1.0
+
|1.0.4
|01-06-2021
+
|21-10-2021
|Prima versione completa
+
|Translated from the Italian version
 
|Marco Malavolti
 
|Marco Malavolti
 
Barbara Monticini
 
Barbara Monticini
  
 
Davide Vaghetti
 
Davide Vaghetti
 +
 +
Mario Di Lorenzo
 
|-
 
|-
|1.0.1
+
|1.0.5
|07-06-2021
+
|16-02-2022
|Modifica IDP-MD08 e SP-MD07
+
|IDP-FED03 - Removed Privacy Policy examples
 +
|Davide Vaghetti
 +
|-
 +
|1.0.6
 +
|06-09-2022
 +
|Added links to IDP-FED05 e SP-FED05 into IDP-MD09 & SP-MD08
 
|Marco Malavolti
 
|Marco Malavolti
Barbara Monticini
+
|-
 +
|1.1.0
 +
|19-01-2024
 +
|SEC03 - Ban on using references to SAML v1.x deprecated protocol added
 +
IDP-MD04, IDP-MD12, IDP-MD13, SP-MD03, SP-MD10, SP-MD11 - Added recommendation on maximum 256 character limit
 +
 
 +
IDP-MD05, SP-MD04 - Added recommendation on the maximum limit of 1024 characters
 +
 
 +
IDP-FED02 - Removed the sample references
 +
 
 +
IDP-MD08 - Removed the sample references
 +
 
 +
IDP-MD15, SP-MD13 - Added the prefix specification "mailto:"
  
Davide Vaghetti
+
SP-FED01 - Reference to eduPersonScopedAffiliation specific documentation added
|-
 
|1.0.2
 
|10-06-2021
 
|SEC02 trasformato in raccomandazione dato che SEC01 copre già i casi di chain-issue piu' gravi
 
|Marco Malavolti
 
  
Barbara Monticini
+
SP-FED02 - Added reference to the service provider’s Privacy Policy
  
Davide Vaghetti
+
SP-MD03, SP-MD04 - Added ServiceName and ServiceDescription checked elements
|-
 
|1.0.3
 
|31-08-2021
 
|IDP-MD04 - DisplayName e SP-MD03 - DisplayName: inserito il divieto di utilizzo delle parole "IDEM" ed "eduGAIN" perchè riservate
 
 
|Marco Malavolti
 
|Marco Malavolti
 
Barbara Monticini
 
Barbara Monticini
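Review bot: the table header `!Autore` (an unchanged line in this hunk) is still Italian while the rest of the page is now English; rename it to `!Author`. In the 1.0.6 row, "IDP-FED05 e SP-FED05" keeps the Italian conjunction and should read "IDP-FED05 and SP-FED05". The 1.1.0 row records the SEC03 addition and the 256/1024 character recommendations, which matches the hunks below, but none of the 1.0.4 to 1.1.0 rows mention the IDP-FED04 rework or the SP-MD08 change from use="signing" to use="encryption" that appear later in this diff; add those so the revision history is complete.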
Riga 69: Riga 79:
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
 +
 +
====SEC03 - No SAML v1====
 +
The entity metadata MUST contain ONLY SAML 2.x protocol references.
 +
 +
[[Profilo Tecnico Operativo#top|[TOP]]]
 +
 
==Identity Provider==
 
==Identity Provider==
 
===Metadata (IDP-MD)===
 
===Metadata (IDP-MD)===
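Review bot: the [TOP] link added under SEC03 points to `[[Profilo Tecnico Operativo#top|[TOP]]]`, i.e. the Italian page, while every other section on this page uses `[[#top|[TOP]]]`; change it to the page-local anchor. It would also help to state which parts of the metadata the check looks at (for example the `protocolSupportEnumeration` values and any SAML 1.x binding URNs) so that "SAML 2.x protocol references only" is unambiguous for operators.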
Riga 74: Riga 90:
  
 
====IDP-MD01 - validUntil====
 
====IDP-MD01 - validUntil====
<code>validUntil</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be removed along with it's value as it will be replaced by the IDEM Federation.
+
<code>validUntil</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be removed along with its value as it will be replaced by the IDEM Federation.
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
 +
 
====IDP-MD02 - entityID====
 
====IDP-MD02 - entityID====
<code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum lenght of 256 charaters.
+
<code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum length of 256 characters.
  
If the enttyID URI is a URL it SHOULD return the entity metadata.  
+
If the entityID URI is a URL it SHOULD return the entity metadata.  
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 94: Riga 111:
 
<code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
 
<code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
  
*contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST not contain either the words "IDEM" or "eduGAIN".
+
*contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST NOT contain either the words "IDEM" or "eduGAIN".
 
*be available in both Italian and English languages.
 
*be available in both Italian and English languages.
 +
 +
It is RECOMMENDED that:
 +
 +
*the maximum limit of 256 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
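Review bot: "the maximum limit of 256 characters is not exceed" should read "is not exceeded"; the same wording is repeated in the new RECOMMENDED lists of IDP-MD05, IDP-MD12, IDP-MD13, SP-MD03, SP-MD04, SP-MD10 and SP-MD11 in this diff, so fix all of them together. The change from "MUST not" to "MUST NOT" on the DisplayName bullet is correct and makes the RFC 2119 keyword consistent with the rest of the page.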
Riga 101: Riga 122:
 
<mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName>
 
<mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName>
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 +
 
====IDP-MD05 - Description====
 
====IDP-MD05 - Description====
 
<code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
 
<code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
Riga 106: Riga 128:
 
*contain a brief description of the service;
 
*contain a brief description of the service;
 
*be available in both Italian and English languages.
 
*be available in both Italian and English languages.
 +
 +
It is RECOMMENDED that:
 +
 +
*the maximum limit of 1024 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 117: Riga 143:
 
*be available in both Italian and English languages.
 
*be available in both Italian and English languages.
  
For the actual content of the page refer to [[Profilo_Tecnico_Operativo#IDP-FED02 - Informazioni|IDP-FED02]].
+
For the actual content of the page refer to [[Technical Profile#IDP-FED02 - Web page for Information to the users|IDP-FED02]].
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 129: Riga 155:
 
*be available in both Italian and English languages.
 
*be available in both Italian and English languages.
  
For the actual content of the page refer to [[Profilo_Tecnico_Operativo#IDP-FED03 - Trattamento dati personali|IDP-FED03]].
+
For the actual content of the page refer to [[Technical Profile#IDP-FED03 - Web page about the processing of personal data|IDP-FED03]].
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 144: Riga 170:
 
*the logo is in PNG format on transparent background;
 
*the logo is in PNG format on transparent background;
 
*to publish two logos:
 
*to publish two logos:
**'''16x16 pixel''' (or bigger but respecing the same aspect-ratio) - [https://garr-idp-test.irccs.garr.it/it/favicon.png Example].
+
**'''16x16 pixel''' (or bigger but respecing the same aspect-ratio)
**'''80x60 pixel''' (or bigger but respecing the same aspect-ratio) - [https://garr-idp-test.irccs.garr.it/it/logo.png Example].
+
**'''80x60 pixel''' (or bigger but respecing the same aspect-ratio).
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
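Review bot: the typo "respecing" (for "respecting") survives in both rewritten logo bullets, and the two bullets now end inconsistently (no period on the 16x16 line, a period on the 80x60 line); fix both while the lines are being touched.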
Riga 154: Riga 180:
 
====IDP-MD09 - KeyDescriptor====
 
====IDP-MD09 - KeyDescriptor====
 
The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements:
 
The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements:
 
*contain an X.509 certificate in PEM format.
 
  
 
*with no further attributes or only the attribute <code>use="signing"</code>;
 
*with no further attributes or only the attribute <code>use="signing"</code>;
 +
*contain an X.509 certificate in PEM format as reported into [[Technical Profile#IDP-FED05%20-%20Requirements%20for%20Certificates%20used%20in%20Metadata|IDP-FED05]].
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 171: Riga 196:
  
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 +
 
====IDP-MD10 - SingleSignOnService====
 
====IDP-MD10 - SingleSignOnService====
 
<code><md:SingleSignOnService></code> MUST:
 
<code><md:SingleSignOnService></code> MUST:
  
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> (for<code>AuthnRequest;</code>
+
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code> (required by <code>AuthnRequest</code>);
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'</nowiki></code> (for <code>AuthnResponse</code>);
+
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'</nowiki></code> (required by <code>AuthnResponse</code>);
 
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>).
 
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>).
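Review bot: the new wording "(required by AuthnResponse)" on the HTTP-POST bullet is misleading: AuthnResponse is not a SAML 2.0 message name, and an IdP's <md:SingleSignOnService> endpoint only receives <samlp:AuthnRequest> messages (over either the HTTP-Redirect or the HTTP-POST binding); responses are delivered to the SP's AssertionConsumerService, not to this endpoint. Reword the two bullets as "for receiving AuthnRequest messages with the HTTP-Redirect binding" and "for receiving AuthnRequest messages with the HTTP-POST binding". In the Location bullet, "protected by SSL" would be more accurate as "protected by TLS".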
  
Riga 183: Riga 209:
  
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 +
 
====IDP-MD11 - SingleLogoutService====
 
====IDP-MD11 - SingleLogoutService====
 
<code><md:SingleLogoutService></code> MUST:
 
<code><md:SingleLogoutService></code> MUST:
  
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code>  (for <code>LogoutRequest</code>);
+
*be defined with the attribute <code>Binding='<nowiki>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'</nowiki></code>  (required by <code>LogoutRequest</code>);
 
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>).
 
*always contain a <code>Location</code> attribute valued with a URL protected by SSL (<code>https://</code>).
  
Riga 193: Riga 220:
  
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 +
 
====IDP-MD12 - OrganizationName====
 
====IDP-MD12 - OrganizationName====
 
<code><md:OrganizationName></code> , defined in the element <code><md:Organization></code>, MUST:
 
<code><md:OrganizationName></code> , defined in the element <code><md:Organization></code>, MUST:
  
 
*contain the name of the organisation to which the service belongs;
 
*contain the name of the organisation to which the service belongs;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
 +
 
 +
*the maximum limit of 256 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 207: Riga 239:
  
 
*contain the name of the organisation that will be shown in the user inteface;
 
*contain the name of the organisation that will be shown in the user inteface;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
 +
 
 +
*the maximum limit of 256 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
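Review bot: "user inteface" in the unchanged first bullet of IDP-MD13 (and in the same bullet of SP-MD11 later in this diff) is a typo for "user interface"; fix it while this section is being edited.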
Riga 217: Riga 253:
  
 
*contain the URL of the main site of organisation to which the service belongs;
 
*contain the URL of the main site of organisation to which the service belongs;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 226: Riga 262:
 
The metadata of the entity MUST define at least one <code><md:ContactPerson></code> element with the following requirements:
 
The metadata of the entity MUST define at least one <code><md:ContactPerson></code> element with the following requirements:
  
*contain the e-mail address of the technical contact of the service;
+
*contain the e-mail address of the technical contact of the service in the <code>mailto:</code> format;
 
*contain the attribute <code>contactType="technical".</code>
 
*contain the attribute <code>contactType="technical".</code>
  
It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).
+
It is RECOMMENDED to use an <u>impersonal</u> e-mail address (for example a mailing-list).
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 235: Riga 271:
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 
===Federation (IDP-FED)===
 
===Federation (IDP-FED)===
I requisiti di seguito elencati sono dettati dalla Federazione e destinati agli Identity Provider.
 
 
 
The requirements listed below are dictated by IDEM Federation and are intended for Identity Providers.
 
The requirements listed below are dictated by IDEM Federation and are intended for Identity Providers.
====IDP-FED01 - Data====
+
====IDP-FED01 - Data to be released====
Un Identity Provider in IDEM DEVE essere in grado di rilasciare le seguenti informazioni:
 
 
 
 
An Identity Provider in IDEM MUST be able to release the following information:
 
An Identity Provider in IDEM MUST be able to release the following information:
  
#un identificativo univoco, persistente, diverso per ogni servizio e trasmissibile in una delle seguenti forme / a unique, persistent identifier, different for each service and transmissible in one of the following forms:
+
#a unique, persistent identifier, different for each service and transmissible in one of the following forms:
#*within the xml element <code><NameID></code> with property  <code>Format="<nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki>"</code> if required by a Service Provider in its metadata / nell'elemento <code><NameID></code> con attributo <code>Format="<nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki>"</code> se indicato nei metadata del  Service Provider;
+
#*within the xml element <code><NameID></code> with property  <code>Format="<nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki>"</code> if required by a Service Provider in its metadata;
#*as an attribute named <code>eduPersonTargetedID</code> if required by a Service Provider in its metadata within the xml element <code><md:RequestedAttribute></code> / nell'attributo <code>eduPersonTargetedID</code> per i Service Provider che lo richiedono nell'elemento <code><md:RequestedAttribute></code>.
+
#*as an attribute named <code>eduPersonTargetedID</code> if required by a Service Provider in its metadata within the xml element <code><md:RequestedAttribute></code> .
#the attribute <code>eduPersonScopedAffiliation</code>, which is the affiliation of the user followed by the idp <code>scope</code>/ ovvero l'affiliazione dell'utente con l'aggiunta dello <code>scope</code>.<br />
+
#the attribute <code>eduPersonScopedAffiliation</code>, which is the affiliation of the user followed by the idp <code>scope</code>.
  
 
''Example of idp data released to the Service Provider [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml">
 
''Example of idp data released to the Service Provider [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml">
Riga 252: Riga 284:
 
persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
 
persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
====IDP-FED02 - Informazioni / Web page for Information to the users====
+
====IDP-FED02 - Web page for Information to the users====
La pagina informativa esposta in lingua <u>italiana</u> e in lingua <u>inglese</u> DEVE contenere:
 
 
 
 
Every Identity Provider MUST publish a web page in Italian and English language containing:
 
Every Identity Provider MUST publish a web page in Italian and English language containing:
  
#un riferimento per il supporto agli utenti (ad esempio un indirizzo di posta, o un web form, ecc.); a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc);
+
#a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
#un collegamento alla pagina sul trattamento dei dati personali; a pointer to the page about the processing of personal data;
+
#a pointer to the page about the processing of personal data as indicated by <code><mdui:PrivacyStatementURL></code> ([[Technical Profile#IDP-MD07 - PrivacyStatementURL|IDP-MD07]])
#il Logo di IDEM e il link al Sito di IDEM. the IDEM Logo and a hyperlink to the IDEM web site.
 
  
''Esempi: Practical examples of Web pages for information to the users:''
+
A Web page for Information to the users MAY include the IDEM Logo and a link to the IDEM Web site:
  
*IT: https://garr-idp-test.irccs.garr.it/it/info.html
+
*IDEM Web site: https://www.idem.garr.it
*EN: https://garr-idp-test.irccs.garr.it/en/info.html
+
*IDEM Logo: https://idem.garr.it/en/tutti-i-documenti/idem-archivio/banner-e-loghi
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
====IDP-FED03 - Trattamento dati personali / Web page about the processing of personal data====
+
====IDP-FED03 - Web page about the processing of personal data====
La pagina sul trattamento dei dati personali DEVE contenere tutte le informazioni previste dagli artt. 13 e 14 del Regolamento UE 679/2016.
 
 
 
 
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679.
 
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679.
  
A titolo esemplificativo, Il Servizio IDEM GARR AAI rende disponibile il seguente modello: [[InformativaDatiPersonaliIdP|InformativaDatiPersonaliIdP.]]
+
As a useful example of document about the processing of personal data, IDEM GARR AAI team has provided a template available in:[[InformativaDatiPersonaliIdP|InformativaDatiPersonaliIdP.]]
  
As a useful example of document about the processing of personal data, IDEM GARR AAI team has provided a template available in [[InformativaDatiPersonaliIdP|InformativaDatiPersonaliIdP.]]
+
[[#top|[TOP]]]
 
+
====IDP-FED04 - Login page====
''Esempi: Practical examples of Web pages about the processing of personal data:''
+
Every Identity Provider in IDEM MUST deploy a Login page for users containing:
 
 
*IT: https://garr-idp-test.irccs.garr.it/it/privacy.html
 
*EN: https://garr-idp-test.irccs.garr.it/en/privacy.html
 
  
[[#top|[TOP]]]
+
*a pointer to the url included in the IdP metadata tag <code><mdui:InformationURL></code> and whose content abeys the requirement stated in ([[Technical Profile#IDP-MD06 - InformationURL|IDP-MD06]])
====IDP-FED04 - Login / Login page====
 
La pagina di login di un Identity Provider federato in IDEM DEVE contenere:
 
  
Every Identity Provider in IDEM MUST deploy a Login page for users containing:  
+
It is RECOMMENDED for a Login Web page to contain:
  
*il collegamento alla pagina informativa indicata da <code><mdui:InformationURL></code> ([[Profilo_Tecnico_Operativo#IDP-MD06%20-%20InformationURL|IDP-MD06]]); a pointer to the url included in the IdP metadata tag <code><mdui:InformationURL></code> and whose content abeys the requirement stated in ([[Profilo_Tecnico_Operativo#IDP-MD06%20-%20InformationURL|IDP-MD06]]);
+
*a pointer to the url included in the IdP metadata tag <code><mdui:PrivacyStatementURL></code> and whose content abeys the requirement stated in ([[Technical Profile#IDP-MD07 - PrivacyStatementURL|IDP-MD07]])
*il collegamento alla pagina sul trattamento dei dati personali indicata da <code><mdui:PrivacyStatementURL></code> ([[Profilo_Tecnico_Operativo#IDP-MD07%20-%20PrivacyStatementURL|IDP-MD07]]); a pointer to the url included in the IdP metadata tag <code><mdui:PrivacyStatementURL></code> and whose content abeys the requirement stated in ([[Profilo_Tecnico_Operativo#IDP-MD07%20-%20PrivacyStatementURL|IDP-MD07]]);
 
*il logo di IDEM ([https://idem.garr.it/tutti-i-documenti/idem-archivio/banner-e-loghi Logo IDEM]); the IDEM Federation Logo ([https://idem.garr.it/tutti-i-documenti/idem-archivio/banner-e-loghi Logo IDEM]);
 
*il riferimento al <u>Contatto Tecnico</u> o al <u>Contatto di Supporto</u> per la risoluzione delle problematiche legate all'accesso alle risorse da parte degli utenti. a reference to the Support and Technical Contacts that a user can refer to in case of problems and issues.
 
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
====IDP-FED05 - Certificati metadata / Properties related to the Certificates used in Metadata====
+
====IDP-FED05 - Requirements for Certificates used in Metadata====
Il certificato o i certificati utilizzati per <u>firmare e cifrare</u> le asserzioni dell'IdP DOVREBBERO essere:
 
 
 
 
Certificates included in Metadata of the entity MUST obey the following properties:
 
Certificates included in Metadata of the entity MUST obey the following properties:
  
*di lunga durata (30 anni); long-term validity (expiration in more than x years);
+
*long-term validity (expiration in 30 years);
*auto firmati (self-signed); self-signed;
+
*self-signed;
*validi (non scaduti); validity not yet expired;
+
*be valid, not yet expired;
*non firmati con algoritmi di firma basati su MD5 o SHA1; exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1
+
*exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1
*corrispondenti ad una chiave privata di almeno 3072 bit. use a private key of at least 3072 bit
+
*use a private key of at least 3072 bit
  
In ogni caso la chiave privata corrispondente NON DEVE avere una lunghezza minore di 2048 bit.
+
In any case, Private Key MUST NOT be less than 2048 bit.
 
 
Private Key MUST NOT be less than 2048 bit.
 
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
===Esempio IdP Metadata / Practical Example of IdP Metadata===
+
===Example of Identity Provider Metadata===
 
<syntaxhighlight lang="xml">
 
<syntaxhighlight lang="xml">
 
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth">
 
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth">
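Review bot: IDP-FED02 is now internally inconsistent: item 3 of the MUST list ("the IDEM Logo and a hyperlink to the IDEM web site") is kept, while the new sentence right after the list says the page MAY include the IDEM Logo and link; either drop item 3 or keep the requirement and drop the MAY sentence. IDP-FED05 has the same problem: the list is introduced with "MUST obey", yet "use a private key of at least 3072 bit" is followed by "In any case, Private Key MUST NOT be less than 2048 bit", which only makes sense if the 3072-bit item is a SHOULD (the removed Italian text said DOVREBBERO, i.e. SHOULD); make the 3072-bit and 30-year items RECOMMENDED and keep the 2048-bit floor as the MUST. Smaller fixes in this hunk: "abeys" should be "obeys" (twice, in IDP-FED04), "MUST contains" should be "MUST contain" (IDP-FED03), "MD5 o SHA1" should be "MD5 or SHA1", "available in:[[" needs a space after the colon with the period moved outside the link label, and the IDEM logo and support-contact items of the old IDP-FED04 list no longer appear in the new version although the revision table does not record that change.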
Riga 367: Riga 382:
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
 
====SP-MD02 - entityID====
 
====SP-MD02 - entityID====
<code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum lenght of 256 charaters.
+
<code>entityID</code>, attribute defined in the element <code><md:EntityDescriptor></code>, MUST be a URI with a maximum length of 256 characters.
  
If the enttyID URI is a URL it SHOULD return the entity metadata.
+
If the entityID URI is a URL it SHOULD return the entity metadata.
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
 
entityID="https://sp.example.org/shibboleth"
 
entityID="https://sp.example.org/shibboleth"
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
====SP-MD03 - DisplayName====
+
====SP-MD03 - DisplayName & ServiceName====
<code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
+
<code><mdui:DisplayName></code>, defined in the element <code><mdui:UIInfo></code>, and <code><md:ServiceName></code>, defined in the element <code><md:AttributeConsumingService></code> MUST:
 +
 
 +
*contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST NOT contain either the reserved words "IDEM" or "eduGAIN";
 +
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
  
*contain the name of the service that will be displayed to the users. '''WARNING''': the name MUST not contain either the words "IDEM" or "eduGAIN";
+
*the maximum limit of 256 characters is not exceed
*be available in both Italian and English languages.
 
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
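Review bot: the new introductory sentence needs a comma before "MUST" ("... defined in the element <md:AttributeConsumingService>, MUST:"), and the example still shows only <mdui:DisplayName> although the requirement now also covers <md:ServiceName>; add an <md:ServiceName xml:lang="..."> line for each of the two languages so the example matches the rule. "is not exceed" should be "is not exceeded".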
Riga 384: Riga 403:
 
<mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName>
 
<mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName>
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
====SP-MD04 - Description====
+
====SP-MD04 - Description & ServiceDescription====
<code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, MUST:
+
<code><mdui:Description></code>, defined in the element <code><mdui:UIInfo></code>, and <code><md:ServiceDescription></code>, defined in the element <code><md:AttributeConsumingService></code> MUST:
  
 
*contain a bried description of the service;
 
*contain a bried description of the service;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
 +
 
 +
*the maximum limit of 1024 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
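Review bot: "bried description" in the unchanged first bullet is a typo for "brief description", and, as with SP-MD03, the example block should now include <md:ServiceDescription> entries since the requirement covers that element too. "is not exceed" should be "is not exceeded".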
Riga 401: Riga 424:
 
*be available in both Italian and English languages.
 
*be available in both Italian and English languages.
  
For the actual content of the page refer to [[Profilo_Tecnico_Operativo#SP-FED02%20-%20Informazioni|SP-FED02]].
+
For the actual content of the page refer to [[Technical Profile#SP-FED02 - Informazioni|SP-FED02]].
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
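Review bot: the retargeted link `[[Technical Profile#SP-FED02 - Informazioni|SP-FED02]]` points at an anchor that no longer exists: the SP-FED02 heading is renamed to "SP-FED02 - Web page for Information to the users" later in this diff, so the anchor must be updated to match (as was done for the IDP-FED02 link).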
Riga 411: Riga 434:
  
 
*contain the URL of the Privacy Policy of the service;
 
*contain the URL of the Privacy Policy of the service;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
  
For the actual content of the page refer to [[Profilo_Tecnico_Operativo#SP-FED03%20-%20Trattamento%20dati|SP-FED03]].
+
For the actual content of the page refer to [[Technical Profile#SP-FED03 - Trattamento dati|SP-FED03]].
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
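Review bot: the link anchor `SP-FED03 - Trattamento dati` keeps the Italian heading text while the matching IDP-FED03 anchor was translated earlier in this diff; check that the SP-FED03 heading was not renamed in the same way, otherwise this link will also break.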
Riga 426: Riga 449:
 
It is RECOMMENDED that:
 
It is RECOMMENDED that:
  
*the logo is in PNG format on transparent background.
+
*the logo is in '''PNG''' format (on transparent background).
  
 
*to publish two logos:
 
*to publish two logos:
**'''16x16 pixel''' (or bigger but respecing the same aspect-ratio) - [https://garr-idp-test.irccs.garr.it/it/favicon.png Example]
+
**'''16x16 pixel''' (or bigger but respecing the same aspect-ratio)
**'''80x60 pixel''' (or bigger but respecing the same aspect-ratio) - [https://garr-idp-test.irccs.garr.it/it/logo.png Example]
+
**'''80x60 pixel''' (or bigger but respecing the same aspect-ratio)
  
 
''Esempio:''<syntaxhighlight lang="xml">
 
''Esempio:''<syntaxhighlight lang="xml">
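Review bot: "respecing" should be "respecting" in both logo bullets, and the example label `''Esempio:''` in the unchanged context line is still Italian; change it to `''Example:''` as used in the rest of the page.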
Riga 438: Riga 461:
 
The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements:
 
The metadata of the entity MUST define at least one <code><md:KeyDescriptor></code> element with the following requirements:
  
*with no further attributes or only the attribute <code>use="signing"</code>;
+
*with no further attributes or only the attribute <code>use="encryption"</code>
*contain an X.509 certificate in PEM format.
+
*contain an X.509 certificate in PEM format as reported into [[Technical Profile#SP-FED05%20-%20Requirements%20for%20Certificates%20used%20in%20Metadata|SP-FED05;]]
 
<syntaxhighlight lang="xml">
 
<syntaxhighlight lang="xml">
 
<md:KeyDescriptor use="encryption">
 
<md:KeyDescriptor use="encryption">
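Review bot: replacing use="signing" with use="encryption" in the first bullet changes what an SP may publish; please confirm whether a Service Provider <md:KeyDescriptor> carrying use="signing" is now non-compliant, since the previous text allowed it and an SP that signs its requests needs a signing key. The bullet also lost its trailing semicolon, and the link label in the next bullet includes a stray semicolon inside the brackets ("SP-FED05;"); move it outside the link.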
Riga 456: Riga 479:
 
<code><md:RequestedAttribute></code> , defined in the element <code><md:AttributeConsumingService></code>, MUST:
 
<code><md:RequestedAttribute></code> , defined in the element <code><md:AttributeConsumingService></code>, MUST:
  
*contain the set of SAML attributes required by the resource to work properly; contenere tutti e soli gli attributi SAML richiesti dalla risorsa;
+
*contain the set of SAML attributes required by the resource to work properly
 
*define attributes that are required to get access to the resourse with the property  <code>isRequired="true"</code>
 
*define attributes that are required to get access to the resourse with the property  <code>isRequired="true"</code>
 
*define attributes that are desired when accessing the resourse with the property <code>isRequired="false"</code>
 
*define attributes that are desired when accessing the resourse with the property <code>isRequired="false"</code>
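Review bot: "resourse" in the two unchanged isRequired bullets is a typo for "resource", and "the property" would be clearer as "the attribute" (isRequired is an XML attribute of <md:RequestedAttribute>). The first bullet lost its terminating semicolon when the Italian text was dropped.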
Riga 469: Riga 492:
  
 
*contain the name of the organisation to which the service belongs;
 
*contain the name of the organisation to which the service belongs;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
 +
 
 +
*the maximum limit of 256 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 479: Riga 506:
  
 
*contain the name of the organisation that will be shown in the user inteface;
 
*contain the name of the organisation that will be shown in the user inteface;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
 +
 
 +
It is RECOMMENDED that:
 +
 
 +
*the maximum limit of 256 characters is not exceed
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 489: Riga 520:
  
 
*contain the URL of the main site of the Organisation to which the service belongs;
 
*contain the URL of the main site of the Organisation to which the service belongs;
*be available in both Italian and English languages.
+
*be available in both <u>Italian</u> and <u>English</u> languages.
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 496: Riga 527:
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 
====SP-MD13 - ContactPerson====
 
====SP-MD13 - ContactPerson====
The metadata of the entity MUST define at least one <code><md:ContactPerson></code> element with the following requirements:
+
The metadata of the entity MUST define <u>at least</u> one <code><md:ContactPerson></code> element with the following requirements:
  
*contain the e-mail address of the technical contact of the service;
+
*contain the e-mail address of the technical contact of the service in the <code>mailto:</code> format;
 
*contain the attribute <code>contactType="technical".</code>
 
*contain the attribute <code>contactType="technical".</code>
  
It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).
+
It is RECOMMENDED to use an <u>impersonal</u> e-mail address (for example a mailing-list).
  
 
''Example:''<syntaxhighlight lang="xml">
 
''Example:''<syntaxhighlight lang="xml">
Riga 507: Riga 538:
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
 
===Federation (SP-FED)===
 
===Federation (SP-FED)===
I requisiti di seguito elencati sono dettate dalla Federazione e destinate ai Service Provider.
+
The requirements listed below are dictated by IDEM Federation and are intended for Service Providers.
====SP-FED01 - Data====
+
====SP-FED01 - Data received from IdPs====
un Service Provider in IDEM riceve ''automaticamente'' le seguenti informazioni:
+
in IDEM every Service Provider receives ''by default'' the following data by every Identity Provider:
  
#Un identificativo univoco persistente e targhettizzato dell'utente:
+
#A unique persistent targeted id of the user:
#*<code>persistent-id</code> '''(persistent NameID)'''  (o ''eduPersonTargetedID'' se non è possibile rilasciarlo)
+
#*<code>persistent-id</code> '''(persistent NameID)'''  (or the attribute ''eduPersonTargetedID'' if the Idp cannot release a NameID)
#L'affiliazione dell'utente con scopo:
+
#The scoped affiliation of the user:
#*<code>affiliation</code> '''(eduPersonScopedAffiliation)'''
+
#*<code>affiliation</code> '''(eduPersonScopedAffiliation)''' (take a look to [[Attributo Affiliazione]])
  
''Esempio con [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml">
+
''Example of idp data released to [https://sp.aai-test.garr.it/secure sp.aai-test.garr.it]:''<syntaxhighlight lang="xml">
 
affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
 
affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
 
persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
 
persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=
  
</syntaxhighlight><u>Ogni informazione aggiuntiva richiesta</u> per l'utilizzo della/e risorsa/e protetta/e dal Service Provider <u>va motivata adeguatamente</u> via mail a <code>idem-help@garr.it</code>.
+
</syntaxhighlight><u>Any further attribute required to access</u> a Service Provider has to be properly motivated by sending an e-mail to <code>idem-help@garr.it</code>.
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
====SP-FED02 - Informazioni====
+
====SP-FED02 - Web page for Information to the users====
La pagina informativa esposta in lingua <u>italiana</u> e in lingua <u>inglese</u> DEVE contenere:
+
Every Service Provider MUST publish a web page in Italian and English language containing:
  
#la descrizione del servizio;
+
#the description of the service
#il pubblico a cui si rivolge il servizio;
+
#the intended audience
#la denominazione dell'organizzazione che lo gestisce;
+
#the Name of the Organization providing the service
#il riferimento al supporto utenti;
+
#a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
#il collegamento alla pagina sul trattamento dei dati personali.
+
#a reference/pointer to the page about the processing of personal data as indicated by <code><mdui:PrivacyStatementURL></code> ([[Technical Profile#SP-MD06 - PrivacyStatementURL|SP-MD06]]), if possible, referenced with the same URL.
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
====SP-FED03 - Trattamento dati====
+
====SP-FED03 - Web page about the processing of personal data====
La pagina sul trattamento dei dati personali DEVE contenere tutte le informazioni previste dagli artt. 13 e 14 del Regolamento UE 679/2016.
+
A Web page about the processing of personal data MUST contains all the information required as per articles 13 and 14 of the Regulation (EU) 2016/679.
  
Per la stesura della privacy policy IDEM suggerisce di seguire le linee guida di REFEDS:
+
It is strongly suggested to use REFEDS guidelines for Service Provider:
  
 
https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers
 
https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers
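Review bot: in the new SP-FED01 text, "receives by default the following data by every Identity Provider" should read "from every Identity Provider", and its fallback condition for eduPersonTargetedID ("if the Idp cannot release a NameID") differs from IDP-FED01, where the choice between a persistent NameID and the attribute depends on what the Service Provider requests in its metadata; align the two. Smaller points in the same hunk: SP-FED03 "MUST contains" should be "MUST contain", and SP-FED02 item 5 "referenced with the same URL" is clearer as "using the same URL as the one published in the metadata".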
Riga 542: Riga 573:
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
 
====SP-FED04 - Login Page / Discovery Service====
 
====SP-FED04 - Login Page / Discovery Service====
La pagina di accesso ad una risorsa federata in IDEM DEVE contenere:
+
The access page to a federated resource in IDEM MUST contain:
  
*l'elenco degli IdP abilitati provenienti da IDEM ed eduGAIN;
+
*the list of eligible IdP coming from IDEM Federation and eduGAIN;
*un riferimento alla pagina informativa del servizio ([[Profilo Tecnico Operativo#SP-MD05 - InformationURL|SP-MD05]])
+
*a reference/pointer to the page about the Information to the users ([[Technical Profile#SP-MD05 - InformationURL|SP-MD05]])
  
Il Servizio suggerisce di consultare le linee guida ''REFEDS Best Practices'' per l'implementazione del login federato'':'' https://discovery.refeds.org/
+
It is strongly suggested to follow ''REFEDS Best Practices'' when implementing federated access to a resource'':'' https://discovery.refeds.org/
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
====SP-FED05 - Certificati metadata====
+
====SP-FED05 - Requirements for Certificates used in Metadata====
Il certificato o i certificati utilizzati per firmare e cifrare le asserzioni del SP DOVREBBERO essere:
+
Certificates included in Metadata of the entity MUST obey the following requirements:
  
*di lunga durata (30 anni);
+
*long-term validity (expiration in 30 years);
*auto firmati (self-signed);
+
*self-signed;
*validi (non scaduti);
+
*be valid, not yet expired;
*non firmati con algoritmi di firma basati su MD5 o SHA1;
+
*exclude the usage of signing algorithms based on deprecated hashing methods MD5 o SHA1
*corrispondenti ad una chiave privata di almeno 3072 bit.
+
*use a private key of at least 3072 bit
  
In ogni caso la chiave privata corrispondente NON DEVE avere una lunghezza minore di 2048 bit.
+
In any case, Private Key MUST NOT be less than 2048 bit.
  
 
[[#top|[TOP]]]
 
[[#top|[TOP]]]
===Esempio Metadata Service Provider===
+
===Example of Service Provider Metadata===
 
<syntaxhighlight lang="xml">
 
<syntaxhighlight lang="xml">
 
<md:EntityDescriptor entityID="https://sp.example.com/shibboleth"
 
<md:EntityDescriptor entityID="https://sp.example.com/shibboleth"
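Review bot: the SP-FED05 translation raises the requirement level: the Italian "DOVREBBERO essere" is a SHOULD, the new text says "MUST obey the following requirements", yet the closing sentence "In any case, Private Key MUST NOT be less than 2048 bit" only makes sense as a floor under a SHOULD-level 3072-bit target; either keep SHOULD for the list or drop the 2048-bit floor. The Italian also scoped the rule to the certificates used to sign and encrypt the SP's assertions, while the new heading says "Certificates used in Metadata"; say which is meant. Typo: "MD5 o SHA1" should read "MD5 or SHA-1".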
Riga 637: Riga 668:
 
</syntaxhighlight>[[#top|[TOP]]]
 
</syntaxhighlight>[[#top|[TOP]]]
  
===Riferences:===
+
===References:===
 
[RFC 2119]  Key words for use in RFCs to Indicate Requirement Levels
 
[RFC 2119]  Key words for use in RFCs to Indicate Requirement Levels
  

Current version as of 14:14, 22 January 2024

Version 1.1.0

19 January 2024

Revisions

{| class="wikitable"
!Version
!Date
!Description
!Author
|-
|1.0.4
|21-10-2021
|Translated from the Italian version
|Marco Malavolti, Barbara Monticini, Davide Vaghetti, Mario Di Lorenzo
|-
|1.0.5
|16-02-2022
|IDP-FED03 - Removed Privacy Policy examples
|Davide Vaghetti
|-
|1.0.6
|06-09-2022
|Added links to IDP-FED05 and SP-FED05 into IDP-MD09 & SP-MD08
|Marco Malavolti
|-
|1.1.0
|19-01-2024
|SEC03 - Ban on references to the deprecated SAML v1.x protocol added

IDP-MD04, IDP-MD12, IDP-MD13, SP-MD03, SP-MD10, SP-MD11 - Added recommendation on the maximum limit of 256 characters

IDP-MD05, SP-MD04 - Added recommendation on the maximum limit of 1024 characters

IDP-FED02 - Removed the sample references

IDP-MD08 - Removed the sample references

IDP-MD15, SP-MD13 - Added the prefix specification "mailto:"

SP-FED01 - Reference to eduPersonScopedAffiliation specific documentation added

SP-FED02 - Added reference to the service provider's Privacy Policy

SP-MD03, SP-MD04 - Added ServiceName and ServiceDescription checked elements
|Marco Malavolti, Barbara Monticini, Davide Vaghetti, Mario Di Lorenzo
|}


Technical Profile for the entities of the IDEM Federation

The Technical Profile defines all the requirements for an entity to be registered in the Italian Identity Federation IDEM GARR AAI.

Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC2119].

[TOP]

Security (SEC) - Identity Provider & Service Provider

The following requirements are related to the SSL certificate used for the HTTPS interface of the service. They are not to be applied to the certificates used by Identity Providers and Service Providers to sign and encrypt the assertions.

SEC01 - SSL robustness level

The HTTPS endpoint of the service (certificate and TLS configuration) MUST obtain at least a B grade on SSL Labs: https://www.ssllabs.com/ssltest/

[TOP]

SEC02 - Chain issue

The SSL certificate used on the HTTPS port of the service SHOULD be free of "Chain issues" --- check with SSL Labs: https://www.ssllabs.com/ssltest/

[TOP]

SEC03 - No SAML v1

The entity metadata MUST contain ONLY SAML 2.x protocol references.

[TOP]

Identity Provider

Metadata (IDP-MD)

The following requirements are related to the metadata of an Identity Provider (IdP).

IDP-MD01 - validUntil

validUntil, attribute defined in the element <md:EntityDescriptor>, MUST be removed along with its value as it will be replaced by the IDEM Federation.

[TOP]

IDP-MD02 - entityID

entityID, attribute defined in the element <md:EntityDescriptor>, MUST be a URI with a maximum length of 256 characters.

If the entityID URI is a URL it SHOULD return the entity metadata.

Example:

entityID="https://idp.example.org/idp/shibboleth"

[TOP]

IDP-MD03 - Scope

<shibmd:Scope>, defined in the element <md:Extensions>, MUST contain a domain value controlled by the Organisation (verifications will be performed with WHOIS).

Example:

<shibmd:Scope>example.org</shibmd:Scope>

[TOP]

IDP-MD04 - DisplayName

<mdui:DisplayName>, defined in the element <mdui:UIInfo>, MUST:

  • contain the name of the service that will be displayed to the users. WARNING: the name MUST NOT contain either the words "IDEM" or "eduGAIN".
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName>

[TOP]

IDP-MD05 - Description

<mdui:Description>, defined in the element <mdui:UIInfo>, MUST:

  • contain a brief description of the service;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 1024 characters is not exceeded

Example:

<mdui:Description xml:lang="en">Identity provider for Example University user</mdui:Description> 
<mdui:Description xml:lang="it">Identity provider per gli utenti di Università di Esempio</mdui:Description>

[TOP]

IDP-MD06 - InformationURL

<mdui:InformationURL>, defined in the element <mdui:UIInfo>, MUST:

  • contain the URL of the Information page of the service;
  • be available in both Italian and English languages.

For the actual content of the page refer to IDP-FED02.

Example:

<mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL> 
<mdui:InformationURL xml:lang="it">https://...pagina di informazioni in italiano...</mdui:InformationURL>

[TOP]

IDP-MD07 - PrivacyStatementURL

<mdui:PrivacyStatementURL>, defined in the element <mdui:UIInfo>, MUST:

  • contain the URL of the Privacy Policy of the service;
  • be available in both Italian and English languages.

For the actual content of the page refer to IDP-FED03.

Example:

<mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL>  
<mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL>

[TOP]

IDP-MD08 - Logo

<mdui:Logo>, defined in the element <mdui:UIInfo>, MUST:

  • contain at least one https:// URL pointing to the logo of the organisation.

It is RECOMMENDED that:

  • the logo is in PNG format on transparent background;
  • two logos are published:
    • 16x16 pixel (or bigger but respecting the same aspect-ratio)
    • 80x60 pixel (or bigger but respecting the same aspect-ratio).

Example:

<mdui:Logo width="16" height="16">https://...favicon_16x16.png...</mdui:Logo>
<mdui:Logo width="80" height="60">https://...logo_80x60.png...</mdui:Logo>

[TOP]

IDP-MD09 - KeyDescriptor

The metadata of the entity MUST define at least one <md:KeyDescriptor> element with the following requirements:

  • with no further attributes or only the attribute use="signing";
  • contain an X.509 certificate in PEM format as reported into IDP-FED05.

Example:

<md:KeyDescriptor use="signing">
   <ds:KeyInfo>
      <ds:X509Data>
         <ds:X509Certificate>
         MII[..]
         </ds:X509Certificate>
      </ds:X509Data>
   </ds:KeyInfo>
</md:KeyDescriptor>

[TOP]

IDP-MD10 - SingleSignOnService

<md:SingleSignOnService> MUST:

  • be defined with the attribute Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' (to receive AuthnRequest messages sent with the HTTP-Redirect binding);
  • be defined with the attribute Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' (to receive AuthnRequest messages sent with the HTTP-POST binding; the response is always delivered to the Service Provider's AssertionConsumerService);
  • always contain a Location attribute whose value is an https:// URL.

Example:

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://..."/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://..."/>

[TOP]

IDP-MD11 - SingleLogoutService

<md:SingleLogoutService> MUST:

  • be defined with the attribute Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' (to receive LogoutRequest messages);
  • always contain a Location attribute whose value is an https:// URL.

Example:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://..."/>

[TOP]

IDP-MD12 - OrganizationName

<md:OrganizationName> , defined in the element <md:Organization>, MUST:

  • contain the name of the organisation to which the service belongs;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<md:OrganizationName xml:lang="en">Example University</md:OrganizationName> 
<md:OrganizationName xml:lang="it">Università di Esempio</md:OrganizationName>

[TOP]

IDP-MD13 - OrganizationDisplayName

<md:OrganizationDisplayName> , defined in the element <md:Organization>, MUST:

  • contain the name of the organisation that will be shown in the user interface;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="it">Università di Esempio</md:OrganizationDisplayName>

[TOP]

IDP-MD14 - OrganizationURL

<md:OrganizationURL>, defined in the element <md:Organization>, MUST:

  • contain the URL of the main site of organisation to which the service belongs;
  • be available in both Italian and English languages.

Example:

<md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL> 
<md:OrganizationURL xml:lang="it">https://...sito istituzionale in italiano...</md:OrganizationURL>

[TOP]

IDP-MD15 - ContactPerson

The metadata of the entity MUST define at least one <md:ContactPerson> element with the following requirements:

  • contain the e-mail address of the technical contact of the service in the mailto: format;
  • contain the attribute contactType="technical".

It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).

Example:

<md:ContactPerson contactType="technical">
   <md:EmailAddress>mailto:mailing-list@domain</md:EmailAddress>
</md:ContactPerson>

[TOP]

Federation (IDP-FED)

The requirements listed below are dictated by IDEM Federation and are intended for Identity Providers.

IDP-FED01 - Data to be released

An Identity Provider in IDEM MUST be able to release the following information:

  1. a unique, persistent identifier, different for each service and transmissible in one of the following forms:
    • within the xml element <NameID> with property Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" if required by a Service Provider in its metadata;
    • as an attribute named eduPersonTargetedID if required by a Service Provider in its metadata within the xml element <md:RequestedAttribute> .
  2. the attribute eduPersonScopedAffiliation, which is the affiliation of the user followed by the IdP scope.

Example of idp data released to the Service Provider sp.aai-test.garr.it:

affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
persistent = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=

[TOP]

IDP-FED02 - Web page for Information to the users

Every Identity Provider MUST publish a web page in Italian and English language containing:

  1. a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
  2. a pointer to the page about the processing of personal data as indicated by <mdui:PrivacyStatementURL> (IDP-MD07)

A Web page for Information to the users MAY include the IDEM logo and a link to the IDEM web site.

[TOP]

IDP-FED03 - Web page about the processing of personal data

A Web page about the processing of personal data MUST contain all the information required by articles 13 and 14 of the Regulation (EU) 2016/679.

As a useful example of a document about the processing of personal data, the IDEM GARR AAI team provides a template, available at: InformativaDatiPersonaliIdP.

[TOP]

IDP-FED04 - Login page

Every Identity Provider in IDEM MUST deploy a Login page for users containing:

  • a pointer to the URL published in the IdP metadata element <mdui:InformationURL>, whose content obeys the requirements stated in IDP-MD06.

It is RECOMMENDED for a Login Web page to contain:

  • a pointer to the URL published in the IdP metadata element <mdui:PrivacyStatementURL>, whose content obeys the requirements stated in IDP-MD07.

[TOP]

IDP-FED05 - Requirements for Certificates used in Metadata

Certificates included in the metadata of the entity MUST have the following properties:

  • long-term validity (expiration in 30 years);
  • self-signed;
  • valid, i.e. not yet expired;
  • not signed with an algorithm based on a deprecated hash function (MD5 or SHA-1);
  • associated with a private key of at least 3072 bit.

In any case, the private key MUST NOT be shorter than 2048 bit.

[TOP]

Example of Identity Provider Metadata

<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.example.org/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions>
   <shibmd:Scope regexp="false">example.org</shibmd:Scope>
   <mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">ENG IDP DISPLAYNAME</mdui:DisplayName>
    <mdui:DisplayName xml:lang="it">ITA IDP DISPLAYNAME</mdui:DisplayName>
    <mdui:Description xml:lang="en">ENG IDP DESCRIPTION</mdui:Description>
    <mdui:Description xml:lang="it">ITA IDP DESCRIPTION</mdui:Description>
    <mdui:InformationURL xml:lang="en">HTTPS URL ENG INFO PAGE</mdui:InformationURL>
    <mdui:InformationURL xml:lang="it">HTTPS URL ITA INFO PAGE</mdui:InformationURL>
    <mdui:PrivacyStatementURL xml:lang="en">URL ENG PRIVACY POLICY PAGE</mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="it">URL ITA PRIVACY POLICY PAGE</mdui:PrivacyStatementURL>
    <mdui:Logo width="80" height="60">HTTPS URL LOGO</mdui:Logo>
    <mdui:Logo width="16" height="16">HTTPS URL FAVICON</mdui:Logo>
   </mdui:UIInfo>
  </md:Extensions>
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo>
    <ds:X509Data>
     <ds:X509Certificate>
        MII...
     </ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
 </md:IDPSSODescriptor>
 <md:Organization>
  <md:OrganizationName xml:lang="it">ITA IDP ORGANIZATION NAME</md:OrganizationName>
  <md:OrganizationName xml:lang="en">ENG IDP ORGANIZATION NAME</md:OrganizationName>
  <md:OrganizationDisplayName xml:lang="it">ITA IDP DISPLAYNAME ORGANIZATION</md:OrganizationDisplayName>
  <md:OrganizationDisplayName xml:lang="en">ENG IDP DISPLAYNAME ORGANIZATION</md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="it">https://example.org/it</md:OrganizationURL>
  <md:OrganizationURL xml:lang="en">https://example.org/en</md:OrganizationURL>
 </md:Organization>
 <md:ContactPerson contactType="technical">
  <md:GivenName>EXAMPLE CONTACT NAME</md:GivenName>
  <md:SurName>EXAMPLE CONTACT SURNAME</md:SurName>
  <md:EmailAddress>mailto:technical.contact@example.org</md:EmailAddress>
 </md:ContactPerson>
</md:EntityDescriptor>

[TOP]
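The IDP-MD rules above, together with SEC03, are mechanical enough to be checked before metadata is submitted to the federation. The script below is an added example written for this page, not an IDEM tool: it uses only the Python standard library, reads an EntityDescriptor like the one above and returns the identifiers of the rules it violates. The sample metadata is constructed here, modelled on the example above (same "MII..." placeholder certificate); the URLs and contact address in it and the function names are assumptions. The WHOIS verification of IDP-MD03 and the certificate properties of IDP-FED05 are out of scope. The same checks apply, with the SP rule numbers, to an SPSSODescriptor.

```python
"""Lint an IdP <md:EntityDescriptor> against the IDEM Technical Profile
(SEC03 and IDP-MD01..IDP-MD15).  Added example, not an IDEM tool: stdlib
only, metadata text only (the WHOIS check of IDP-MD03 and the certificate
rules of IDP-FED05 are not covered).  The sample metadata is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0", "ds": "http://www.w3.org/2000/09/xmldsig#"}
LANG = "{http://www.w3.org/XML/1998/namespace}lang"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RESERVED = re.compile(r"\b(idem|edugain)\b", re.I)          # IDP-MD04 reserved words

def by_lang(parent, path):
    """xml:lang -> text for the elements matching path (empty if parent is missing)."""
    return {} if parent is None else {e.get(LANG): (e.text or "").strip() for e in parent.findall(path, NS)}

def lint_idp_metadata(xml_text):
    """Return (rule, message) pairs for every violation found; [] means compliant."""
    ent, out = ET.fromstring(xml_text), []
    for e in ent.iter():                                    # SEC03: no SAML 1.x references
        for v in list(e.attrib.values()) + [e.text or ""]:
            if "SAML:1.0" in v or "SAML:1.1" in v:
                out.append(("SEC03", f"SAML 1.x reference: {v.strip()}"))
    if ent.get("validUntil") is not None:
        out.append(("IDP-MD01", "validUntil must be removed"))
    eid = ent.get("entityID", "")
    if not eid or len(eid) > 256 or " " in eid:             # rough URI test: non-empty, no spaces
        out.append(("IDP-MD02", "entityID must be a URI of at most 256 characters"))
    sso = ent.find("md:IDPSSODescriptor", NS)
    if sso is None:
        return out + [("IDP-MD", "no md:IDPSSODescriptor")]
    if not any((s.text or "").strip() for s in sso.findall("md:Extensions/shibmd:Scope", NS)):
        out.append(("IDP-MD03", "shibmd:Scope with a domain value is required"))
    ui, org = sso.find("md:Extensions/mdui:UIInfo", NS), ent.find("md:Organization", NS)
    for rule, parent, path, limit in [
            ("IDP-MD04", ui, "mdui:DisplayName", 256), ("IDP-MD05", ui, "mdui:Description", 1024),
            ("IDP-MD06", ui, "mdui:InformationURL", 0), ("IDP-MD07", ui, "mdui:PrivacyStatementURL", 0),
            ("IDP-MD12", org, "md:OrganizationName", 256), ("IDP-MD13", org, "md:OrganizationDisplayName", 256),
            ("IDP-MD14", org, "md:OrganizationURL", 0)]:
        texts = by_lang(parent, path)
        if not {"it", "en"} <= set(texts):
            out.append((rule, f"{path} must be given for xml:lang it and en"))
        for lang, text in texts.items():
            if limit and len(text) > limit:
                out.append((rule, f"{path}[{lang}] exceeds {limit} characters (RECOMMENDED limit)"))
            if path == "mdui:DisplayName" and RESERVED.search(text):
                out.append((rule, f"{path}[{lang}] contains a reserved word: {text}"))
    logos = [] if ui is None else ui.findall("mdui:Logo", NS)
    if not any((l.text or "").strip().startswith("https://") for l in logos):
        out.append(("IDP-MD08", "at least one mdui:Logo with an https:// URL is required"))
    if not any(k.get("use") in (None, "signing") and k.find(".//ds:X509Certificate", NS) is not None
               for k in sso.findall("md:KeyDescriptor", NS)):
        out.append(("IDP-MD09", "a signing KeyDescriptor carrying an X509Certificate is required"))
    for rule, name, needed in (("IDP-MD10", "md:SingleSignOnService", {REDIRECT, POST}),
                               ("IDP-MD11", "md:SingleLogoutService", {REDIRECT})):
        eps = {e.get("Binding"): e.get("Location", "") for e in sso.findall(name, NS)}
        if not needed <= set(eps):
            out.append((rule, f"{name} must offer the bindings {sorted(needed)}"))
        for binding, loc in eps.items():
            if not loc.startswith("https://"):
                out.append((rule, f"{name} Location {loc!r} for {binding} is not https://"))
    emails = [(m.text or "").strip() for c in ent.findall("md:ContactPerson", NS)
              if c.get("contactType") == "technical" for m in c.findall("md:EmailAddress", NS)]
    if not any(m.startswith("mailto:") for m in emails):
        out.append(("IDP-MD15", "a technical ContactPerson with a mailto: EmailAddress is required"))
    return out

# Constructed sample, modelled on the page's IdP example (placeholder certificate kept).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 entityID="https://idp.example.org/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions>
   <shibmd:Scope regexp="false">example.org</shibmd:Scope>
   <mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName><mdui:DisplayName xml:lang="it">Università di Esempio</mdui:DisplayName>
    <mdui:Description xml:lang="en">Identity provider for Example University users</mdui:Description><mdui:Description xml:lang="it">Identity provider per gli utenti di Università di Esempio</mdui:Description>
    <mdui:InformationURL xml:lang="en">https://idp.example.org/info/en</mdui:InformationURL><mdui:InformationURL xml:lang="it">https://idp.example.org/info/it</mdui:InformationURL>
    <mdui:PrivacyStatementURL xml:lang="en">https://idp.example.org/privacy/en</mdui:PrivacyStatementURL><mdui:PrivacyStatementURL xml:lang="it">https://idp.example.org/privacy/it</mdui:PrivacyStatementURL>
    <mdui:Logo width="80" height="60">https://idp.example.org/logo_80x60.png</mdui:Logo>
   </mdui:UIInfo>
  </md:Extensions>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MII...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
 </md:IDPSSODescriptor>
 <md:Organization>
  <md:OrganizationName xml:lang="en">Example University</md:OrganizationName><md:OrganizationName xml:lang="it">Università di Esempio</md:OrganizationName>
  <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName><md:OrganizationDisplayName xml:lang="it">Università di Esempio</md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="en">https://example.org/en</md:OrganizationURL><md:OrganizationURL xml:lang="it">https://example.org/it</md:OrganizationURL>
 </md:Organization>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-support@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for rule, message in lint_idp_metadata(SAMPLE) or [("OK", "metadata passes every check")]:
        print(rule, message)
```

Run it against a real IdP's published metadata by passing the file contents to lint_idp_metadata(); a clean result is a precondition, not a substitute, for the federation's own registration checks (the Scope/WHOIS verification in particular is done by the IDEM operators).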

Service Provider

Metadata (SP-MD)

The following requirements are related to the metadata of a Service Provider (SP).

SP-MD01 - validUntil

validUntil, attribute defined in the element <md:EntityDescriptor>, MUST be removed along with its value as it will be replaced by the IDEM Federation.

[TOP]

SP-MD02 - entityID

entityID, attribute defined in the element <md:EntityDescriptor>, MUST be a URI with a maximum length of 256 characters.

If the entityID URI is a URL it SHOULD return the entity metadata.

Example:

entityID="https://sp.example.org/shibboleth"

[TOP]

SP-MD03 - DisplayName & ServiceName

<mdui:DisplayName>, defined in the element <mdui:UIInfo>, and <md:ServiceName>, defined in the element <md:AttributeConsumingService> MUST:

  • contain the name of the service that will be displayed to the users. WARNING: the name MUST NOT contain either the reserved words "IDEM" or "eduGAIN";
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<mdui:DisplayName xml:lang="en">Resource provided by Example Organization</mdui:DisplayName>
<mdui:DisplayName xml:lang="it">Risorsa erogata da Organizzazione di Esempio</mdui:DisplayName>

[TOP]

SP-MD04 - Description & ServiceDescription

<mdui:Description>, defined in the element <mdui:UIInfo>, and <md:ServiceDescription>, defined in the element <md:AttributeConsumingService> MUST:

  • contain a brief description of the service;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 1024 characters is not exceeded

Example:

<mdui:Description xml:lang="en">The resource allows you to ...</mdui:Description>
<mdui:Description xml:lang="it">La risorsa ti permette di ...</mdui:Description>

[TOP]

SP-MD05 - InformationURL

<mdui:InformationURL>, defined in the element <mdui:UIInfo>, MUST:

  • contain the URL of the Information page of the service;
  • be available in both Italian and English languages.

For the actual content of the page refer to SP-FED02.

Example:

<mdui:InformationURL xml:lang="en">https://...info page in english...</mdui:InformationURL> 
<mdui:InformationURL xml:lang="it">https://...informativa in italiano...</mdui:InformationURL>

[TOP]

SP-MD06 - PrivacyStatementURL

<mdui:PrivacyStatementURL>, defined in the element <mdui:UIInfo>, MUST:

  • contain the URL of the Privacy Policy of the service;
  • be available in both Italian and English languages.

For the actual content of the page refer to SP-FED03.

Example:

<mdui:PrivacyStatementURL xml:lang="en">https://...privacy policy in english...</mdui:PrivacyStatementURL>  
<mdui:PrivacyStatementURL xml:lang="it">https://...privacy policy in italiano...</mdui:PrivacyStatementURL>

[TOP]

SP-MD07 - Logo

<mdui:Logo>, defined in the element <mdui:UIInfo>, MUST:

  • contain at least one https:// URL pointing to the logo of the organisation.

It is RECOMMENDED that:

  • the logo is in PNG format (on transparent background);
  • two logos are published:
    • 16x16 pixel (or bigger but respecting the same aspect-ratio)
    • 80x60 pixel (or bigger but respecting the same aspect-ratio)

Example:

<mdui:Logo width="64" height="64">https://...logo.png</mdui:Logo>

[TOP]

SP-MD08 - KeyDescriptor

The metadata of the entity MUST define at least one <md:KeyDescriptor> element with the following requirements:

  • with no further attributes or only the attribute use="encryption"
  • contain an X.509 certificate in PEM format as reported into SP-FED05;
<md:KeyDescriptor use="encryption">
   <ds:KeyInfo> 
      <ds:X509Data> 
         <ds:X509Certificate>
            MII[..]
         </ds:X509Certificate>
      </ds:X509Data>
   </ds:KeyInfo>
</md:KeyDescriptor>

If "Single Logout" is supported by the Service Provider a further <md:KeyDescriptor> element with attribute use="signing" MUST be present.

[TOP]

SP-MD09 - RequestedAttribute

<md:RequestedAttribute> , defined in the element <md:AttributeConsumingService>, MUST:

  • contain the set of SAML attributes required by the resource to work properly;
  • define the attributes that are required to get access to the resource with the property isRequired="true";
  • define the attributes that are desired when accessing the resource with the property isRequired="false".

Example:

<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>

[TOP]

SP-MD10 - OrganizationName

<md:OrganizationName> , defined in the element <md:Organization>, MUST:

  • contain the name of the organisation to which the service belongs;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<md:OrganizationName xml:lang="en">Example Organization</md:OrganizationName> 
<md:OrganizationName xml:lang="it">Organizzazione di Esempio</md:OrganizationName>

[TOP]

SP-MD11 - OrganizationDisplayName

<md:OrganizationDisplayName> , defined in the element <md:Organization>, MUST:

  • contain the name of the organisation that will be shown in the user interface;
  • be available in both Italian and English languages.

It is RECOMMENDED that:

  • the maximum limit of 256 characters is not exceeded

Example:

<md:OrganizationDisplayName xml:lang="en">Resource provided by Example University</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="it">Risorsa erogata da Università di Esempio</md:OrganizationDisplayName>

[TOP]

SP-MD12 - OrganizationURL

<md:OrganizationURL>, defined in the element <md:Organization>, MUST:

  • contain the URL of the main site of the Organisation to which the service belongs;
  • be available in both Italian and English languages.

Example:

<md:OrganizationURL xml:lang="en">https://...institutional site in english...</md:OrganizationURL> 
<md:OrganizationURL xml:lang="it">https://...sito istituzionalein italiano...</md:OrganizationURL>

[TOP]

SP-MD13 - ContactPerson

The metadata of the entity MUST define at least one <md:ContactPerson> element with the following requirements:

  • contain the e-mail address of the technical contact of the service in the mailto: format;
  • contain the attribute contactType="technical".

It is RECOMMENDED to use an impersonal e-mail address (for example a mailing-list).

Example:

<md:ContactPerson contactType="technical">
   <md:EmailAddress>mailto:mailing-list@domain</md:EmailAddress>
</md:ContactPerson>

[TOP]

Federation (SP-FED)

The requirements listed below are dictated by IDEM Federation and are intended for Service Providers.

SP-FED01 - Data received from IdPs

In IDEM every Service Provider receives by default the following data from every Identity Provider:

  1. A unique, persistent, targeted identifier of the user:
    • persistent-id (persistent NameID) (or the attribute eduPersonTargetedID if the IdP cannot release a NameID)
  2. The scoped affiliation of the user:
    • affiliation (eduPersonScopedAffiliation) (see the Attributo Affiliazione page)

Example of idp data released to sp.aai-test.garr.it:

affiliation = member@aai-test.garr.it;staff@aai-test.garr.it
persistent-id = https://garr-idp-test.irccs.garr.it/idp/shibboleth!https://sp.aai-test.garr.it/shibboleth!eYfN....Q1rU=

Any further attribute required to access a Service Provider has to be properly motivated by sending an e-mail to idem-help@garr.it.

[TOP]

SP-FED02 - Web page for Information to the users

Every Service Provider MUST publish a web page in Italian and English language containing:

  1. the description of the service
  2. the intended audience
  3. the Name of the Organization providing the service
  4. a reference/pointer to the user support service (for example: an email address, a web page, a web form, etc)
  5. a reference/pointer to the page about the processing of personal data as indicated by <mdui:PrivacyStatementURL> (SP-MD06), if possible using the same URL.

[TOP]

SP-FED03 - Web page about the processing of personal data

A Web page about the processing of personal data MUST contain all the information required by articles 13 and 14 of the Regulation (EU) 2016/679.

It is strongly suggested to follow the REFEDS guidelines for Service Providers:

https://wiki.refeds.org/display/CODE/Privacy+policy+guidelines+for+Service+Providers

[TOP]

SP-FED04 - Login Page / Discovery Service

The access page to a federated resource in IDEM MUST contain:

  • the list of eligible IdPs from the IDEM Federation and eduGAIN;
  • a reference/pointer to the page about the Information to the users (SP-MD05)

It is strongly suggested to follow REFEDS Best Practices when implementing federated access to a resource: https://discovery.refeds.org/

[TOP]

SP-FED05 - Requirements for Certificates used in Metadata

Certificates included in the metadata of the entity MUST have the following properties:

  • long-term validity (expiration in 30 years);
  • self-signed;
  • valid, i.e. not yet expired;
  • not signed with an algorithm based on a deprecated hash function (MD5 or SHA-1);
  • associated with a private key of at least 3072 bit.

In any case, the private key MUST NOT be shorter than 2048 bit.

[TOP]
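Every property listed in IDP-FED05 and SP-FED05 can be read straight out of the certificate published in <ds:X509Certificate>. The script below is an added example written for this page, not an IDEM tool: it decodes the base64 DER value with a minimal standard-library DER walker and reports which of the rules fail. "Self-signed" is tested as issuer name equal to subject name, the usual quick check, without verifying the signature. The two sample certificates are constructed inside the script (syntactically valid X.509, dummy signature value) so that it runs offline; their names, key sizes and signature OIDs are assumptions chosen to exercise the rules, and the function names are illustrative.

```python
"""Check a certificate taken from <ds:X509Certificate> against the IDEM rules for
certificates in metadata (IDP-FED05 / SP-FED05).  Added example, stdlib only: a
minimal DER walker reads just the fields the rules need.  "Self-signed" means
issuer == subject here (the usual quick check; the signature is not verified)."""
import base64
import datetime as dt

RSA_OID, UTC = "1.2.840.113549.1.1.1", dt.timezone.utc
DEPRECATED_SIG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # signature algorithm OIDs
                  "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # whose hash is MD5 or SHA-1
                  "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def der_read(buf, pos=0):
    """Return (tag, content, end) of the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0        # first octet packs arcs 1 and 2
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):                                # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)

def check_metadata_cert(b64, now=None):
    """Rule violations for a base64 DER certificate (whitespace allowed); [] is a pass."""
    _, cert, _ = der_read(base64.b64decode("".join(b64.split())))
    fields = der_children(der_children(cert)[0][1])        # TBSCertificate
    fields = fields[fields[0][0] == 0xA0:]                  # drop the explicit [0] version if present
    _serial, sig_alg, issuer, validity, subject, spki = fields[:6]
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    not_before, not_after = [decode_time(t, b) for t, b in der_children(validity[1])]
    key_alg, key_bits = der_children(spki[1])               # AlgorithmIdentifier, BIT STRING
    key_oid, bits = decode_oid(der_children(key_alg[1])[0][1]), None
    if key_oid == RSA_OID:                                  # RSAPublicKey ::= SEQUENCE {n, e}
        modulus = der_children(der_children(key_bits[1][1:])[0][1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
    checks = [
        (issuer[1] != subject[1], "not self-signed (issuer differs from subject)"),
        (not not_before <= (now or dt.datetime.now(UTC)) <= not_after, "expired or not yet valid"),
        ((not_after - not_before).days < 29 * 365, "validity period shorter than 30 years"),
        (sig_oid in DEPRECATED_SIG, f"signature algorithm {DEPRECATED_SIG.get(sig_oid)} uses a deprecated hash"),
        (bits is None, f"key algorithm {key_oid} is not handled by this check"),
        (bits is not None and bits < 2048, f"RSA key of {bits} bit is below the 2048-bit floor"),
        (bits is not None and 2048 <= bits < 3072, f"RSA key of {bits} bit is below the 3072-bit target"),
    ]
    return [message for failed, message in checks if failed]

def der(tag, payload):                                     # encoder, used only for the constructed samples
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def enc_int(n):                                            # positive INTEGER, sign bit kept clear
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def enc_time(t):                                           # RFC 5280: GeneralizedTime from 2050 on
    return der(0x17 if t.year < 2050 else 0x18, t.strftime("%y%m%d%H%M%SZ" if t.year < 2050 else "%Y%m%d%H%M%SZ").encode())

def enc_name(cn):                                          # Name ::= SEQUENCE OF SET OF (cn OID, value)
    return der(0x30, der(0x31, der(0x30, enc_oid("2.5.4.3") + der(0x0C, cn.encode()))))

def sample_cert(subject, issuer, key_bits, sig_oid, years):
    """Constructed, syntactically valid certificate with a dummy signature."""
    start = dt.datetime(2024, 1, 1, tzinfo=UTC)
    alg = der(0x30, enc_oid(sig_oid) + der(0x05, b""))
    rsa = der(0x30, enc_int((1 << (key_bits - 1)) | 1) + enc_int(65537))
    spki = der(0x30, der(0x30, enc_oid(RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
    tbs = der(0x30, der(0xA0, enc_int(2)) + enc_int(1) + alg + enc_name(issuer)
              + der(0x30, enc_time(start) + enc_time(start.replace(year=2024 + years)))
              + enc_name(subject) + spki)
    return base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00" * 17))).decode()

NOW = dt.datetime(2024, 6, 1, tzinfo=UTC)                  # fixed clock so the results are reproducible
GOOD = sample_cert("sp.example.org", "sp.example.org", 3072, "1.2.840.113549.1.1.11", 30)
BAD = sample_cert("sp.example.org", "ca.example.org", 2048, "1.2.840.113549.1.1.5", 1)
WEAK = sample_cert("idp.example.org", "idp.example.org", 1024, "1.2.840.113549.1.1.11", 30)
```

To check a real entity, pass the text of its <ds:X509Certificate> element (line breaks included) to check_metadata_cert() with no clock argument; GOOD returns an empty list, BAD lists the CA-issued, SHA-1, one-year, 2048-bit findings, and WEAK trips the 2048-bit floor. The 3072-bit target and the 2048-bit floor are reported as separate findings so that the RECOMMENDED and the absolute limit stay distinguishable.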

Example of Service Provider Metadata

<md:EntityDescriptor entityID="https://sp.example.com/shibboleth"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
         <init:RequestInitiator
            xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
            Location="https://sp.example.com/Shibboleth.sso/Login" />
         <idpdisc:DiscoveryResponse
            xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://sp.example.com/Shibboleth.sso/DS" index="1" />
         <mdui:UIInfo>
            <mdui:DisplayName xml:lang="en">ENG DISPLAY NAME</mdui:DisplayName>
            <mdui:DisplayName xml:lang="it">ITA DISPLAY NAME</mdui:DisplayName>
            <mdui:Description xml:lang="en">ENG DESCRIPTION</mdui:Description>
            <mdui:Description xml:lang="it">ITA DESCRIPTION</mdui:Description>
            <mdui:InformationURL xml:lang="en">HTTPS ENG INFORMATION PAGE URL</mdui:InformationURL>
            <mdui:InformationURL xml:lang="it">HTTPS ITA INFORMATION PAGE URL</mdui:InformationURL>
            <mdui:Logo height="64" width="64">HTTPS RESOURCE LOGO PNG</mdui:Logo>
            <mdui:PrivacyStatementURL xml:lang="en">HTTPS ENG PRIVACY POLICY PAGE URL</mdui:PrivacyStatementURL>
            <mdui:PrivacyStatementURL xml:lang="it">HTTPS ITA PRIVACY POLICY PAGE URL</mdui:PrivacyStatementURL>
         </mdui:UIInfo>
      </md:Extensions>
      <md:KeyDescriptor>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>
                  MII...
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://sp.example.com/Shibboleth.sso/SLO/Redirect" />
      <md:SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://sp.example.com/Shibboleth.sso/SLO/POST" />
      <md:AssertionConsumerService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://sp.example.com/Shibboleth.sso/SAML2/POST"
         index="1" />
      <md:AttributeConsumingService index="1">
         <!-- example for the required attribute: mail -->
         <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            isRequired="true" />
         <!-- example for the desired attribute: eduPersonPrincipalName -->
         <md:RequestedAttribute FriendlyName="eppn"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            isRequired="false" />
      </md:AttributeConsumingService>
   </md:SPSSODescriptor>
   <md:Organization>
      <md:OrganizationName xml:lang="en">ENG ORGANIZATION NAME</md:OrganizationName>
      <md:OrganizationName xml:lang="it">ITA ORGANIZATION NAME</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">ENG ORGANIZATION DISPLAY NAME</md:OrganizationDisplayName>
      <md:OrganizationDisplayName xml:lang="it">ITA ORGANIZATION DISPLAY NAME</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">ENG ORGANIZATION URL</md:OrganizationURL>
      <md:OrganizationURL xml:lang="it">ITA ORGANIZATION URL</md:OrganizationURL>
   </md:Organization>
   <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:technical.contact.mailing.list@example.org</md:EmailAddress>
   </md:ContactPerson> 
</md:EntityDescriptor>

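The following check script is an added example, not code from the IDEM profile or its tooling: it parses SP metadata of the shape shown above and reports where a given entity departs from that shape. The sample metadata is constructed, and the element set it checks (bilingual mdui elements, HTTPS endpoints, an X.509 certificate, a RequestedAttribute, a technical contact written with the mailto: prefix) is taken from the example rather than from the profile's normative text.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
LANG = "{http://www.w3.org/XML/1998/namespace}lang"
UI = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:"
# UIInfo elements that the example metadata supplies in both English and Italian.
BILINGUAL = [UI + n for n in ("DisplayName", "Description", "InformationURL", "PrivacyStatementURL")]
# Constructed sample (not from the page) with three deliberate defects: no Italian
# DisplayName, a plain-HTTP SLO endpoint and a contact address without "mailto:".
SAMPLE = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Sample SP</mdui:DisplayName>
   <mdui:Description xml:lang="en">Constructed sample</mdui:Description>
   <mdui:Description xml:lang="it">Esempio costruito</mdui:Description>
   <mdui:InformationURL xml:lang="en">https://sp.example.org/info</mdui:InformationURL>
   <mdui:InformationURL xml:lang="it">https://sp.example.org/info-it</mdui:InformationURL>
   <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
   <mdui:PrivacyStatementURL xml:lang="it">https://sp.example.org/privacy-it</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  <md:AttributeConsumingService index="1"><md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/></md:AttributeConsumingService>
 </md:SPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>tech@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
def check_sp_metadata(xml_text):
    """Return the problems found; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    problems = []
    for path in BILINGUAL:
        langs = {e.get(LANG) for e in root.findall(path, NS)}
        problems += [f"{path.rsplit(':', 1)[1]} missing xml:lang={l}" for l in ("en", "it") if l not in langs]
    for e in root.iter():  # every endpoint in the example is served over HTTPS
        loc = e.get("Location")
        if loc and not loc.startswith("https://"):
            problems.append(f"{e.tag.rsplit('}', 1)[1]} Location not HTTPS: {loc}")
    if root.find("md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no X509Certificate in KeyDescriptor")
    if root.find("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS) is None:
        problems.append("no RequestedAttribute in AttributeConsumingService")
    mails = root.findall("md:ContactPerson[@contactType='technical']/md:EmailAddress", NS)
    problems += ["no technical ContactPerson"] if not mails else [
        f"EmailAddress without mailto: prefix: {m.text}" for m in mails if not (m.text or "").startswith("mailto:")]
    return problems
```

Running `check_sp_metadata(SAMPLE)` lists the three seeded defects; the same function returns an empty list once they are corrected.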