...
| Current Section of SAML Technical Profile | Purpose | References | OpenID Interpretation | Notes |
|---|---|---|---|---|
| Overview | General overview of the document, but framed in SAML language. | Operational Practice Statement for SAML: Operational Practice Statement - SAML profile; Metadata Aggregation Practice Statement for SAML: Metadata Aggregation Practice Statement; eduGAIN Best Current Practice as a SHOULD (CoCo, Sirtfi, R&S). | | |
| Metadata Registration Practice Statement | Information on what is expected of the process by which an entity is registered into a federation metadata stream. | Metadata Registration Practice Statement; ShibMD for scope information. | Currently relies on a non-machine-readable document, and we do not have any strong requirements over what it must include; this is left to federations to describe local practice. Does this still meet the objectives, or is another approach required? Note that it is only a template, not a set of standards / requirements. The current MRPS only speaks to SAML requirements. | |
| SAML Metadata Production | Basic requirements on how federation metadata is formed, and minimum standards for the metadata published by the federation. | eduGAIN Metadata Aggregation Practice Statement; md / mdui / mdrpi. | Has some requirements for the overall federation metadata and also places some requirements on information about individual entities, although the current focus is on information about the organisation and its identity. Would additional items (e.g. privacy notice, security contact) sit here? | |
| SAML Metadata Signing | Requirements for metadata signing. | SAML V2.0 Metadata Interoperability Profile Version 1.0; Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0; eduGAIN Metadata Aggregation Practice Statement. | | |
| SAML Metadata Publication | Information on how metadata should be published back to entities by federations, and how it should be consumed. | | | |
| Participant Federation Requirements | Basic description of how the metadata set is registered. | mdrpi for registrationAuthority. | | |
| Adherence | Process for monitoring and addressing non-compliance with the requirements set out. A series of BCPs are mentioned here; this is probably not the best approach and offers little in terms of incentives to enforce. | eduGAIN Metadata Validator | What would this look like for OIDC? | |
| Mandatory Entity Requirements | This does not currently exist, but the suggestion of introducing a privacy statement and Sirtfi as mandatory requirements would require it to be added. Should this be part of the metadata production requirements, or separate? Proposed new requirements for the SAML Profile: https://refeds.org/metadata/contactType/security; mdui:PrivacyStatementURL; https://refeds.org/assurance (e.g. core conformance criteria for baseline only). | n/a | n/a | |