This page presents the requirements from the reference specification fulfilled by GEANT IdPaaS proof of concept. The page can be used as a reference for those that plan to build an IdP PaaS solution. Please note that this work informed the IdP PaaS Reference Design documentation.
Content:
The platform must provide a function to create a new IdP, which results in an deployed IdP configured based on user input.
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| IC1 | Accept user input | The platform MUST accept user input for IdP configuration for all values defined as configurable in section IdP requirements | |
| IC2 | Unique entity ID | A new entity ID MUST NOT already exist in eduGAIN, nor in any national federation | |
| IC3 | Non-reusable entity ID | A new entity ID MUST NOT be equal to one issued previously by this platform |
The platform must provide a function to delete an existing IdP to delete a formerly created IdP entirely.
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| ID1 | Complete deletion | It MUST be possible to delete an IdP and non-technical data upon request. This includes at least:
| |
| ID2 | Delayed deletion | Once deletion is triggered the IdP MUST be deactivated, but MUST NOT be deleted for a retention period of three months. | |
| ID3 | Delete notification | The administrator and technical contacts of an IdP MUST be notified immediately once deletion is requested. | |
| ID4 | IdP recovery | The administrator MUST be able to recover and reactivate an IdP within the retention period. |
The platform must provide a function to alter the configuration of an existing IdP without loss of user data.
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| IM1 | Edit configuration | Administrators MUST be able to change the IdP configuration for all values defined as configurable in section IdP requirements |
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| SP1 | Add and configure SPs | It MUST be possible to configure entities to be read from metadata | |
| SP2 | Attribute release policy | There MUST be an option to configure attributes released for
|
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| UM1 | Local user management | The solution MUST include a local user management to create, update and delete identities. | |
| UM2 | Remote user management | The solution MUST be capable to use identities from an existing user database at a remote location. |
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| AA1 | 2FA authentication | The access to the management interface MUST require at least a second factor. | |
| AA2 | Account recovery | The software SHOULD NOT offer a self service to recover administrative accounts. |
| ID | Requirement | Description | samlidp.io |
|---|---|---|---|
| SD1 | Operational documentation | The deployment MUST be sufficiently documented so that it can be performed easily and independently. | |
| SD2 | Automatic deployment | Deploying the software itself SHOULD be automated. |
The following requirements apply to the hosted IdP itself.
This category defines requirements for the authentication performed by the IdP.
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| AU1 | Handle SAML authentication | The IdP MUST be able to handle SAML2 authentication | No | |
| AU2 | Common standards | IdP MUST adhere to saml2int, and relevant eduGAIN profiles | No | |
| AU3 | No SAML1 | IdP MUST NOT be able to handle SAML1 authentication | No | |
| AU4 | Identifier support | The IdP MUST support the following identifier types:
| No | |
| AU5 | eduPerson support | The IdP MUST support the following eduPerson attributes:
| No | |
| AU6 | SCHAC support | The IdP MUST support the following SCHAC attributes:
| No | |
| AU7 | eduMember support | The IdP MUST support the following eduMember attributes:
| No | |
| AU8 | Force Authn | The IdP MUST support SAML Force authentication | No | |
| AU9 | SSO session time | The IdP MUST support SSO, session time must be configurable | Yes | |
| AU10 | Authentication Context | The IdP MUST support providing LoA information through Authentication Class Context ref | No |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| CH1 | Local Credential Source | The IdP MUST allow for credentials to be provided locally | Yes | |
| CH2 | Passwords | The IdP MUST support use of passwords for authentication | No | |
| CH3 | Encryption | All locally stored and or cached personal data of end users MUST be stored encrypted where the encryption key is the SHA256 over the password or tokenid | No |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| AR1 | R&E Entity categories | The IdP MUST be able to use commonly used categories like R&S and SIRTFI to be used as filter for attribute release policy | Yes | |
| AR2 | SP metadata attributes | The product MUST support release of attributes based on SP metadata requirements | Yes | |
AR3 | Per SP attributes | The product MUST support release of attributes based on per SP basis (configured manually) | Yes | |
| AR4 | Attribute value filtering | The product MAY support filtering of attribute values (e.g. for affiliation) on a per SP basis | No |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| UM1 | Local GUI | A local per customer GUI MUST be provided to manage users in the local user store if so configured | Yes | |
| UM2 | Local GUI AuthN | Authentication for the a local GUI MUST NOT use any of the IdPs on the platform | No | |
| UM3 | Local Password reset | A password reset function MUST be provided for users based on the email stored in the local store | Yes |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| MP1 | Publish SAML metadata | The product MUST publish SAML metadata for the entity | No | |
| MP2 | R&E Entity categories | The product MUST allow publishing of specific entity categories:
| Yes |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| MC1 | Consume entity XML metadata | The product MUST allow importing an entity XML | Yes | |
| MC2 | Consume entity metadata through URL | The product MUST allow importing URL based metadata | Yes | |
| MC3 | Consume entities metadata through MDQ | The IdP MUST be able to consume metadata via MDQ | Yes |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| LO1 | Transaction logging | The product MUST support logging authN transaction in a separate log | No | |
| LO2 | Error logging | The product MUST support logging errors in a separate log | Yes | |
| LO3 | Log persistence | Logs MUST be deleted automatically after a given time. Time must be configured on a per log basis. | No | |
| LO4 | Log retrieval | Logs MUST be downloadable by an appropriate admin | No | |
| LO5 | Secure logs | Platform admin MUST NOT have access to user data | No |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| ST1 | Per SP transactions | The IdP MUST provide transactions per SP over a given period of time (day/month/week/year) | No | |
| ST2 | Transaction Aggregates | The IdP must provide aggregated transactions over a given period (day/month/week/year) | No | |
| ST3 | Fticks ready | Product SHOULD preconfigure IdP with Fticks support | Yes |
| ID | Requirement | Description | Configurable | samlidp.io |
|---|---|---|---|---|
| BC1 | IdP displayname | IdP MUST have a multi language displayname | Yes | |
| BC2 | Logo | IdP MUST have a logo | Yes | |
| BC3 | Admin contact | IdP MUST have an administrative contact | Yes | |
| BC4 | Tech contact | IdP MUST have an technical contact | Yes | |
| BC5 | Support contact | IdP MUST have an end user support contact | Yes | |
| BC6 | Security contact | IdP MAY have a security support contact | Yes |