Customer Metadata Requirements
The requirements for service provider metadata for integrating with the Enterprise Authentication Service are listed below. Meeting them provides a number of critical benefits, including greatly reducing the time needed to configure the integration and allowing service providers to be the owners of their own contact information.
| # | Requirement | Rationale | Priority | Reference |
|---|---|---|---|---|
| 1 | Metadata has encryption certificate | This enables SAML assertions to be encrypted within the SAML response. | Must have¹ | See https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAndNetworking#SecurityAndNetworking-SPSigningandBack-ChannelTLSKeysandCertificates |
| 2 | Metadata has signing certificate | This ensures that communicating entities can verify each other's identity programmatically. | Must have¹ | See https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAndNetworking#SecurityAndNetworking-SPEncryptionKeyandCertificate |
| 3 | Metadata passes schema validation | This ensures metadata interoperability as we process it and enables future extensibility for other metadata-managing services we may employ. | Must have | Customer metadata must be schema-valid according to https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd. One way to validate is to use the XMLSecTool available at https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home. |
| 4 | Metadata is signed | Provides additional security around the metadata source. | Nice to have | See https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness#MetadataCorrectness-SignatureVerification |
| 5 | Contacts and Organization | These contacts will be our source of contact information. This is how we will contact service owners regarding their SSO integration with Enterprise Authentication. | Must have | See https://wiki.shibboleth.net/confluence/display/CONCEPT/Metadata#Metadata-ContactsandOrganizations |
| 6 | Service Provider is part of a federation that we consume | This reduces the overhead of managing metadata. It also guarantees compliance with the above requirements. | Nice to have | See https://www.incommon.org/federation/ |
| 7 | Metadata requests attributes | This supports metadata-driven configuration. | Future enhancement | |
Metadata correctness guidelines and examples can be found at https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness.
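As an added example (not part of the original page or of the Shibboleth project), the following standard-library Python script checks a service provider's metadata against requirements 1, 2, 4, 5 and 7 from the table above. Schema validation (requirement 3) is left to XMLSecTool or an XSD-aware library; the sample metadata and its certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (placeholder certificate, not a real key).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:sso-admin@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text: str) -> dict:
    """Map each checkable requirement from the table to True/False for one SP entity."""
    root = ET.fromstring(xml_text)
    md_entity = "{%s}EntityDescriptor" % NS["md"]
    # Accept either a bare EntityDescriptor or the first one inside an EntitiesDescriptor.
    sp = root if root.tag == md_entity else root.find("md:EntityDescriptor", NS)
    sso = sp.find("md:SPSSODescriptor", NS) if sp is not None else None
    if sso is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    uses = set()
    for kd in sso.findall("md:KeyDescriptor", NS):
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            continue  # a KeyDescriptor without a certificate satisfies neither requirement
        # Per the SAML metadata spec, a KeyDescriptor with no 'use' attribute serves both purposes.
        uses |= {"signing", "encryption"} if kd.get("use") is None else {kd.get("use")}
    return {
        "encryption_certificate": "encryption" in uses,
        "signing_certificate": "signing" in uses,
        "metadata_signed": sp.find("ds:Signature", NS) is not None,
        "contacts_and_organization": sp.find("md:Organization", NS) is not None
                                     and sp.find("md:ContactPerson", NS) is not None,
        "requests_attributes": sso.find("md:AttributeConsumingService", NS) is not None,
    }

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA))
```

Presence of a `ds:Signature` element only shows that the metadata carries a signature; verifying it against a trusted key is a separate step covered by the signature-verification reference in the table.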