This site requires JavaScript to be enabled
Welcome Guest|
Recent searches
IE BUMPER

Customer Metadata Requirements

Number of views : 0
Article Number : KB0017671
Published on : 2021-09-09
Last modified : 2021-09-09 14:34:34
Knowledge Base : IT Public Self Help

The requirements for service provider metadata for integrating with the Enterprise Authentication Service are below. The requirements provide a number of critical benefits including greatly reducing the time needed to configure the integration and allows service providers to be the owners of their own contact information.


# Title User Story Importance Notes
1 Metadata has encryption certificate This enables SAML assertions to be encrypted within the SAML response. Must have1 See SP Signing and Back-Channel TLS Keys and Certificates on https://shibboleth.atlassian.net/wiki/spaces/IDP30/pages/2495381844/SecurityAndNetworking#SecurityAndNetworking-SPSigningandBack-ChannelTLSKeysandCertificates
2 Metadata has signing certificate This ensures that communicating entities can verify each other's identity programmatically. Must have1 See SP Encryption Key and Certificate on https://shibboleth.atlassian.net/wiki/spaces/IDP30/pages/2495381844/SecurityAndNetworking#SecurityAndNetworking-SPEncryptionKeyandCertificate
3 Metadata passes schema validation This ensures metadata interoperability as we process it and enables future extensibility for other metadata-managing services we may employ. Must have

Customer metadata must be schema-valid according to https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.

One way to validate is to use the XMLSecTool available at https://shibboleth.atlassian.net/wiki/spaces/XSTJ3/overview.

4 Metadata is signed Provides additional security around the metadata source. Nice to have See Signature Verification on https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645443/MetadataCorrectness#MetadataCorrectness-SignatureVerification
5 Contacts and Organization These contacts will be our source of contact information. This is how we will contact service owners regarding their SSO integration with Enterprise Authentication. Must have See Contacts and Organizations on https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645459/Metadata#Metadata-ContactsandOrganizations
6 Service Provider is part of a federation that we consume This reduces the overhead of managing metadata. It also guarantees compliance with above requirements. Nice to have See https://www.incommon.org/federation/
7 Metadata requests attributes This supports metadata-driven configuration Future enhancement


Metadata correctness guidelines and examples can be found at https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645443/MetadataCorrectness.


Footnotes

1: Some SAML SPs use the same certificates for signing and encryption. This is not uncommon and allowable in the SAML specification. Of those SPs, some combine both certificates into the same element in their metadata. This is also valid per the specification and does meet the Customer Metadata Requirements. Please refer to Encryption KeyDescriptor Type on https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/948470554/SAMLKeysAndCertificates#SAMLKeysAndCertificates-EncryptionKeyDescriptorType for more information.

Thank You! Your feedback has been submitted.

Feedback