eduID.cz metadata profile

SAML entities of eduID.cz members provide their metadata conforming to Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 and OASIS SAML V2.0 Metadata Interoperability Profile Version 1.0. In addition, their metadata must fulfill to the requirements specified in this document.

XML namespaces used

PrefixNamespace URL
mdurn:oasis:names:tc:SAML:2.0:metadata
mdrpiurn:oasis:names:tc:SAML:metadata:rpi
mduiurn:oasis:names:tc:SAML:metadata:ui
shibmdurn:mace:shibboleth:metadata:1.0

Common rules (both IdPs and SPs)

  1. the root element md:EntityDescriptor must contain the entityID attribute
    1. entityID must be defined as a URL with https scheme
    2. hostname in entityID URL must be a fully qualified domain name (IP address, „localhost“ and other reserved domain names according to RFC 2606 are not acceptable)
  2. endpoints
    1. must be defined as URLs with the https scheme
    2. their hostnames must be provided as fully qualified domain names
    3. the hostnames must be registered by the organization operating the pertinent Entity
  3. public keys of Entities
    1. should be provided as self-signed X.509 certificates (Note: eduID.cz stops publishing an EntityDescriptor as soon as the validity of any of its certificates becomes shorter than 30 days)
    2. should be RSA public keys with minimal length of 2048 bites
  4. element md:Organization
    1. Every md:EntityDescriptor must contain exactly one md:Organization element
    2. md:Organization describes organization operating the Entity, not project names, department names - for those use mdui elements
    3. md:Organization must contain element md:OrganizationName with the official name of the organization operating the Entity in English and in Czech, usage of abreviation is strongly unrecommended
    4. md:Organization must contain element md:OrganizationDisplayName with the commonly recognized name of the organization operating the Entity in English and in Czech, usage of abreviation and legal form is strongly unrecommended
    5. md:Organization must contain element md:OrganizationURL specifying the location with additional information about the organization operating the Entity in English and in Czech
  5. md:ContactPerson
    1. every md:EntityDescriptor must contain at least one element md::ContactPerson with contactType=„technical“ containing md:GivenName, md:SurName and md:EmailAddress refering to a technical contact person with a working email address
  6. Role Descriptors
    1. each md:IDPSSODescriptor, md:SPSSODescriptor, md:AttributeAuthorityDescriptor should contain md:Extensions with mdui:UIInfo containing at least the following elements:
      1. mdui:DisplayName with the display name of the entity in English and in Czech, usage of abreviation and legal form is strongly unrecommended
      2. mdui:Description with the description name of the entity in English and in Czech

Identity Providers

  1. md:IDPSSODescriptor
    1. must contain md:Extensions containing shibmd:Scope
      • the value of shibmd:Scope must be unique - preferably the main registered DNS domain of the organization operating the pertinent IdP
    2. at least one md:NameIDFormat
      • at least one md:NameIDFormat must be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      • at least one md:NameIDFormat should be urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, it is strogly advised to support persistent NameIDFormat
    3. must contain md:Extensions with mdui:UIInfo containing
      1. mdui:DisplayName with the commonly recognized name of the organization operating the Entity in English and in Czech
        • usage of abreviation is strongly unrecommended
        • usage of legal form is strongly unrecommended
        • if there are any organization units, they should be writen from most significant to less significant (ie. CESNET, Department of Standartization)
      2. mdui:Description with short description of the purpose of IdP in English and in Czech
      3. mdui:InformationURL with URL holding more informations about the IdP in English and in Czech, not about the organization running the IdP
      4. mdui:Logo with HTTPS (!) URL holding logo of the organization operating the Entity
        • English and Czech version of the logo is posible if needed
        • there should be at least one version of the logo disignated to WAYF/DS operated by eduID.cz with height 40px
      5. entity requesting to be republished into eduGAIN must provide those elements

Service Provider

  1. md:SPSSODescriptor
    1. must contain md:Extensions with mdui:UIInfo containing
      1. mdui:DisplayName with the display name of the entity in English and in Czech, ussage of abreviation and legal form is strongly unrecommended
      2. mdui:Description with the description of the entity in English and in Czech
        • this information might be used at an IdP to inform users about purpose of the SP
      3. mdui:InformationURL with URL holding more informations about the SP in English and in Czech, not about the organization running the SP
    2. each md:SPSSODescriptor should contain md:AttributeConsumingService that lists all attributes requested by this SP as md:RequestedAttribute element with isRequired=„true“ for required attributes and isRequired=„false“ for just usefull attributes