Federation Operator Practice: Metadata Registration Practice Statement

Similar documents
Federation Operator Practice: Metadata Registration Practice Statement

Federation Operator Practice: Metadata Registration Practice Statement

edugain Policy Framework SAML Profile

Request for Comments: ISSN: S. Cantor Shibboleth Consortium August 2018

GrIDP: Grid IDentity Pool Federation

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Rowing Canada Aviron. Online Registration System - Protection of Personal Privacy. Policy Statement

VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT

REGISTRAR CODE OF PRACTICE

SELF SERVICE INTERFACE CODE OF CONNECTION

TECHNICAL GUIDE SSO SAML Azure AD

Hong Kong Access Federation (HKAF) Identity Provider Management Standard Version 1.0

Oracle Utilities Opower Solution Extension Partner SSO

Identity Federation Requirements

BELNET R&E federation Technical policy

(1) Jisc (Company Registration Number ) whose registered office is at One Castlepark, Tower Hill, Bristol, BS2 0JA ( JISC ); and

Administration of PEFC scheme

Implementation profile for using OASIS DSS in Central Signing services

Registrar Code of Practice

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

SAML V2.0 EAP GSS SSO Profile Version 1.0

In this policy, whenever you see the words we, us, our, it refers to Ashby Concert Band Registered Charity Number

Privacy Policy. LAST UPDATED: 23 June March 2017

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

PayThankYou LLC Privacy Policy

Domain Names & Hosting

Privacy and WHOIS Data Policy

We reserve the right to modify this Privacy Policy at any time without prior notice.

Oracle Insurance Policy Administration Configuration of SAML 1.1 Between OIPA and OIDC

GÉANT Data Protection Code of Conduct SAML 2.0 profile

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Request for Comments: 5397 Category: Standards Track December 2008

WebDAV Current Principal Extension

Deployment Profile Template Version 1.0 for WS-Reliability 1.1

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

OIML-CS PD-05 Edition 2

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Video Services Forum Rules of Procedure

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence Detailed Version

Draft ETSI EN V1.0.0 ( )

Schedule Identity Services

Grid Security Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

Create Institutional Membership

3. Available Membership Categories and the associated services and benefits are published on the BMF website.

National Identity Exchange Federation. Terminology Reference. Version 1.0

Lightweight Machine to Machine Architecture

Internet Engineering Task Force (IETF) Category: Standards Track March 2011 ISSN:

South Hams Motor Club Our Privacy Policy. How do we collect information from you? What type of information is collected from you?

Digital Capability Locator Implementation Guide

Internet Streaming Media Alliance Ultravox Provisional Specification Version 1.0 November 2007

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Domain Hosting Terms and Conditions

Recommendations for Use of Personal Data

UWC International Data Protection Policy

Metadata for SAML 1.0 Web Browser Profiles

Conjure Network LLC Privacy Policy

SAML2 Metadata Exchange & Tagging

Level of Assurance Authentication Context Profiles for SAML 2.0

ING PUBLIC KEY INFRASTRUCTURE CODE OF CONDUCT FOR EMPLOYEE CERTIFICATES. Version November ING PKI Service

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Request for Comments: 3764 Category: Standards Track April enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record

Policy. London School of Economics & Political Science. Network Connection IMT. Jethro Perkins. Information Security Manager. Version 1.

ETSY.COM - PRIVACY POLICY

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

KMIP Opaque Managed Object Store Profile Version 1.0

TechTarget, Inc. Privacy Policy

ALGORITHMIC TRADING AND ORDER ROUTING SERVICES POLICY

Wireless Innovation Forum Contribution

ADGM Companies Regulations Registrar s General Rules And Powers: Guidelines (April 2015)

OpenOffice Specification Sample

TIA. Privacy Policy and Cookie Policy 5/25/18

Federated Authentication for E-Infrastructures

Guidelines for "Certificate of Security Handling during Information Exchange via EDI"

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Technical Trust Policy

.CAM Registry. GDPR integration. Version nd May CAM AC Webconnecting Holding B.V. Beurs plein AA Rotterdam

eidas Interoperability Architecture Version November 2015

This document is a preview generated by EVS

KMIP Storage Array with Self-Encrypting Drives Profile Version 1.0

Apple Inc. Certification Authority Certification Practice Statement

Request for Comments: 3861 Category: Standards Track August 2004

Polarr, Inc. ("us", "we", or "our") operates the Polarr Photo Editor mobile and desktop application (the "Service").

Data Access Policy ... WE ARE SUPPORTED BY THE UNIVERSITY OF ESSEX, THE ECONOMIC AND SOCIAL RESEARCH COUNCIL, AND JISC

Kerberos SAML Profiles

Security Guide Release 4.0

Completion instructions 1 (7) Application for message exchange with Finnish Customs

Category: Standards Track September MIB Textual Conventions for Uniform Resource Identifiers (URIs)

EU-US PRIVACY SHIELD POLICY (Updated April 11, 2018)

ACCEPTABLE USE POLICY

Internet Engineering Task Force (IETF) Updates: 5451 March 2012 Category: Standards Track ISSN:

Terms and Conditions

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement

Privacy Shield Policy

Oracle Utilities Opower Custom URL Configuration

Please let us know if you have any questions regarding this Policy either by to or by telephone

Apple Inc. Certification Authority Certification Practice Statement

Transcription:

eduid Luxembourg Federation Operator Practice: Metadata Registration Practice Statement Authors S. Winter Publication Date 2015-09-08 Version 1.0 License This template document is license under Creative Commons CC BY 3.0. You are free to share, re-use and adapt this template as long as attribution is given. This document draws heavily on work carried by the UK Access Management Federation and ACOnet in the development of their Metadata Registration Practice Statements.

Table of Contents 1. Definitions and Terminology... 3 2. Introduction and Applicability... 3 3. Member Eligibility and Ownership... 3 4. Entity Management... 4 Entity Change Requests... 4 Unsolicited Entity Changes... 4 5. Technology Profile SAML 2.0... 4 Canonical Name and <OrganizationName>... 4 SAML 2.0 Entity Validation... 4 Permitted content and formats of <EntityID>... 4 SAML 2.0 Metadata Validation... 5 6. References... 5

1. Definitions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. The following definitions are used in this document: Federation Federation Member Federation Operator Federation Policy Entity Registered Representatives Identity Federation. An association of organisations that come together to securely exchange information as appropriate about their users and resources to enable collaborations and transactions. An organisation that has joined the Federation by agreeing to be bound by the Federation Policy in writing. Organisation providing the infrastructure for Authentication and Authorisation to Federation Members. A document describing the obligations, rights and expectations of the federation members and the federation Operator. A discrete component that a member wishes to register and describe in metadata. This is typically an Identity Provider or Service Provider. Individuals authorised to act on behalf of the member. These may take on different roles with different rights attached to them. 2. Introduction and Applicability This document describes the metadata registration practices of the Federation Operator with effect from the publication date shown on the cover sheet. All new entity registrations performed on or after that date SHALL be processed as described here until the document is superseded. This document SHALL be published on the Federation website at: http://www.eduid.lu (section eduid.lu Policy ). 3. Member Eligibility and Ownership The procedure for becoming a member of the Federation is documented at: http://www.eduid.lu (Section Joining eduid.lu ). The membership process verifies that the prospective member has legal capacity, and requires that all members enter into a contractual relationship with the Federation Operator by agreeing to the Federation policy. The membership process also identifies and verifies Registered Representatives, who are permitted to act on behalf of the organisation in dealings with the Federation Operator. Verification is achieved by personal contact between the Federation Operator and the organization; exceptionally via email or phone. The process also establishes a canonical name for the Federation member. The canonical name of a member MAY change during the membership period, for example as a result of corporate name changes or mergers.

4. Entity Management Once a member has joined the Federation, the member MAY add any number of entities. Entity Change Requests Any request for entity addition, change or removal from Federation members needs to be communicated from or confirmed by their respective Registered Representatives. Communication of change happens via e-mail. Unsolicited Entity Changes The Federation Operator may amend or modify the Federation metadata at any time in order to: Ensure the security and integrity of the metadata; Comply with interfederation agreements; Improve interoperability; Add value to the metadata. Registered Representatives of the affected entity can observe changes by inspection of the published federation metadata. For technology profiles which do not lead to public disclosure of metadata, the Federation Operator will inform the affected entity of the change. 5. Metadata for Technology Profile SAML 2.0 SAML Metadata for all entities registered by the Federation Operator SHALL make use of the [SAML-Metadata-RPI-V1.0] metadata extension to indicate that the Federation Operator is the registrar for the entity and to detail the version of the MRPS statement that applies to the entity. The following is a non-normative example: <mdrpi:registrationinfo registrationauthority="http://eduid.lu" registrationinstant="2016-11-29t13:39:41z"> <mdrpi:registrationpolicy xml:lang="en"> http://eduid.lu/ /media/eduid-mrps-02.pdf</mdrpi:registrationpolicy> </mdrpi:registrationinfo> Canonical Name and <OrganizationName> The member s canonical name is disclosed in the entity s <OrganizationName> element. SAML 2.0 Entity Validation The following elements of entity metadata are validated: Permitted content and formats of <EntityID> The Federation Operator SHALL verify the member s right to use particular domain names in relation to <entityid> attributes.

The right to use a domain name SHALL be established in one of the following ways: A member s canonical name matches registrant information shown in DNS. A member MAY be granted the right to make use of a specific domain name through a permission letter from the domain owner on a per-entity basis. Permission SHALL NOT be regarded as including permission for the use of sub-domains. Values of the entityid attribute registered MUST be an absolute URI using the http, https or urn schemes. https-scheme URIs are RECOMMENDED to all members. http-scheme and https-scheme URIs used for entityid values MUST contain a host part whose value is a DNS domain which the entity has a right to use (as defined above). SAML 2.0 Metadata Validation On entity registration, the Federation Operator SHALL carry out entity validations checks. These checks include: Ensuring all required information is present in the metadata; Ensuring metadata is correctly formatted; Ensuring URLs specified in the metadata are technically reachable; Ensuring protocol endpoints are properly protected with TLS / SSL certificates. 6. References [RFC2119] [SAML-Metadata-RPI-V1.0] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0. 03 April 2012. OASIS Committee Specification 01. http://docs.oasisopen.org/security/saml/post2.0/saml-metadatarpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback