
This page aims to guide Federation Operators in supporting the adoption of the Sirtfi Framework.


Entity Attributes Filtering

The assertion of Sirtfi compliance for a Relying Party is expressed in metadata with the use of an Entity Attribute [1], as described in the OASIS documentation for asserting compliance with assurance profiles [2]. The validation strategy for local federation entity metadata might need to be reconsidered in order to allow local Entities to assert Sirtfi compliance. Additionally, if a federation has a filtering procedure in place while republishing eduGAIN metadata, federation operators need to ensure that their filtering strategy is adapted in order to facilitate the use of Sirtfi.

Two additions are necessary in the metadata of an entity asserting Sirtfi compliance, so federation operators should focus on whitelisting/allowing the following:

Assurance-certification Entity Attribute

Sirtfi compliance is expressed with the use of the Entity Attribute “urn:oasis:names:tc:SAML:attribute:assurance-certification” holding the value https://refeds.org/sirtfi in an entity’s metadata, as seen below:

<EntityDescriptor ...>
   <Extensions> 
       <attr:EntityAttributes>
            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                            Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                <saml:AttributeValue>https://refeds.org/sirtfi
                </saml:AttributeValue>
            </saml:Attribute>
       </attr:EntityAttributes> 
    </Extensions> 
... 
</EntityDescriptor>

Security Contact

A security contact element is added to every Entity that asserts Sirtfi compliance, as seen below:

<ContactPerson xmlns:icmd="http://id.incommon.org/metadata"
                contactType="other"
                icmd:contactType="http://id.incommon.org/metadata/contactType/security">
   <GivenName>Security Response Team</GivenName>
   <EmailAddress>security@xxxxxxxxxxxxxxx</EmailAddress>
</ContactPerson>

Multiple EmailAddress tags may be defined, should an organisation wish to add both a generic email address and an individual.
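As an added example (not part of this page or of any federation's own tooling), the following Python script checks entity metadata for both additions described above: the assurance-certification attribute must carry https://refeds.org/sirtfi under the Attribute with that Name, and an entity that asserts Sirtfi must also carry a security contact. The entityIDs and e-mail addresses in the embedded sample aggregate are constructed; the namespace URIs are the standard SAML, InCommon and OASIS ones.

```python
import xml.etree.ElementTree as ET

# Standard SAML metadata namespaces; the page's "attr:" prefix binds to the mdattr URI.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "icmd": "http://id.incommon.org/metadata"}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_TYPE = "http://id.incommon.org/metadata/contactType/security"

def asserts_sirtfi(entity):
    """True only if the Sirtfi value sits under the assurance-certification Attribute."""
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        # strip(): real metadata often has whitespace or a newline around the value
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == ASSURANCE_ATTR and SIRTFI in values:
            return True
    return False

def security_emails(entity):
    """EmailAddress values of ContactPerson elements tagged icmd:contactType=security."""
    return [(e.text or "").strip()
            for cp in entity.findall("md:ContactPerson", NS)
            if cp.get("{%s}contactType" % NS["icmd"]) == SECURITY_TYPE
            for e in cp.findall("md:EmailAddress", NS)]

def check_entities(xml_text):
    """Map entityID -> (asserts Sirtfi, security e-mails, consistent)."""
    report = {}
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        sirtfi, emails = asserts_sirtfi(ent), security_emails(ent)
        # an entity that asserts Sirtfi must also carry a security contact
        report[ent.get("entityID")] = (sirtfi, emails, not sirtfi or bool(emails))
    return report

# Constructed sample aggregate: one consistent entity, one asserting Sirtfi without a contact.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s"
    xmlns:saml="%(saml)s" xmlns:icmd="%(icmd)s">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%(attr)s"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>https://refeds.org/sirtfi
      </saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:ContactPerson contactType="other" icmd:contactType="%(sec)s">
      <md:EmailAddress>security@example.org</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/sp">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%(attr)s">
      <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>""" % dict(NS, attr=ASSURANCE_ATTR, sec=SECURITY_TYPE)
```

Running check_entities(SAMPLE) flags the second entity, which asserts Sirtfi but publishes no security contact.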

[1] http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.html

[2] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-assurance-profile.pdf

Metadata aggregates for Sirtfi compliant entities

When republishing eduGAIN metadata for your local federation, it might be useful to provide filtered aggregates of the eduGAIN metadata to your participants, containing only the Relying Parties that have asserted compliance with Sirtfi. The following section provides detailed instructions on how this can be done with the use of the pyFF Federation Feeder or the Shibboleth Metadata Aggregator.

pyFF Federation Feeder

The following example pyFF pipeline loads the eduGAIN metadata from mds.edugain.org and, after filtering out all Entities from the local federation and all Entities that do not assert Sirtfi compliance, creates three new metadata aggregates:

  • One that contains only the Identity Providers

  • One that contains only the Service Providers

  • One that contains both Identity and Service Providers

### Load eduGAIN Metadata ###
- load:
  # Load from the eduGAIN Metadata URL
  - http://mds.edugain.org/feed-sha256.xml as edugain-md certs/eduGAIN-signer-ca.pem
  
### Replace the value of '###YOUR-REG-AUTH###' with your registrationAuthority to exclude the entities of your federation. ###
- select:
  - "edugain-md!//md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority and not(md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority='###YOUR-REG-AUTH###')]"
 
### Select only the Entities that assert Sirtfi Compliance
- select:
  - "edugain-md!//md:EntityDescriptor[md:Extensions/mdattr:EntityAttributes/saml:Attribute/@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification' and md:Extensions/mdattr:EntityAttributes/saml:Attribute/saml:AttributeValue='https://refeds.org/sirtfi']"


### Fork to produce the Interfederation Identity Providers Metadata ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
  - select:
     - "edugain-md!//md:EntityDescriptor[md:IDPSSODescriptor]"
  - xslt:
     stylesheet: tidy.xsl
  - finalize:
     Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
     ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
     cacheDuration: PT5H
     validUntil: P5D
  - sign:
     key: certs/sign.key
     cert: certs/sign.crt
  - publish:
     - output/my-interfederation-idp-metadata.xml
 
### Fork to produce the Interfederation Service Providers Metadata ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
  - select:
     - "edugain-md!//md:EntityDescriptor[md:SPSSODescriptor]"
  - xslt:
     stylesheet: tidy.xsl
  - finalize:
     Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
     ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
     cacheDuration: PT5H
     validUntil: P5D
  - sign:
     key: certs/sign.key
     cert: certs/sign.crt
  - publish:
     - output/my-interfederation-sp-metadata.xml
 
### Produce the Interfederation Metadata ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- xslt:
  stylesheet: tidy.xsl
- finalize:
  Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
  ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
  cacheDuration: PT5H
  validUntil: P5D
- sign:
  key: certs/sign.key
  cert: certs/sign.crt
- publish:
  - output/my-interfederation-metadata.xml


Shibboleth Metadata Aggregator

TBC
