Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: remove legacy feed

ACOnet publishes several SAML 2.0 Metadata documents, some of which are documented below. All

Note
iconfalse
titleSignature Validation required for any Metadata consumption

All use of SAML Metadata published by ACOnet requires verification of the cryptographic signature (

...

xmldsig) on that metadata against the published Metadata Signing Key. Trust in any information contained in SAML Metadata published by ACOnet should only be derived from a valid signature with that key, not based on the URL the metadata is downloaded from.

Production

Service Providers only providing services to ACOnet participants can use this limited Metadata document, which only contains entities registered with ACOnet (i.e., those accounted for by formal ACOnet Identity Federation members who are bound by the ACOnet Identity Federation Policy):

...

  • Service Providers registering individually with every Identity Federation, such as internationally acting e-resource providers
  • Service Providers which (by the "nature" of their service; e.g. target market or legal status) are limited to subjects from eduID.at member institutions.

...


All other Federation members will want to make use of the Interfederation-enabled Metadata document, which contains all eduID.at member institutions as well as any SAML entities known via Interfederation agreements, such as eduGAIN. Those interfederated entities are bound by the policies of their respective Registrars or Home Federations.

...

Currently eduID.at Metadata is being signed daily (or more often) and validity (validUntil) is being set to +14 days in the future each time. That means consumers of this metadata will need to refresh (re-download and evaluate signature) eduID.at metadata at least every 14 days, which a correctly configured software should do automatically. (Note that this validity window may be shortened further in the future without prior notice.)

Consumers of eduID.at Metadata, i.e., SAML IDPs and SPs (and potentially SAML IDP Discovery Services) should refresh SAML eduID.at metadata at least once a day, but preferrably may do so more often. The example Metadata Providers in this documentation are set to a 4-hour refresh (i.e., re-downloading and evaluating the eduID.at SAML metadata 6 times a day – or less often if it can be established on the HTTP layer that the metadata hasn't changed on the HTTP layer, cf. conditional HTTP GET), shortening the time it takes for the software to learn of new, changed or removed entities.

...