
ACOnet publishes several SAML Metadata documents, some of which are documented below. All use of SAML Metadata published by ACOnet requires verification of the cryptographic signature (XMLDsig) on that metadata against the published Metadata Signing Key. Trust in any information contained in SAML Metadata published by ACOnet should only be derived from a valid signature with that key, not e.g. based on the URL the metadata is downloaded from.

If your services are still using a legacy Metadata URL from https://wayf.aco.net/..., please update the URL to one of those described below.

Service Providers that only provide services to ACOnet participants (i.e., services that have no users outside eduID.at member institutions) can use this limited Metadata document, which contains only entities registered with ACOnet, i.e., Identity Providers accounted for by formal ACOnet Identity Federation members, who are bound by the ACOnet Identity Federation Policy:

Entities registered with ACOnet

http://eduid.at/md/aconet-registered.xml

All other Federation members will want to make use of the Interfederation-enabled Metadata document, which contains all eduID.at member institutions as well as any SAML entities known via Interfederation agreements, such as eduGAIN. Those interfederated entities are bound by the policies of their respective Registrars or Home Federations.

Entities registered with ACOnet plus Interfederation Entities

http://eduid.at/md/aconet-interfed.xml

Federation members who should use this Metadata document include:

Metadata validity and refresh

Currently, eduID.at Metadata is signed daily (or more often), and its validity (validUntil) is set to 14 days in the future each time it is signed. That means consumers of this metadata will need to refresh (re-download and evaluate) eduID.at metadata at least every 14 days, which correctly configured software will do automatically. (Note that this validity window may be shortened further in the future without prior notice.)

The example Metadata Filters in this set of documentation use a maximum validity of 28 days, i.e., software configured that way would reject SAML metadata that either (a) has no upper limit on its validity at all, or (b) has a validity that extends more than 28 days into the future.
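The validity rule above, as an added example (not ACOnet's or eduID.at's own code, and not a substitute for the XMLDsig verification described at the top of this page): a small check of the validUntil attribute on the root of a SAML metadata document that rejects the two cases (a) and (b), plus already-expired documents. The sample documents are constructed and the clock is fixed so the result is reproducible.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_VALIDITY = timedelta(days=28)   # the limit used by the example filters on this page

def check_valid_until(metadata_xml, now, max_validity=MAX_VALIDITY):
    """Return (accepted, reason) for the validity rule described on this page.

    Rejects metadata that (a) carries no validUntil at all or (b) whose validUntil
    lies more than max_validity ahead of `now`; expired documents are rejected too.
    This complements, and does not replace, verifying the XMLDsig signature of the
    document against the published Metadata Signing Key.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        return False, "root element is not SAML metadata"
    value = root.get("validUntil")
    if value is None:
        return False, "no validUntil: unbounded validity is rejected"
    expires = datetime.fromisoformat(value.replace("Z", "+00:00"))  # xs:dateTime in UTC
    if expires <= now:
        return False, "metadata has expired"
    if expires - now > max_validity:
        return False, f"validity window exceeds {max_validity.days} days"
    return True, "ok"

def sample_metadata(valid_until):
    """Constructed sample document (not real eduID.at metadata); valid_until may be None."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="example"{attr}>'
            f'<md:EntityDescriptor entityID="https://idp.example.ac.at/idp"/>'
            f'</md:EntitiesDescriptor>')

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def run_demo():
    """Evaluate the cases the page describes against the fixed clock."""
    cases = {
        "fresh_14d":    "2024-01-15T00:00:00Z",  # what eduID.at sets: +14 days
        "unbounded":    None,                    # case (a): no upper limit at all
        "too_long_60d": "2024-03-01T00:00:00Z",  # case (b): beyond 28 days
        "expired":      "2023-12-31T00:00:00Z",
    }
    return {name: check_valid_until(sample_metadata(v), NOW)[0] for name, v in cases.items()}

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```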

Consumers of eduID.at Metadata (i.e., SAML IdPs and SPs, and potentially SAML IdP Discovery Services) should refresh SAML metadata at least once a day, but preferably more often. The example Metadata Providers in this documentation are set to a 2-hour refresh (i.e., re-downloading and evaluating the eduID.at SAML metadata 12 times a day), which shortens the time it takes for the software to learn of new, changed or removed entities.
