First, you must publish your own metadata on a URL accessible from the public internet. Note: within SURFconext, it is possible to send your metadata as a separate file directly to SURFconext, e.g. through email. However, for eduGAIN you MUST publish your metadata online.
SURFconext will publish your SP metadata in eduGAIN. It will make sure your metadata conforms to the eduGAIN Metadata Profile. To be able to do so, we impose some additional metadata requirements on SPs.
See also the SAML V2.0 Metadata Interoperability Profile.
Within SURFconext, assertions are not encrypted. In eduGAIN, however, many IdPs will only release attributes to SPs that support encryption. For compatibility you SHOULD therefore publish an encryption certificate in your metadata (or a single certificate that can be used for both signing and encryption). Most standard SP software does this by default.
Your SP metadata MUST contain:
- <md:Organization>, with values in English and, as appropriate, also values in the service's native languages for the elements <md:OrganizationName>, <md:OrganizationDisplayName> and <md:OrganizationURL>.
- <md:ContactPerson> with contactType="technical" and contactType="support". If present, <md:EmailAddress> SHOULD NOT be a personal address but a role address through which the entity's responsible persons can be reached. Please note: each email address in your metadata must carry the "mailto:" prefix.
- A RegistrationInfo extension element with a registrationAuthority. SURFconext will set this upon publication.
<md:SPSSODescriptor> SHOULD contain the elements:
- <mdui:DisplayName>, with a value in English and, as appropriate, also values in the languages supported by the service.
- <mdui:Description>, with a value in English and, as appropriate, also values in the languages supported by the service.
- <mdui:Logo>, with your service's logo hosted on an https location.
We strongly recommend complying with Sirtfi, which means you assert that you can handle security incidents properly and that you provide a contact point for these issues. There is an instruction on the REFEDS wiki of what to do.
We strongly recommend complying with the eduGAIN Code of Conduct and indicating so in your metadata. It will make the connection process with international IdPs considerably smoother. This should normally not be a problem, because the requirements of the SURFconext Connection Agreement are at least as strict as those of CoCo. See Signing the REFEDS Data Protection Code of Conduct for how to do this.
You can use this eduGAIN metadata template as an example.
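As an added worked example (not part of the SURFconext documentation or its template), the following Python script checks an SP metadata document against the MUST and SHOULD requirements listed above before you send the URL to SURFconext. The embedded sample metadata is constructed for the example: the entityID, hostnames and addresses are fictitious, and it deliberately contains defects (a support address without "mailto:", a logo served over http, a signing-only key, no <mdui:Description>, Sirtfi asserted without a security contact, no Code of Conduct) so the checker has something to report. The URIs used for the Sirtfi assurance certification, the REFEDS security contact type and the Code of Conduct v2 entity category are assumptions taken from the REFEDS documentation; confirm them on the REFEDS wiki linked above before relying on them. RegistrationInfo is not checked because SURFconext adds it on publication.

```python
"""Pre-flight check of SP metadata against the requirements above (added example, not SURFconext code)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
REMD_CONTACT_TYPE = "{http://refeds.org/metadata}contactType"
# URIs assumed from REFEDS documentation; confirm them on the REFEDS wiki before relying on them.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
# Constructed sample with deliberate defects; entityID, hosts and addresses are fictitious.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/saml/metadata"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
   <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue></saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
   <mdui:Logo height="60" width="60">http://sp.example.org/logo.png</mdui:Logo>
  </mdui:UIInfo></md:Extensions>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor>
 <md:Organization>
  <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
  <md:OrganizationDisplayName xml:lang="en">Example Organisation</md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
 </md:Organization>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:saml-admin@example.org</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="support"><md:EmailAddress>helpdesk@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return {"must": [MUST violations], "should": [SHOULD warnings]} for one EntityDescriptor."""
    ed = ET.fromstring(xml_text)
    if ed.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {"must": ["root element is not md:EntityDescriptor"], "should": []}
    must, should = [], []
    # MUST: md:Organization with an English value for each of the three names
    org = ed.find("md:Organization", NS)
    if org is None:
        must.append("md:Organization is missing")
    else:
        for tag in ("OrganizationName", "OrganizationDisplayName", "OrganizationURL"):
            if not any(e.get(XML_LANG) == "en" for e in org.findall("md:" + tag, NS)):
                must.append("md:%s has no xml:lang='en' value" % tag)
    # MUST: technical and support contacts; every address carries the mailto: prefix
    # (whether an address is a role mailbox rather than a person's is a judgement call, not checked)
    contacts = ed.findall("md:ContactPerson", NS)
    for ct in ("technical", "support"):
        if not any(c.get("contactType") == ct for c in contacts):
            must.append("no md:ContactPerson with contactType='%s'" % ct)
    for addr in ed.findall("md:ContactPerson/md:EmailAddress", NS):
        value = (addr.text or "").strip()
        if not value.startswith("mailto:"):
            must.append("md:EmailAddress '%s' lacks the mailto: prefix" % value)
    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is None:
        must.append("md:SPSSODescriptor is missing")
        return {"must": must, "should": should}
    # SHOULD: a key usable for encryption (use="encryption", or no use attribute, which means both)
    if not any(kd.get("use") in (None, "encryption") for kd in sp.findall("md:KeyDescriptor", NS)):
        should.append("no md:KeyDescriptor usable for encryption; many eduGAIN IdPs will not release attributes")
    # SHOULD: mdui:DisplayName and mdui:Description in English, logo served over https
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        should.append("mdui:UIInfo (DisplayName, Description, Logo) is missing")
    else:
        for tag in ("DisplayName", "Description"):
            if not any(e.get(XML_LANG) == "en" for e in ui.findall("mdui:" + tag, NS)):
                should.append("mdui:%s has no xml:lang='en' value" % tag)
        logos = [(e.text or "").strip() for e in ui.findall("mdui:Logo", NS)]
        if not logos:
            should.append("mdui:Logo is missing")
        for url in logos:
            if not url.startswith("https://"):
                should.append("mdui:Logo '%s' is not served over https" % url)
    # SHOULD: Sirtfi (plus a REFEDS security contact) and CoCo v2, asserted as entity attributes
    attrs = {}
    for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        attrs.setdefault(a.get("Name"), set()).update(
            (v.text or "").strip() for v in a.findall("saml:AttributeValue", NS))
    if SIRTFI not in attrs.get(ASSURANCE_CERT, set()):
        should.append("Sirtfi is not asserted")
    elif not any(c.get(REMD_CONTACT_TYPE) == SECURITY_CONTACT for c in contacts):
        should.append("Sirtfi is asserted but there is no REFEDS security contact")
    if COCO_V2 not in attrs.get(ENTITY_CATEGORY, set()):
        should.append("REFEDS Code of Conduct v2 is not asserted")
    return {"must": must, "should": should}


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA))
```

Run it against your own metadata by passing the file contents to check_sp_metadata(); anything under "must" has to be fixed before SURFconext can publish the entity in eduGAIN, while the "should" findings are the items that determine whether international IdPs will actually release attributes to you. The checker only tests structure; it does not validate the certificate or the metadata signature.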
Next, please contact support@surfconext.nl and send them your metadata URL. SURFconext will (re)publish your metadata to the eduGAIN feed.
After this step, you can continue to Consume metadata.