
Metadata Registration Practice Statement

History of changes

  • June 2013: initial version of the document.
  • September 2016: new version published to describe the new metadata management practices.
  • September 2017: updated version published to describe the new metadata management practices.

Common practices

All users connect to the federation registry web interface through HTTPS and first authenticate through their local IdP or at the default CRU accounts IdP. Data provided by an IdP or SP administrator, once validated, are stored in the federation registry database and are used to generate both the federation metadata and the inter-federation metadata.

An IdP/SP needs to be attached to a trusted organization which has completed administrative registration. Administrative registration requires that a representative of that organization has signed the federation partner or member charter. Each trusted organization designates two federation contacts; these act as proxies for the organization. A member organization belongs to the French Education & Research community; it can later register an Identity Provider and Service Providers with the Fédération Education-Recherche. A partner organization is any organization that wishes to operate a Service Provider within the Fédération Education-Recherche.

RENATER provides a Test federation that allows SP/IdP administrators to perform tests before entering the production federation. Joining an inter-federation requires that the IdP/SP administrators request it via the federation registry web interface; a confirmation is needed.

Metadata management

Federation metadata are updated automatically, based on a metadata template and SP/IdP descriptions from the federation registry backend.

Federation metadata files are updated every 30 minutes and get published as a preview version. RENATER also provides intermediate and main versions of production metadata files. The metadata versions management is described in a dedicated document.

Federation metadata files have a validity period of 9 days.

Before a federation metadata file gets published and signed, it goes through a series of technical validation tests to prevent incorrect metadata files from being published.

Practices for Identity Provider registration and update

An Identity Provider registration request can be submitted by any user authenticated through one of the federation IdPs or a CRU account. The user must select the member organization the IdP relates to. The registration request then requires approval by one of the organization's federation contacts.

Criteria to validate an Identity Provider include:

  1. checking the validity of provided URLs
  2. checking of the Identity Provider title
  3. checking the provided technical contacts email addresses
  4. checking the entityID format
  5. checking the scope(s) for the IdP

Once the IdP has been validated, its administrators get notified.

The IdP administrator can later update information about the IdP through the federation registry web interface. The update request also needs to be manually approved by federation operators if significant information has been updated (entityID, attribute scope).

Practices for Service Providers registration and update

A Service Provider registration request can be submitted by any user authenticated through one of the federation IdPs or a CRU account. The user must select the organization (member or partner) the SP relates to. The registration request then requires approval by one of the organization's federation contacts.

Criteria to validate a Service Provider include:

  1. checking the validity of provided URLs
  2. checking of the Service Provider title
  3. checking of the provided category of service and scope
  4. checking of the requested user attributes and usage
  5. checking of the declared country where the data is processed
  6. checking the provided technical contacts email addresses
  7. checking the entityID format
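The following script is an added example and is not code from RENATER or the federation registry. It shows what the technical checks shared by the IdP and SP criteria above (valid endpoint URLs, entityID format, technical contact e-mail addresses, IdP scopes) and the 9-day validity period of published metadata look like when applied to a single SAML EntityDescriptor. The sample metadata, the reference time and the exact acceptance rules (https-only endpoints, a literal scope with at least one dot) are assumptions made for the example; the registry's own rules may differ.

```python
"""Checks on a SAML 2.0 EntityDescriptor, modelled on the registration
criteria in the practice statement. Added example; the sample metadata
and the acceptance rules below are constructed, not the registry's code."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
MAX_VALIDITY = timedelta(days=9)  # validity period stated in the practice statement
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SCOPE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # assumed: literal DNS-style scope

# Constructed reference time, so the validUntil check is deterministic.
REFERENCE_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def url_is_valid(url: str) -> bool:
    """Endpoint URLs must be absolute https URLs with a host name (assumed rule)."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


def entity_id_is_valid(entity_id: str) -> bool:
    """entityID must be an absolute URI: a URN or an http(s) URL, at most 1024 chars."""
    if not entity_id or len(entity_id) > 1024:
        return False
    p = urlparse(entity_id)
    if p.scheme == "urn":
        return bool(p.path)
    return p.scheme in ("https", "http") and bool(p.hostname)


def validity_is_acceptable(valid_until: str, now: datetime) -> bool:
    """validUntil must be a timezone-aware timestamp in the future, at most 9 days ahead."""
    try:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    except ValueError:
        return False
    if expiry.tzinfo is None:
        return False
    return now < expiry <= now + MAX_VALIDITY


def validate_entity(xml_text: str, now: datetime = None) -> list:
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]

    entity_id = root.get("entityID", "")
    if not entity_id_is_valid(entity_id):
        findings.append(f"entityID format invalid: {entity_id!r}")

    valid_until = root.get("validUntil")
    if valid_until is not None and not validity_is_acceptable(valid_until, now):
        findings.append(f"validUntil outside the accepted 9-day window: {valid_until}")

    # Every endpoint (SSO, ACS, SLO, ...) carries a Location attribute.
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and not url_is_valid(loc):
            findings.append(f"endpoint URL rejected: {loc}")

    technical = root.findall("md:ContactPerson[@contactType='technical']", NS)
    if not technical:
        findings.append("no technical contact declared")
    for contact in technical:
        mail = contact.findtext("md:EmailAddress", default="", namespaces=NS).strip()
        addr = mail[len("mailto:"):] if mail.startswith("mailto:") else mail
        if not EMAIL_RE.match(addr):
            findings.append(f"technical contact e-mail invalid: {mail!r}")

    # Scope check applies to Identity Providers only.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        scopes = idp.findall("md:Extensions/shibmd:Scope", NS)
        if not scopes:
            findings.append("IdP declares no shibmd:Scope")
        for scope in scopes:
            value = (scope.text or "").strip()
            if scope.get("regexp", "false") != "false" or not SCOPE_RE.match(value):
                findings.append(f"scope rejected: {value!r}")
    return findings


# Constructed sample: an IdP that should pass every check at REFERENCE_TIME.
GOOD_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth" validUntil="2024-01-08T12:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:idp-admin@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# Constructed sample: bad entityID, 31-day validity, http endpoint, bad e-mail, no scope.
BAD_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="idp.example.org" validUntil="2024-02-01T12:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>admin at example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_IDP_METADATA), ("bad", BAD_IDP_METADATA)):
        print(label, validate_entity(doc, now=REFERENCE_TIME))
```

Run as a script, the good sample yields no findings and the bad sample yields one finding per violated criterion. A registry would run the same functions over every entity in the aggregate before signing, which is the "technical validation tests" step described under Metadata management.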

Once the SP has been validated, its administrators get notified.

The SP administrators can later update information about the SP through the federation registry web interface. The update request also needs to be manually approved by federation operators if significant information has been updated (entityID, requested user attributes).