The information on this page has been superseded and should be regarded as historical. For most purposes, you should use the current edition of this document instead.
1 Introduction
This document specifies the detailed technical architecture of the UK Access Management Federation for Education and Research (the UK federation).
Familiarity with this document is not normally required for individual deployments; its primary audiences are developers of federation software and operators of partner federations. A companion document, the Technical Recommendations for Participants ([UKTRP]), provides specific technical recommendations for members of the federation based on these specifications.
1.1 Keeping Up To Date
Due to the rapidly changing nature of the software and standards associated with identity technologies, it will be necessary to update this document from time to time to reflect new developments. The latest version of this document can always be found on the federation web site (see [UKFTS]); federation members should review the latest version of this document periodically, and in any case whenever a new deployment is contemplated.
New editions of this and other federation technical documents, as well as other announcements thought to be relevant to federation members, are reported on the federation mailing list. The technical and administrative contacts listed for all entities registered with the UK federation are made members of the mailing list automatically; other addresses can be added to the list by request.
1.2 Document Status
This edition describes the UK federation with effect from its date of publication as shown on the cover page.
1.3 Notation
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
Conventional XML namespace prefixes are used throughout this document to stand for their respective namespaces as follows:
Prefix | XML Namespace | Defined in |
---|---|---|
ds: | http://www.w3.org/2000/09/xmldsig# | [XMLSig] |
elab: | http://eduserv.org.uk/labels | This document. |
idpdisc: | urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | [IdPDisco] |
md: | urn:oasis:names:tc:SAML:2.0:metadata | [SAML2Meta] |
mdattr: | urn:oasis:names:tc:SAML:metadata:attribute | [MetaAttr] |
mdrpi: | urn:oasis:names:tc:SAML:metadata:rpi | [SAML-Metadata-RPI-V1.0] |
mdui: | urn:oasis:names:tc:SAML:metadata:ui | [SAML-Metadata-UI-V1.0] |
saml2: | urn:oasis:names:tc:SAML:2.0:assertion | [SAML2Core] |
saml2p: | urn:oasis:names:tc:SAML:2.0:protocol | [SAML2Core] |
shibmd: | urn:mace:shibboleth:metadata:1.0 | [ShibMetaExt] |
ukfedlabel: | http://ukfederation.org.uk/2006/11/label | This document. |
wayf: | http://sdss.ac.uk/2006/06/WAYF | This document. |
This document uses the following typographical conventions in text:
- <prefix:XMLElement> to signify an XML element. If the prefix is omitted, “md:” can be assumed.
- XMLAttribute to signify an XML attribute. Attributes accompanied by values are written as XMLAttribute="value".
1.4 Changes in this Edition
- Section 2 on the UK federation’s trust fabric now reflects the changes introduced during the trust fabric evolution performed during 2013 and early 2014: the direct key scheme is now REQUIRED for all entities; use of the PKIX scheme has been discontinued.
- Updated section 2.2.1 (Transition to non-PKIX Trust Fabric) to reflect the completion of this transition.
- Updated section 2.2.2 to indicate that the transition to stronger RSA keys has been completed. Added corresponding requirements for public key size and RSA public exponent value for embedded key material to section 3.10.
- Removed the table of registrationAuthority values in section 3.2.2 in favour of a link to the eduGAIN status page.
- Widened the section 3.10 requirement for embedded key material within <KeyDescriptor> elements to include SAML 1.1 as well as SAML 2.0 roles. Indicated that the use of <ds:KeyName> elements has been discontinued.
- Removed coverage of the <elab:AthensPUIDAuthority> element, which is no longer included in published aggregates as of 2013-09-02.
- Moved the description of the export aggregate from section 4.5 (Future Directions) into section 4.2 (Service Interface). Added the new export preview aggregate.
- Introduced a new section 4.4.2 describing the signature profiles used for UK federation metadata aggregates.
- Removed MD5 certificate fingerprints, and added a new fingerprint for the signing certificate which will be introduced in November 2014. Indicated that we do not expect to recertify the signing key again in the near future.
- In section 4.5.3 (Aggregate Structure), de-emphasised the possibility of a short-term transition to hierarchical aggregates, as a result of the widespread failure to implement this part of the SAML metadata standard correctly.
- Revised the links for [eduPerson12], [ICSAML2], [MDQuery], [UKFTS], [UKPROC], [UKROM], [UKTRP].
- Added a reference to [MDQuerySAML].
1.5 Future Directions
Where appropriate, major sections of this document contain a sub-section called “Future Directions” describing likely future developments in the area under consideration. These notes are provided to allow members to incorporate this information into planning activities.