1 Introduction
This document specifies the detailed technical architecture of the UK Access Management Federation for Education and Research (the UK federation).
Familiarity with this document is not normally required for individual deployments; its primary audiences are developers of federation software and operators of partner federations. A companion document, the Technical Recommendations for Participants ([UKTRP]), provides specific technical recommendations for members of the federation based on these specifications.
1.1 Keeping Up To Date
Due to the rapidly changing nature of the software and standards associated with identity technologies, it will be necessary to update this document from time to time to reflect new developments. The latest version of this document can always be found on the federation web site (see [UKFTS]); federation members should review the latest version of this document periodically, and in any case whenever a new deployment is contemplated.
New editions of this and other federation technical documents, as well as other announcements thought to be relevant to federation members, are reported on the federation mailing list. The technical and administrative contacts listed for all entities registered with the UK federation are made members of the mailing list automatically; other addresses can be added to the list by request.
1.2 Document Status
This edition describes the UK federation with effect from its date of publication as shown on the cover page.
1.3 Notation
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
Conventional XML namespace prefixes are used throughout this document to stand for their respective namespaces as follows:
Prefix | XML Namespace | Defined in
---|---|---
ds: | http://www.w3.org/2000/09/xmldsig# | [XMLSig]
idpdisc: | urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol | [IdPDisco]
md: | urn:oasis:names:tc:SAML:2.0:metadata | [SAML2Meta]
mdattr: | urn:oasis:names:tc:SAML:metadata:attribute | [MetaAttr]
mdrpi: | urn:oasis:names:tc:SAML:metadata:rpi | [SAML-Metadata-RPI-V1.0]
mdui: | urn:oasis:names:tc:SAML:metadata:ui | [SAML-Metadata-UI-V1.0]
saml2: | urn:oasis:names:tc:SAML:2.0:assertion | [SAML2Core]
saml2p: | urn:oasis:names:tc:SAML:2.0:protocol | [SAML2Core]
shibmd: | urn:mace:shibboleth:metadata:1.0 | [ShibMetaExt]
ukfedlabel: | http://ukfederation.org.uk/2006/11/label | This document.
This document uses the following typographical conventions in text:
- <prefix:XMLElement> to signify an XML element. If the prefix is omitted, “md:” can be assumed.
- XMLAttribute to signify an XML attribute. Attributes accompanied by values are written as XMLAttribute="value".
The rationale behind certain technical decisions is called out in boxes like this.
Where appropriate, boxes like this are used to describe likely future developments in the area under consideration. These notes are provided to allow members to incorporate this information into planning activities.
If action is required by federation members in response to a change in this document, details are provided in boxes like this.
Details will normally include the action required and the date by which changes will need to be made.
1.4 Changes in this Edition
- Updated the normative language above to modern standards, referencing both parts of BCP 14.
- Changed section 3.5.1 (“<shibmd:KeyAuthority> Element”) to document that the UK federation no longer uses the <shibmd:KeyAuthority> element in its aggregates.
- Updated Section 3.5.2 (“<shibmd:Scope> Element”) to refer to the most recent version of the eduPerson specification. This is not a substantive change.
- Section 3.5.2 (“<shibmd:Scope> Element”) deprecates and gives a timetable for future removal of the “triple scope” convention in UK federation metadata, in which a third copy of each <shibmd:Scope> element is currently provided at the “top level” within the <Extensions> of an identity provider’s <EntityDescriptor>.
  In the unlikely event that your deployment relies on the “triple scope” convention in UK federation metadata, you must act before 2021-11-01 to avoid issues when this transition occurs. See section 3.5.2 for full details.
- The coverage of <shibmd:Scope> elements with regexp="true" in section 3.5.2 (“<shibmd:Scope> Element”) has been updated to describe the UK federation’s current approach. This is much more liberal than described in the previous edition, while still disallowing arbitrary regular expressions on safety grounds.
- Section 3.6.1 (“UK Federation Member Label”) deprecates and gives a timetable for future removal of the <ukfedlabel:UKFederationMember> element in UK federation metadata.
  In the unlikely event that your deployment relies on the <ukfedlabel:UKFederationMember> element in UK federation metadata, you must act before 2021-11-01 to avoid issues when this transition occurs. See section 3.6.1 for full details.
- Section 3.6.2 (“Accountable Users Label”) now indicates that we expect at some time in the future to replace the <ukfedlabel:AccountableUsers> extension by an entity category.
- Changed section 3.7 (“SDSS Federation WAYF Namespace”) to document that the UK federation no longer uses the wayf namespace.
- Section 4 (“Metadata Publication Service”) has been reorganised to allow the introduction of new material.
- Replaced references to [RFC2616] in section 4 (“Metadata Publication Service”) with references to the replacement HTTP/1.1 RFC series (RFCs 7230–35).
- Changed section 4.1 (“Service Implementation”) to describe the new federation infrastructure:
  - Virtual rather than physical machines are now used.
  - An extra level of indirection through a CNAME is used for the metadata.ukfederation.org.uk DNS name.
- Section 4.2.2 (“Aggregate Structure”) no longer anticipates structured (nested) aggregates as a possible future direction.
- Section 4.3 (“Metadata Query Publication”) has been added to document the availability of metadata using the Metadata Query Protocol (MDQ) described in [MDQuery] and [MDQuerySAML].
- Section 4.5 (“Support for Compression”) has been added to document the Metadata Publication Service’s ability to compress metadata documents returned to clients.
- The “WAYF” endpoint to the Central Discovery Service (CDS) has been deprecated, and moved from section 5.2.2.1 to section 5.2.2.3 (“Deprecated Endpoints”). Although no date has yet been set for the removal of the WAYF endpoint, service provider deployers are advised to migrate to the DS protocol endpoint as described in section 5.2.2.1 to avoid future disruption.
- The “test” endpoints to the Central Discovery Service (CDS) were removed from the service interface as part of a move to new infrastructure in Summer 2016 and are no longer available. This is now documented in section 5.2.2.2 (“Test Endpoints”).
- Documentation of the previously deprecated “all.wayf” endpoint of the Central Discovery Service (CDS) has been removed from section 5.2.2.3 (“Deprecated Endpoints”) as the endpoint has been retired.
- Added references for [MACEAttr], [RFC7230], [RFC7231], [RFC7232], [RFC8174], [RFC8409] and [SAML2Core].
- Removed unused references.
- Updated the [FIPS180-4] reference from the draft specification to the final publication.
- The “Entity Categories” specification has become [RFC8409].
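To make the “triple scope” deprecation above concrete, the following added example (not part of this document or of the federation’s own tooling) lists the <shibmd:Scope> values found under each <Extensions> block of an identity provider’s <EntityDescriptor> and flags any value that exists only at the deprecated top level. The metadata it parses is a constructed sample; the entityID and the extra legacy.example.ac.uk scope are invented for illustration.

```python
import xml.etree.ElementTree as ET
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
# Constructed sample (not real federation metadata): an IdP laid out with the
# "triple scope" convention. The top-level copy also carries a hypothetical extra
# value, legacy.example.ac.uk, that the role descriptors lack, so there is something to flag.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.ac.uk/idp">
  <md:Extensions>
    <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
    <shibmd:Scope regexp="false">legacy.example.ac.uk</shibmd:Scope>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
    </md:Extensions>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

def local_name(tag):
    """Strip the {namespace} part that ElementTree prefixes onto tag names."""
    return tag.rsplit("}", 1)[-1]

def scopes_by_location(xml_text):
    """Map each element owning an <md:Extensions> block to the Scope values inside it."""
    root = ET.fromstring(xml_text)
    found = {}
    for owner in root.iter():  # iter() includes the EntityDescriptor root itself
        for ext in owner.findall("md:Extensions", NS):
            for scope in ext.findall("shibmd:Scope", NS):
                found.setdefault(local_name(owner.tag), set()).add(scope.text.strip())
    return found

def top_level_only_scopes(xml_text):
    """Scope values present only in EntityDescriptor/Extensions: these vanish
    when the deprecated top-level copy is dropped, so they are worth flagging."""
    found = scopes_by_location(xml_text)
    top_level = found.get("EntityDescriptor", set())
    in_roles = set().union(*(v for k, v in found.items() if k != "EntityDescriptor"))
    return top_level - in_roles
```

A consumer that reads scopes from the role descriptors (the locations that remain after the transition) will see only the values reported under IDPSSODescriptor and AttributeAuthorityDescriptor.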