Skip to content

Home

Jump to bottom Edit New page
Jan Oppolzer edited this page Aug 2, 2018 · 24 revisions

SAML-validator Wiki

SAML-validator is a simple script written in PHP to validate SAML metadata. It consists of various tests that metadata has to pass before it is accepted to Czech academic identity federation eduID.cz or Testbed federation czTestFed.

The page speaks depending on the browser language -- if set to Czech or Slovak it speaks Czech, otherwise it speaks English.

Available Tests

This tool currently includes the following tests:

  1. Validity against saml-schema-metadata-2.0.xsd schema.
  2. Validity agains sstc-saml-metadata-ui-v1.0.xsd schema.
  3. Certificates have to be valid and the public keys have to satisfy the bit-size condition. 30 days ($CERTIFICATE_VALIDITY variable) and 2048 bits ($KEY_SIZE variable) are the default values [1].
  4. Precisely one <shibmd:Scope> element is required within <md:IDPSSODescriptor> element and zero or one is allowed within <md:AttributeAuthorityDescriptor> element [2].
  5. The regexp attribute of all <shibmd:Scope> elements must be equal to false value [3].
  6. The value of a <shibmd:Scope> elements must be equal to a substring of an entityID of the entity [3].
  7. Elements <mdui:DisplayName>, <mdui:Description> and <mdui:InformationURL> contained within <mdui:UIInfo> element must be present in Czech (xml:lang="cs") and English (xml:lang="en") language.
  8. An element <mdui:Logo> contained within <mdui:UIInfo> is mandatory for Identity Providers in order to show an icon in WAYF/DS. The logo is downloaded from the URL to test presence. Its filetype must be a standard raster image (such as JPG, PNG, GIF, etc.) or a vector SVG image (a XML document with the <svg> root element). In case of a raster image, its dimensions are compared to width/height attributes of <Logo> element -- they must be the same.
  9. Metadata must contain excatly one <md:Organization> element with <md:OrganizationName>, <md:OrganizationDisplayName> and <md:OrganizationURL> elements in both Czech (xml:lang="cs") and English (xml:lang="en") language.
  10. At least one <md:ContactPerson> element with contactType="technical" attribute must be present and contain <md:GivenName>, <md:SurName> and <md:EmailAddress> elements.
  11. A correct content of <eduidmd:RepublishRequest> element for eduGAIN export or no <eduidmd:RepublishRequest> element at all is required.
  12. All URL addresses (<mdui:Logo>, <md:SingleSignOnService>, <md:SingleLogoutService>, <md:AssertionConsumerService>, etc.) and entityID attribute of <md:EntityDescriptor> element must be HTTPS.
  13. SAML 2.0 binding (Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" attribute) defined within <md:AttributeService> element requires SAML 2.0 token (protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" attribute) in <md:AttributeAuthorityDescriptor> element.

[1] In order to allow proper certificate roll over, the odd certificates might be expired or have a key bit-size lesser than defined.
[2] We do not allow any IdP to have more than one <shibmd:Scope> presently. It might change in the future though.
[3] This might change in case of a justified reason for a particular entity.

Testing Options

There are two ways to test a metadata. Either by uploading a metadata file or by defining an URL address where a metadata can be downloaded from. In the latter option HTTPS is required. We don't accept plain HTTP (end points, etc.) within federation, anyway.

Skipping Tests

In order to skip a test, it is possible to pass HTTP GET variable skipCheck with a list of checks to be skipped. For the list of checks see validator.php and look for check*() functions.

Currently only checkScopeValue option supported.

Result

When the above tests are finished a XML document with the result is generated.

  • In case of no error or warning, the resulting XML document contains just a 0 (zero) as a value in <returncode> element and <message> element is empty:
<?xml version="1.0" encoding="UTF-8"?>
<validation>
    <returncode>0</returncode>
    <message></message>
</validation>
  • In case of an error (in the following example HTTP schema in entityID attribute of <md:EntityDescriptor> element) or warning, the resulting XML document contains a 2 (two) as a value in <returncode> element and a human readable error in <message> element:
<?xml version="1.0" encoding="UTF-8"?>
<validation>
    <returncode>2</returncode>
    <message>HTTP found in entityID. </message>
</validation>

Installation

You are free to download, change and use this script for you own SAML metadata validations, be it for you federation or just for metadata validation before requesting it to register in any SAML federation.

The very simple installation process is described in the README.md file.

Requirements

The script requires a web server (for example Apache, nginx, lighttpd, etc.) with a PHP support and the PHP requires support for XML.

  • Debian:
    # apt install apache2 php php-xml

  • Gentoo:
    # echo 'dev-lang/php exif gd xmlwriter' >> /etc/portage/package.use/php
    # emerge www-servers/apache dev-lang/php

Jagger Integration

To integrate SAML-validator to Jagger follow this procedure:

  1. Log in to Jagger as a user with appropriate privileges and go to Federations.
  2. Select desired federation by clicking on its name, navigate to Validators tab and click Add button.
  3. Type desired validator name, i.e. Example.org, in Federation validator name.
  4. Check Enabled check box by clicking on it.
  5. Check Enabled on provider registraion page check box by clicking on it.
  6. Check Mandatory check box by clicking on it. This causes metadata not passing the validations being unable to register.
  7. Type desired description, i.e. Example.org federation validator, in Description.
  8. Type the URL of your SAML-validator with trailing ? symbol, i.e. https://www.example.org/saml-validator/validator.php?, in URL of federation validator.
  9. Type GET in HTTP Method.
  10. Type filename in Arg name where entity metadata will be assigned to.
  11. To skip, for example, checking <shibmd:Scope> value, type skipCheck$:$checkScopeValue in Optional args to be sent in POST/GET.
  12. Type & in Args separator in URL (GET).
  13. Type returncode in Elements names containing return code.
  14. Type 0 in Expected value for success.
  15. Type 1 in Expected value for warning.
  16. Type 2 in Expected value for error.
  17. Type 3 in Expected value for critical.
  18. Type message in Elements names containing message.
Add a custom footer
Add a custom sidebar
Clone this wiki locally