-
Notifications
You must be signed in to change notification settings - Fork 4
Home
SAML-validator is a simple script written in PHP to validate SAML metadata. It consists of various tests that metadata has to pass before it is accepted to Czech academic identity federation eduID.cz or Testbed federation czTestFed.
The page speaks depending on the browser language -- if set to Czech or Slovak it speaks Czech, otherwise it speaks English.
This tool currently includes the following tests:
- Validity against
saml-schema-metadata-2.0.xsd
schema. - Validity agains
sstc-saml-metadata-ui-v1.0.xsd
schema. - Certificates have to be valid and the public keys have to satisfy the bit-size condition. 30 days (
$CERTIFICATE_VALIDITY
variable) and 2048 bits ($KEY_SIZE
variable) are the default values [1]. - Precisely one
<shibmd:Scope>
element is required within<md:IDPSSODescriptor>
element and zero or one is allowed within<md:AttributeAuthorityDescriptor>
element [2]. - The
regexp
attribute of all<shibmd:Scope>
elements must be equal to false value [3]. - The value of a
<shibmd:Scope>
elements must be equal to a substring of anentityID
of the entity [3]. - Elements
<mdui:DisplayName>
,<mdui:Description>
and<mdui:InformationURL>
contained within<mdui:UIInfo>
element must be present in Czech (xml:lang="cs"
) and English (xml:lang="en"
) language. - An element
<mdui:Logo>
contained within<mdui:UIInfo>
is mandatory for Identity Providers in order to show an icon in WAYF/DS. The logo is downloaded from the URL to test presence. Its filetype must be a standard raster image (such as JPG, PNG, GIF, etc.) or a vector SVG image (a XML document with the<svg>
root element). In case of a raster image, its dimensions are compared to width/height attributes of<Logo>
element -- they must be the same. - Metadata must contain excatly one
<md:Organization>
element with<md:OrganizationName>
,<md:OrganizationDisplayName>
and<md:OrganizationURL>
elements in both Czech (xml:lang="cs"
) and English (xml:lang="en"
) language. - At least one
<md:ContactPerson>
element withcontactType="technical"
attribute must be present and contain<md:GivenName>
,<md:SurName>
and<md:EmailAddress>
elements. - A correct content of
<eduidmd:RepublishRequest>
element for eduGAIN export or no<eduidmd:RepublishRequest>
element at all is required. - All URL addresses (
<mdui:Logo>
,<md:SingleSignOnService>
,<md:SingleLogoutService>
,<md:AssertionConsumerService>
, etc.) andentityID
attribute of<md:EntityDescriptor>
element must be HTTPS. - SAML 2.0 binding (
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
attribute) defined within<md:AttributeService>
element requires SAML 2.0 token (protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
attribute) in<md:AttributeAuthorityDescriptor>
element.
[1] In order to allow proper certificate roll over, the odd certificates might be expired or have a key bit-size lesser than defined.
[2] We do not allow any IdP to have more than one <shibmd:Scope>
presently. It might change in the future though.
[3] This might change in case of a justified reason for a particular entity.
There are two ways to test a metadata. Either by uploading a metadata file or by defining an URL address where a metadata can be downloaded from. In the latter option HTTPS is required. We don't accept plain HTTP (end points, etc.) within federation, anyway.
In order to skip a test, it is possible to pass HTTP GET variable skipCheck
with a list of checks to be skipped. For the list of checks see validator.php
and look for check*()
functions.
Currently only checkScopeValue
option supported.
When the above tests are finished a XML document with the result is generated.
- In case of no error or warning, the resulting XML document contains just a
0
(zero) as a value in<returncode>
element and<message>
element is empty:
<?xml version="1.0" encoding="UTF-8"?>
<validation>
<returncode>0</returncode>
<message></message>
</validation>
- In case of an error (in the following example HTTP schema in
entityID
attribute of<md:EntityDescriptor>
element) or warning, the resulting XML document contains a2
(two) as a value in<returncode>
element and a human readable error in<message>
element:
<?xml version="1.0" encoding="UTF-8"?>
<validation>
<returncode>2</returncode>
<message>HTTP found in entityID. </message>
</validation>
You are free to download, change and use this script for you own SAML metadata validations, be it for you federation or just for metadata validation before requesting it to register in any SAML federation.
The very simple installation process is described in the README.md file.
The script requires a web server (for example Apache, nginx, lighttpd, etc.) with a PHP support and the PHP requires support for XML.
-
Debian:
# apt install apache2 php php-xml
-
Gentoo:
# echo 'dev-lang/php exif gd xmlwriter' >> /etc/portage/package.use/php
# emerge www-servers/apache dev-lang/php
To integrate SAML-validator to Jagger follow this procedure:
- Log in to Jagger as a user with appropriate privileges and go to Federations.
- Select desired federation by clicking on its name, navigate to Validators tab and click Add button.
- Type desired validator name, i.e.
Example.org
, in Federation validator name. - Check Enabled check box by clicking on it.
- Check Enabled on provider registraion page check box by clicking on it.
- Check Mandatory check box by clicking on it. This causes metadata not passing the validations being unable to register.
- Type desired description, i.e.
Example.org federation validator
, in Description. - Type the URL of your SAML-validator with trailing
?
symbol, i.e.https://www.example.org/saml-validator/validator.php?
, in URL of federation validator. - Type
GET
in HTTP Method. - Type
filename
in Arg name where entity metadata will be assigned to. - To skip, for example, checking
<shibmd:Scope>
value, typeskipCheck$:$checkScopeValue
in Optional args to be sent in POST/GET. - Type
&
in Args separator in URL (GET). - Type
returncode
in Elements names containing return code. - Type
0
in Expected value for success. - Type
1
in Expected value for warning. - Type
2
in Expected value for error. - Type
3
in Expected value for critical. - Type
message
in Elements names containing message.