====== eduID.cz metadata profile ======

SAML entities of eduID.cz members provide their metadata conforming to [[http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf|Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0]] and [[http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.pdf|OASIS SAML V2.0 Metadata Interoperability Profile Version 1.0]]. In addition, their metadata must fulfil the requirements specified in this document.

**XML namespaces used**

^Prefix^Namespace URL^
|''md''|''urn:oasis:names:tc:SAML:2.0:metadata''|
|''mdrpi''|''urn:oasis:names:tc:SAML:metadata:rpi''|
|''mdui''|''urn:oasis:names:tc:SAML:metadata:ui''|
|''shibmd''|''urn:mace:shibboleth:metadata:1.0''|

===== Common rules (both IdPs and SPs) =====

  - the root element ''md:EntityDescriptor'' must contain the ''entityID'' attribute
  - ''entityID'' must be defined as a URL with the ''https'' scheme
  - the //hostname// in the ''entityID'' URL must be a fully qualified domain name (an IP address, "localhost" and other reserved domain names according to [[http://tools.ietf.org/html/rfc2606|RFC 2606]] are not acceptable)
  - endpoints
    - must be defined as URLs with the ''https'' scheme
    - their //hostnames// must be provided as fully qualified domain names
    - the //hostnames// must be registered by the organization operating the pertinent Entity
  - public keys of Entities
    - should be provided as self-signed X.509 certificates (Note: //eduID.cz// stops publishing an EntityDescriptor as soon as the remaining validity of any of its certificates becomes shorter than 30 days)
    - should be RSA public keys with a minimal length of 2048 bits
  - element ''md:Organization''
    - every ''md:EntityDescriptor'' must contain exactly one ''md:Organization'' element
    - ''md:Organization'' describes the organization operating the Entity, not project or department names; for those use the ''mdui'' elements
    - ''md:Organization'' must contain the element ''md:OrganizationName'' with the official name of the organization operating the Entity in English and in Czech; usage of abbreviations is strongly discouraged
    - ''md:Organization'' must contain the element ''md:OrganizationDisplayName'' with the commonly recognized name of the organization operating the Entity in English and in Czech; usage of abbreviations and of the legal form is strongly discouraged
    - ''md:Organization'' must contain the element ''md:OrganizationURL'' specifying the location of additional information about the organization operating the Entity in English and in Czech
  - ''md:ContactPerson''
    - every ''md:EntityDescriptor'' must contain at least one element ''md:ContactPerson'' with ''contactType="technical"'' containing ''md:GivenName'', ''md:SurName'' and ''md:EmailAddress'' referring to a technical contact person with a working email address
  - Role Descriptors
    - each ''md:IDPSSODescriptor'', ''md:SPSSODescriptor'' and ''md:AttributeAuthorityDescriptor'' should contain ''md:Extensions'' with ''mdui:UIInfo'' containing at least the following elements:
      - ''mdui:DisplayName'' with the display name of the entity in English and in Czech; usage of abbreviations and of the legal form is strongly discouraged
      - ''mdui:Description'' with the description of the entity in English and in Czech

===== Identity Providers =====

  - ''md:IDPSSODescriptor''
    - must contain ''md:Extensions'' containing ''shibmd:Scope''
      * the value of ''shibmd:Scope'' must be unique, preferably the main registered DNS domain of the organization operating the pertinent IdP
    - at least one ''md:NameIDFormat''
      * at least one ''md:NameIDFormat'' must be ''urn:oasis:names:tc:SAML:2.0:nameid-format:transient''
      * at least one ''md:NameIDFormat'' should be ''urn:oasis:names:tc:SAML:2.0:nameid-format:persistent''; supporting the persistent NameIDFormat is strongly advised
    - must contain ''md:Extensions'' with ''mdui:UIInfo'' containing
      - ''mdui:DisplayName'' with the commonly recognized name of the organization operating the Entity in English and in Czech
        * usage of abbreviations is strongly discouraged
        * usage of the legal form is strongly discouraged
        * if any organization units are included, they should be written from the most significant to the least significant (e.g. CESNET, Department of Standardization)
      - ''mdui:Description'' with a short description of the purpose of the IdP in English and in Czech
      - ''mdui:InformationURL'' with a URL holding more information about the IdP in English and in Czech (not about the organization running the IdP)
      - ''mdui:Logo'' with an HTTPS (!) URL holding the logo of the organization operating the Entity
        * English and Czech versions of the logo are possible if needed
        * there should be at least one version of the logo designated for the [[cs:tech:wayf:idp|WAYF/DS]] operated by eduID.cz with a height of 40px
    - an entity requesting to be republished into eduGAIN must provide those elements

===== Service Provider =====

  - ''md:SPSSODescriptor''
    - must contain ''md:Extensions'' with ''mdui:UIInfo'' containing
      - ''mdui:DisplayName'' with the display name of the entity in English and in Czech; usage of abbreviations and of the legal form is strongly discouraged
      - ''mdui:Description'' with the description of the entity in English and in Czech
        * this information might be used at an IdP to inform users about the purpose of the SP
      - ''mdui:InformationURL'' with a URL holding more information about the SP in English and in Czech (not about the organization running the SP)
    - each ''md:SPSSODescriptor'' should contain ''md:AttributeConsumingService'' listing all attributes requested by this SP as ''md:RequestedAttribute'' elements with ''isRequired="true"'' for required attributes and ''isRequired="false"'' for merely useful attributes
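A checker for a subset of the rules above (the ''entityID'' and endpoint URL rules from the common rules, exactly one ''md:Organization'', a technical ''md:ContactPerson'', and ''shibmd:Scope'' plus the transient NameIDFormat for Identity Providers), added here as an example and not part of eduID.cz's own registration tooling; the EntityDescriptor it parses is a constructed sample, and it does not check certificate validity or RSA key length.

```python
# Added example (not eduID.cz tooling): stdlib checker for a subset of the rules above; SAMPLE is constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}
RFC2606_TLDS = ("test", "example", "invalid", "localhost")
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def url_problem(url, what):
    # Rule: https scheme and a fully qualified host (no IP literal, no RFC 2606 reserved name).
    u = urlparse(url)
    host = (u.hostname or "").rstrip(".")
    if u.scheme != "https":
        return f"{what}: scheme must be https ({url})"
    if ":" in host or host.replace(".", "").isdigit():  # IPv6 literal or dotted IPv4
        return f"{what}: IP address not allowed ({url})"
    if "." not in host or host.rsplit(".", 1)[1] in RFC2606_TLDS:
        return f"{what}: host must be a fully qualified domain name ({url})"
    return None

def check_entity(xml_text):
    # Returns the list of violated rules; an empty list means this subset is satisfied.
    ed = ET.fromstring(xml_text)
    eid = ed.get("entityID")
    p = "entityID attribute missing" if eid is None else url_problem(eid, "entityID")
    problems = [p] if p else []
    for el in ed.iter():  # every SAML endpoint element carries a Location attribute
        if el.get("Location") and (p := url_problem(el.get("Location"), el.tag.rsplit("}", 1)[-1])):
            problems.append(p)
    if len(ed.findall("md:Organization", NS)) != 1:
        problems.append("exactly one md:Organization required")
    if not any(c.get("contactType") == "technical" and all(c.findtext(f"md:{e}", "", NS).strip()
               for e in ("GivenName", "SurName", "EmailAddress")) for c in ed.findall("md:ContactPerson", NS)):
        problems.append("technical md:ContactPerson with GivenName, SurName and EmailAddress required")
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        if idp.find("md:Extensions/shibmd:Scope", NS) is None:
            problems.append("IdP: shibmd:Scope missing")
        if TRANSIENT not in [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]:
            problems.append("IdP: transient md:NameIDFormat missing")
    return problems

SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 entityID="https://idp.example-uni.cz/idp/shibboleth"><md:IDPSSODescriptor><md:Extensions>
 <shibmd:Scope regexp="false">example-uni.cz</shibmd:Scope></md:Extensions>
 <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example-uni.cz/idp/profile/SAML2/Redirect/SSO"/>
 </md:IDPSSODescriptor><md:Organization><md:OrganizationName>Example University</md:OrganizationName></md:Organization>
 <md:ContactPerson contactType="technical"><md:GivenName>Jan</md:GivenName><md:SurName>Novak</md:SurName>
 <md:EmailAddress>idp-admin@example-uni.cz</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>"""
```

Running ''check_entity(SAMPLE)'' returns an empty list; dropping the technical contact or changing an endpoint to ''http'' produces one message per violated rule.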