
Metadata

Metadata format

The eduID.cz federation requires metadata compatible with the SAML Metadata 2.0 specification.

:!: The metadata must contain information about the organization (the Organization element) and at least one technical contact (the ContactPerson element).
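A pre-submission check for the two requirements above, as an added example that is not part of the original page or the federation's own tooling. It assumes the file holds a single EntityDescriptor and that Organization and ContactPerson are looked for at entity level only; the function names and the sample document are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML Metadata 2.0 namespace
ORG_CHILDREN = ("OrganizationName", "OrganizationDisplayName", "OrganizationURL")

def q(tag):
    """Qualify a tag name with the metadata namespace."""
    return "{%s}%s" % (MD, tag)

def check_metadata(xml_text):
    """Return a list of problems; an empty list means both requirements are met."""
    # Intended for your own metadata file; parse untrusted XML with a hardened parser.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != q("EntityDescriptor"):
        return ["root element is %s, expected EntityDescriptor" % root.tag]
    problems = []
    org = root.find(q("Organization"))  # assumption: checked at entity level only
    if org is None:
        problems.append("missing Organization element")
    else:
        # The SAML metadata schema requires these three children.
        for name in ORG_CHILDREN:
            el = org.find(q(name))
            if el is None or not (el.text or "").strip():
                problems.append("Organization lacks " + name)
    contacts = root.findall(q("ContactPerson"))
    if not any(c.get("contactType") == "technical" for c in contacts):
        problems.append('no ContactPerson with contactType="technical"')
    return problems

# Constructed sample: a support contact only and no Organization element.
BAD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <ContactPerson contactType="support">
    <EmailAddress>mailto:help@example.org</EmailAddress>
  </ContactPerson>
</EntityDescriptor>"""

if __name__ == "__main__":
    # Check the file named on the command line, or the constructed sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD
    for problem in check_metadata(text) or ["OK"]:
        print(problem)
```

Run it with the metadata file as the only argument; it prints OK when both required elements are present.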

Metadata publication

Metadata publication is the process in which the administrative contact responsible for the component (service provider) submits its metadata to the operator of the eduID.cz federation. The operator verifies the metadata and, if they are valid, includes them in the federation metadata.

The eduID.cz federation requires that metadata publication be performed in a secure way and that only authorised personnel submit metadata for a federation component. All members from the Czech academic community must use S/MIME signed emails for metadata submissions. Signing certificates are issued by the CESNET CA. The CESNET CA issues X.509 certificates only to individuals who personally visit the CESNET RA Office.

External members of the eduID.cz federation, especially those situated outside the Czech Republic, can use alternative ways of metadata submission. These alternatives do not require a visit to the CESNET RA Office, but still guarantee a high level of assurance that the metadata are submitted by authorised personnel and have not been modified by a third party.

Publication by S/MIME signed email

The metadata need to be sent to eduid-admin@eduid.cz as an email attachment by the respective administrative contact. The email must contain details that allow the sender to be verified. The sender address must be the same as the one registered in the appointment form, and the email must carry a valid S/MIME signature. The certificate used for the S/MIME signature must be issued to the person appointed as the administrative contact and must contain that person's registered email address.

List of accepted CAs:

  • CESNET CA - this CA requires a personal visit and mainly serves the Czech academic community. It is not suitable for external/foreign partners situated outside the Czech Republic.
  • Any accredited commercial CA. If the administrative contact has a personal certificate issued by a commercial CA, it may be used as well, but the issuing CA should first be accredited by the operator of the eduID.cz federation. Send your requests to eduid-admin@eduid.cz.

Publication by email and FAX or mail

The following method may be used as an alternative way of metadata submission if S/MIME signed emails cannot be used.

The metadata need to be sent to eduid-admin@eduid.cz as an email attachment by the respective administrative contact. The email must contain details that allow the sender to be verified. The sender email address must be the same as the one registered in the appointment form.

Along with the email, a metadata waybill must be faxed to +420 224 313 211 or sent by post to the following address:

  eduID.cz admin
  CESNET, z. s. p. o.
  Zikova 4
  160 00 Praha 6
  Czech Republic

:!: Scanned versions sent by email will not be accepted.

SHA1 hash calculation on Linux

Simply use the program called sha1sum:

  semik@doma:$ sha1sum www.cesnet.cz.metadata.xml 
  51bbb62b3cd34dde716631bce445bb8ae39a906d  www.cesnet.cz.metadata.xml

SHA1 hash calculation on Windows

On Windows you must first download the fciv utility. The usage is simple:

  E:\>fciv -sha1 www.cesnet.cz.metadata.xml
  // File Checksum Integrity Verifier version 2.05.
  51bbb62b3cd34dde716631bce445bb8ae39a906d www.cesnet.cz.metadata.xml

SHA1 hash calculation on OS X

On Mac it is simple too:

  MacBook-jp:~ pavlik$ /usr/bin/openssl sha1 www.cesnet.cz.metadata.xml
  SHA1(www.cesnet.cz.metadata.xml)= 51bbb62b3cd34dde716631bce445bb8ae39a906d

Metadata distribution

The federation metadata are available at a location accessible through HTTP and maintained by the operator of the federation. The valid URLs as well as other technical details are available in the Souhrn technických detailů (Summary of technical details) section.

Last modified: 2017/02/10 07:02