
New metadata validation requirements based on the federation Technical Profile 1.0.0 are being enforced in Federationsadmin.

Summary of Enforced Sections (as of June 2025)

Section  Title                           Applies to                 Implemented
2.1.3    errorURL                        Identity Providers (IdPs)  X June 2025
2.1.6    SAML certificates (signing)     Identity Providers         X June 2025
3.1.4    SAML certificates (encryption)  Service Providers (SPs)    X June 2025
3.1.6    RequestedAttributes             Service Providers          X June 2025

Section 2.1.3 – errorURL

...

Implemented: X June 2025

Requirement:
An Identity Provider MUST include an errorURL element in its metadata.

...

IdPs SHOULD follow the SAML V2.0 Metadata Deployment Profile for errorURL.

Example (errorURL is an attribute of the IDPSSODescriptor element, not a child element):

Code Block
<md:IDPSSODescriptor errorURL="https://example.com/ERRORURL_CODE">
	...
</md:IDPSSODescriptor>


Action: Ensure your IdP metadata contains a reachable errorURL.

Generic errorURL

A generic errorURL is provided by Skolfederation as an example. More info <here> (link to a page that describes it)

Section 2.1.6 – SAML certificates (signing)

Implemented: X June 2025

Requirement:
An Identity Provider MUST include at least one signing certificate.

“A KeyDescriptor element with no use attribute or one set to signing.”

Example with use attribute set to signing:

Code Block
<md:KeyDescriptor use="signing">
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Example with no use attribute set:

Code Block
<md:KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>


Action: Verify that a valid signing certificate is present in your metadata.

Section 3.1.4 – SAML certificates (encryption)

Implemented: X June 2025

Requirement:
A Service Provider MUST include at least one encryption certificate.

“A KeyDescriptor element with no use attribute or one set to encryption.”

Example with use attribute set to encryption:

Code Block
<md:KeyDescriptor use="encryption">
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Example with no use attribute set:

Code Block
<md:KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>


Action: Ensure your SP metadata includes a valid encryption certificate.

Section 3.1.6 – Requested Attributes (SP)

Implemented: X May 2025

Requirement:

...

Action: Add RequestedAttribute definitions that match the federation profile. Remember to use xml:lang for language tagging.
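As an added example (not the Federationsadmin validator's own code), the following Python script applies the four enforced sections above to a metadata document before it is uploaded, so that a failing rule is found locally rather than at submission. The sample SP metadata, its entityID, the certificate placeholder and the attribute name are constructed for illustration; reachability of the errorURL is not tested, only its presence.

```python
# Added example, not the Federationsadmin validator: pre-submission check of the four enforced sections.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def has_cert(role, wanted_use):
    """True if a KeyDescriptor with no use attribute, or use=wanted_use, carries a certificate."""
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, wanted_use):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                return True
    return False

def validate_metadata(xml_text):
    """Return findings tagged with the profile section; an empty list means every rule passes."""
    findings = []
    root = ET.fromstring(xml_text)
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        if not (idp.get("errorURL") or "").strip():  # 2.1.3: errorURL is an attribute of the role
            findings.append("2.1.3: IDPSSODescriptor has no errorURL attribute")
        if not has_cert(idp, "signing"):  # 2.1.6
            findings.append("2.1.6: IdP has no signing certificate")
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        if not has_cert(sp, "encryption"):  # 3.1.4
            findings.append("3.1.4: SP has no encryption certificate")
        services = sp.findall("md:AttributeConsumingService", NS)
        if not any(s.findall("md:RequestedAttribute", NS) for s in services):  # 3.1.6
            findings.append("3.1.6: SP declares no RequestedAttribute")
        for s in services:
            for name in s.findall("md:ServiceName", NS):  # language tagging required
                if name.get(XML_LANG) is None:
                    findings.append("3.1.6: ServiceName lacks xml:lang")
    return findings

# Constructed sample: the SP's only KeyDescriptor is signing-only and ServiceName has no xml:lang.
SAMPLE_SP = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.org">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AttributeConsumingService index="0">
      <md:ServiceName>Example service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Calling validate_metadata(SAMPLE_SP) reports the 3.1.4 and 3.1.6 findings; changing the KeyDescriptor to use="encryption" (or dropping the use attribute) and adding xml:lang to ServiceName clears both.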

Enforcement Notes

The validator enforces these rules only when metadata is uploaded or updated. Existing metadata is unaffected unless resubmitted.

Need Help?

For validation help, you can:

...