New metadata validation requirements based on the federation Technical Profile 1.0.0 are being enforced in Federationsadmin.
Summary of Enforced Sections (as of May 2025)
Section | Title | Applies to |
---|---|---|
2.1.3 | errorURL | Identity Providers (IdPs) |
2.1.6 | SAML certificates (signing) | Identity Providers |
3.1.4 | SAML certificates (encryption) | Service Providers (SPs) |
3.1.6 | RequestedAttributes | Service Providers |
Section 2.1.3 – errorURL (IdP)
Implemented: X May 2025
Requirement:
An Identity Provider MUST include an errorURL in its metadata.
“A Relying Party may use the errorURL of an Identity Provider to assist users in resolving login issues.”
IdPs SHOULD follow the SAML V2.0 Metadata Deployment Profile for errorURL.
Example:
```xml
<!-- errorURL is an attribute of the role descriptor in SAML 2.0 metadata, not a child element -->
<IDPSSODescriptor errorURL="https://idp.example.org/login-error" ...>
  ...
</IDPSSODescriptor>
```
Action: Ensure your IdP metadata contains a reachable errorURL.
Section 2.1.6 – Signing Certificate (IdP)
Implemented: X May 2025
Requirement:
An Identity Provider MUST include at least one signing certificate.
“A KeyDescriptor element with no use attribute or one set to signing.”
Example:
```xml
<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>MIID...snip...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
```
Action: Verify that a valid signing certificate is present in your metadata.
Section 3.1.4 – Encryption Certificate (SP)
Implemented: X May 2025
Requirement:
A Service Provider MUST include at least one encryption certificate.
“A KeyDescriptor element with no use attribute or one set to encryption.”
Example:
```xml
<KeyDescriptor use="encryption">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>MIIF...snip...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
```
Action: Ensure your SP metadata includes a valid encryption certificate.
Section 3.1.6 – Requested Attributes (SP)
Implemented: X May 2025
Requirement:
- Must include at least one AttributeConsumingService
- Each AttributeConsumingService must have:
  - ServiceName (with xml:lang)
  - ServiceDescription (with xml:lang)
  - At least one RequestedAttribute
- Each RequestedAttribute must include:
  - Name from the attribute profile
  - FriendlyName matching the same profile
  - NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Example:
```xml
<AttributeConsumingService index="1">
  <ServiceName xml:lang="en">Demo Service</ServiceName>
  <ServiceDescription xml:lang="en">Used for testing login functionality</ServiceDescription>
  <RequestedAttribute Name="urn:oid:1.2.752.29.4.13"
                      FriendlyName="norEduPersonNIN"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
</AttributeConsumingService>
```
Action: Add RequestedAttribute definitions that match the federation profile. Remember to use xml:lang for language tagging.
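The four enforced sections (2.1.3, 2.1.6, 3.1.4 and 3.1.6) can be pre-checked locally before metadata is uploaded. The script below is an added example, not Federationsadmin's validator or the external metadata validator mentioned under "Need Help?"; it uses only the Python standard library and checks the structural rules: the errorURL attribute on the IdP role descriptor, a KeyDescriptor with no use attribute or the required use value carrying a certificate, and the AttributeConsumingService shape with the uri NameFormat. It does not check whether a Name/FriendlyName pair belongs to the federation attribute profile, because the profile's attribute list is not on this page. The two metadata documents and their certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # how ElementTree names xml:lang
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def has_key_descriptor(role, use):
    """Sections 2.1.6 / 3.1.4: a KeyDescriptor with no 'use' attribute, or with
    use=<use>, that carries at least one non-empty ds:X509Certificate."""
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):
            continue
        certs = kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if any((c.text or "").strip() for c in certs):
            return True
    return False


def check_idp(idp):
    """Sections 2.1.3 and 2.1.6 for one IDPSSODescriptor."""
    errors = []
    # In the SAML 2.0 metadata schema errorURL is an attribute of the role descriptor.
    if not idp.get("errorURL", "").strip():
        errors.append("2.1.3: IDPSSODescriptor lacks errorURL")
    if not has_key_descriptor(idp, "signing"):
        errors.append("2.1.6: no signing certificate")
    return errors


def check_sp(sp):
    """Sections 3.1.4 and 3.1.6 for one SPSSODescriptor."""
    errors = []
    if not has_key_descriptor(sp, "encryption"):
        errors.append("3.1.4: no encryption certificate")
    services = sp.findall("md:AttributeConsumingService", NS)
    if not services:
        errors.append("3.1.6: no AttributeConsumingService")
    for acs in services:
        idx = acs.get("index", "?")
        for tag in ("ServiceName", "ServiceDescription"):
            elems = acs.findall(f"md:{tag}", NS)
            if not elems:
                errors.append(f"3.1.6: AttributeConsumingService {idx} lacks {tag}")
            elif not all(e.get(XML_LANG) for e in elems):
                errors.append(f"3.1.6: {tag} in AttributeConsumingService {idx} lacks xml:lang")
        requested = acs.findall("md:RequestedAttribute", NS)
        if not requested:
            errors.append(f"3.1.6: AttributeConsumingService {idx} has no RequestedAttribute")
        for ra in requested:
            name = ra.get("Name") or "<missing Name>"
            if not ra.get("Name"):
                errors.append("3.1.6: RequestedAttribute lacks Name")
            if not ra.get("FriendlyName"):
                errors.append(f"3.1.6: RequestedAttribute {name} lacks FriendlyName")
            if ra.get("NameFormat") != URI_NAME_FORMAT:
                errors.append(f"3.1.6: RequestedAttribute {name} NameFormat is not {URI_NAME_FORMAT}")
    return errors


def validate_metadata(xml_text):
    """Run the enforced checks over every IdP and SP role in the document."""
    root = ET.fromstring(xml_text)
    errors = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        errors.extend(check_idp(idp))
    for sp in root.iter(f"{{{NS['md']}}}SPSSODescriptor"):
        errors.extend(check_sp(sp))
    return errors


# Constructed sample metadata with placeholder certificate text (not real entities).
IDP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor errorURL="https://idp.example.org/login-error"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# An SP that would be rejected: signing-only certificate, ServiceName without
# xml:lang, no ServiceDescription, and a RequestedAttribute with the wrong NameFormat.
SP_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIF...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName>Demo Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="norEduPersonNIN"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Calling `validate_metadata(IDP_OK)` returns an empty list, while `validate_metadata(SP_BAD)` returns four findings, one per violated rule. A KeyDescriptor with no use attribute satisfies both the signing and the encryption check, exactly as the quoted profile text allows; removing ` use="signing"` from the SP sample therefore clears the 3.1.4 finding but leaves the three 3.1.6 findings.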
Enforcement Notes
The validator enforces these rules only when metadata is uploaded or updated. Existing metadata is unaffected unless resubmitted.
Need Help?
For validation help, you can:
- Use the external metadata validator,
- Review the technical profile,
- Contact your technical experts for information on how these rules affect your implementation,
- Contact us for any clarification: info@skolfederation.se