New metadata validation requirements based on the federation Technical Profile 1.0.0 are being enforced in Federationsadmin.
Summary of Enforced Sections (as of June 2025)
| Section | Title | Applies to | Implemented |
|---|---|---|---|
| 2.1.3 | errorURL | Identity Providers (IdPs) | X June 2025 |
| 2.1.6 | SAML certificates (signing) | Identity Providers | X June 2025 |
| 3.1.4 | SAML certificates (encryption) | Service Providers (SPs) | X June 2025 |
| 3.1.6 | RequestedAttributes | Service Providers | X June 2025 |
Section 2.1.3 – errorURL
Implemented: X June 2025
Requirement:
An Identity Provider MUST include an errorURL element in its metadata.
“A Relying Party may use the errorURL of an Identity Provider to assist users in resolving login issues.”
IdPs SHOULD follow the SAML V2.0 Metadata Deployment Profile for errorURL.
Example:
<md:IDPSSODescriptor errorURL="https://example.com/ERRORURL_CODE">
Action: Ensure your IdP metadata contains a reachable errorURL.
Generic errorURL
A generic errorURL is provided by Skolfederation as an example. More info <here>(länka till en sida som beskriver den)
Section 2.1.6 – SAML certificates (signing)
Implemented: X June 2025
Requirement:
An Identity Provider MUST include at least one signing certificate.
“A KeyDescriptor element with no
useattribute or one set tosigning.”
Example with use attribute set to signing:
<md:KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> <example-certificate-contents> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor>
Example with no use attribute set:
<md:KeyDescriptor> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> <example-certificate-contents> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor>
Action: Verify that a valid signing certificate is present in your metadata.
Section 3.1.4 – SAML certificates (encryption)
Implemented: X June 2025
Requirement:
A Service Provider MUST include at least one encryption certificate.
“A KeyDescriptor element with no
useattribute or one set toencryption.”
Example with use attribute set to encryption:
<md:KeyDescriptor use="encryption"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> <example-certificate-contents> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor>
Example with no use attribute set:
<md:KeyDescriptor> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> <example-certificate-contents> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor>
Action: Ensure your SP metadata includes a valid encryption certificate.
Section 3.1.6 – Requested Attributes (SP)
Implemented: X May 2025
Requirement:
- Must include at least one
AttributeConsumingService - Each
AttributeConsumingServicemust have:ServiceName(withxml:lang)ServiceDescription(withxml:lang)- At least one
RequestedAttribute
Each RequestedAttribute must include:
Namefrom the attribute profileFriendlyNamematching the same profileNameFormat=urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Example:
xml <AttributeConsumingService index="1"> <ServiceName xml:lang="en">Demo Service</ServiceName> <ServiceDescription xml:lang="en">Used for testing login functionality</ServiceDescription> <RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="norEduPersonNIN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> </AttributeConsumingService>
Action: Add RequestedAttribute definitions that match the federation profile. Remember to use xml:lang for language tagging.
Enforcement Notes
The validator enforces these rules only when metadata is uploaded or updated. Existing metadata is unaffected unless resubmitted.
Need Help?
For validation help, you can:
- Use the external metadata validator,
- Review the technical profile,
- Contact your technical expertise for information how these rules affect your implementation,
- Contact us for any clarification: info@skolfederation.se