Summary of Enforced Sections (as of June 2025)

Section 2.1.3 – errorURL

Implemented: X June 2025

Requirement:
An Identity Provider MUST include an errorURL element in its metadata.

“A Relying Party may use the errorURL of an Identity Provider to assist users in resolving login issues.”

IdPs SHOULD follow the SAML V2.0 Metadata Deployment Profile for errorURL.

Example:

<md:IDPSSODescriptor errorURL="https://example.com/ERRORURL_CODE">

Action: Ensure your IdP metadata contains a reachable errorURL.

Generic errorURL

A generic errorURL is provided by Skolfederation as an example. More info <here>(länka till en sida som beskriver den)

Section 2.1.6 – SAML certificates (signing)

Implemented: X June 2025

Requirement:
An Identity Provider MUST include at least one signing certificate.

“A KeyDescriptor element with no use attribute or one set to signing.”

Example with use attribute set to signing:

<md:KeyDescriptor use="signing">
 	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Example with no use attribute set:

<md:KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Action: Verify that a valid signing certificate is present in your metadata.

Section 3.1.4 – SAML certificates (encryption)

Implemented: X June 2025

Requirement:
A Service Provider MUST include at least one encryption certificate.

“A KeyDescriptor element with no use attribute or one set to encryption.”

Example with use attribute set to encryption:

<md:KeyDescriptor use="encryption">
 	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Example with no use attribute set:

<md:KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
				<example-certificate-contents>
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</md:KeyDescriptor>

Action: Ensure your SP metadata includes a valid encryption certificate.

Section 3.1.6 – Requested Attributes (SP)

Implemented: X May 2025

Requirement:

• Must include at least one AttributeConsumingService
• Each AttributeConsumingService must have:
  • ServiceName (with xml:lang)
  • ServiceDescription (with xml:lang)
  • At least one RequestedAttribute

Each RequestedAttribute must include:

• Name from the attribute profile
• FriendlyName matching the same profile
• NameFormat = urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Example:

xml <AttributeConsumingService index="1"> <ServiceName xml:lang="en">Demo Service</ServiceName> <ServiceDescription xml:lang="en">Used for testing login functionality</ServiceDescription> <RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="norEduPersonNIN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> </AttributeConsumingService>

Action: Add RequestedAttribute definitions that match the federation profile. Remember to use xml:lang for language tagging.

Enforcement Notes

The validator enforces these rules only when metadata is uploaded or updated. Existing metadata is unaffected unless resubmitted.

Need Help?

For validation help, you can:

• Use the external metadata validator,
• Review the technical profile,
• Contact your technical expertise for information how these rules affect your implementation,
• Contact us for any clarification: info@skolfederation.se