Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Current »

Contact Information in Metadata

The principal use of contact information in metadata is to enable effective communication between Federation participants, especially when systems fail, when users encounter problems, or when a security incident occurs.

A secondary function is to support user interfaces (UIs) but much of the contact information displayed by an identity provider or service provider (for example on error, discovery, login, or consent pages) is self-owned and therefore known by the presenting site. A notable exception is an identity provider contact suitable for brokering attribute release changes when users encounter failures accessing services because the Requested Attributes are not released to SPs.

CCC Contacts Registered with InCommon

Below are the four contacts required in Federation metadata and the CCC Contacts that align to them:

TypeDescriptionRegistered CCC ContactCorresponding Person
Technicaltechnical issues such as troubleshooting software, systems, or networking issues

sso_technicalcontact@ccctechcenter.org


Administrativenon-technical issues such as attribute release policy, on-boarding issues, privacy, assurance certification and assurance qualifiers, etc.sso_admincontact@ccctechcenter.org

Adrian Teo, Chief Technology Officer, ateo@ccctechcenter.org

Securitysecurity matters, especially for the purposes of Federated Security Incident Responsesso_securitycontact@ccctechcenter.org

Aamir Khan, Information Security Officer, akhan@ccctechcenter.org

Supportend-user technical support but may also handle questions from users regarding attribute release policy, user privacy, access issues relating to assurance, etc.sso_supportcontact@ccctechcenter.orgDavid Albrecht, Senior Systems Engineer, dalbrecht@ccctechcenter.org

User Scenarios 

This information was taken directly from InCommon website: Contacts in Metadata


Here are a number of hypothetical user scenarios that rely on contact information:

  • A user authenticates successfully at the IdP and is subsequently redirected to the SP. The SP software, seeing that the SAML assertion does not contain the desired attributes, links to the IdP's errorURL location, if available. In addition to displaying a message to the user, the SP software sends a back-channel message to an institutional administrative contact at the IdP, describing in detail the event that just occurred. The message includes a pointer to the SP's Requested Attributes in metadata.
  • A user encounters and reports a technical failure while accessing a service. The SP's support staff determine that the user's IdP is misconfigured (e.g., its clock is off), and informs the technical contact at the IdP.
  • A user encounters and reports a technical failure while accessing a service. The SP's support staff determine that the user's environment is at fault, and assists the user in informing the support contact at the IdP.
  • A user's assurance status is downgraded due to password compromise. They reset their password, but can't get to their grant submission site. The SP's support staff determine that the users assurance level is too low and assists the person in informing the support contact of the IdP.

Reliable contact information in metadata will enable workflows and scenarios such as those described above.

Technical Details

Here is an example of an appropriate set of <md:ContactPerson> elements in metadata:


<md:ContactPerson contactType="technical"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:GivenName>Technical Support Team</md:GivenName>
  <md:EmailAddress>mailto:tech_support@example.org</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="administrative"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:GivenName>Office of Administrative Support</md:GivenName>
  <md:EmailAddress>mailto:admin_support@example.org</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:GivenName>Help Desk</md:GivenName>
  <md:EmailAddress>mailto:help_desk@example.org</md:EmailAddress>
</md:ContactPerson>
  
<!-- there are two types of security contacts in metadata but both serve the same purpose -->
  
<!-- security contact with (legacy) InCommon syntax -->
<md:ContactPerson contactType="other"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:icmd="http://id.incommon.org/metadata"
     icmd:contactType="http://id.incommon.org/metadata/contactType/security">
  <md:GivenName>IT Security Office</md:GivenName>
  <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
</md:ContactPerson>
 
<!-- security contact with REFEDS syntax -->
<md:ContactPerson contactType="other"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:remd="http://refeds.org/metadata"
     remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:GivenName>IT Security Office</md:GivenName>
  <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
</md:ContactPerson>
  • No labels