CAF – Critical Configuration Policies

Configuring your Identity Provider or Service Provider is critical to the operation and security of the federation. The reference FIM software and the CANARIE IdP installer are capable of adhering to these elements. Other software may not be. In cases where your chosen platform cannot meet these requirements, steps should be taken to mitigate the deficiency in order to be on equal footing with your peers in the federation. While FIM relies on the SAML2int and Kantara Interop profiles mentioned in Section 5, we consider the following items critical to participation in the federation operation and trust fabric:

Entities MUST validate all production aggregates

Implementations MUST be able to validate the authenticity and integrity of SAML metadata by verifying an enveloped XML Signature attached to the root element of the metadata. Reference: Kantara Interop [IIP-MD03]
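The following is an added example, not code from CAF, CANARIE or the reference FIM software, of the checks a relying party applies to a fetched aggregate before trusting it: the ds:Signature must be a direct child of the root element and reference that element with the enveloped-signature transform, validUntil must not have passed, and the certificate carried in ds:KeyInfo is only compared against a pinned federation signing certificate rather than trusted on its own. The structural checks use the Python standard library; the cryptographic verification is delegated to python-xmlsec (lxml + xmlsec), an assumed dependency that is only imported when verify_signature() is called. The sample aggregate, its placeholder certificate and SignatureValue, and the entityID are constructed for the example.

```python
"""Checks a relying party applies to a SAML metadata aggregate (added example,
not CAF or CANARIE code). Structural checks use the standard library only;
crypto is delegated to python-xmlsec, assumed installed for verify_signature()."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def cert_fingerprint(cert_b64):
    """SHA-256 hex digest over the DER bytes inside a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def precheck_aggregate(xml_bytes, trusted_fingerprint, now=None):
    """Return the list of reasons to reject the aggregate; [] means it passed.
    (For untrusted input, parse with defusedxml instead of xml.etree to avoid
    entity-expansion attacks; the checks below are unchanged.)"""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.tag not in ("{%s}EntitiesDescriptor" % NS["md"],
                        "{%s}EntityDescriptor" % NS["md"]):
        return ["root element is not SAML metadata: %s" % root.tag]
    # The signature must be a direct child of the root so that it covers every
    # entity in the aggregate, not just one EntityDescriptor somewhere inside it.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature as a direct child of the root element"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    root_id = root.get("ID")
    if ref is None or not root_id or ref.get("URI") != "#" + root_id:
        problems.append("ds:Reference does not point at the root element")
    else:
        transforms = {t.get("Algorithm")
                      for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        if ENVELOPED not in transforms:
            problems.append("enveloped-signature transform missing")
    # A correctly signed but expired aggregate is stale and must not be replayed.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("validUntil missing")  # this example's own policy choice
    else:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("aggregate expired at %s" % valid_until)
    # Trust comes from the pinned federation signing certificate; ds:KeyInfo is
    # attacker-controlled data and is only compared against that pin.
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 and cert_fingerprint(cert_b64) != trusted_fingerprint:
        problems.append("KeyInfo certificate does not match the pinned signing certificate")
    return problems


def verify_signature(xml_bytes, trusted_cert_pem_path):
    """Cryptographically verify the root signature with python-xmlsec (assumed
    installed) against the pinned PEM certificate; raises xmlsec.Error on failure."""
    import lxml.etree as LET
    import xmlsec
    doc = LET.fromstring(xml_bytes, LET.XMLParser(resolve_entities=False))
    xmlsec.tree.add_ids(doc, ["ID"])           # lets xmlsec resolve URI="#<ID>"
    sig_node = doc.find("ds:Signature", NS)    # direct child only, as in precheck
    ctx = xmlsec.SignatureContext()
    ctx.key = xmlsec.Key.from_file(trusted_cert_pem_path,
                                   xmlsec.constants.KeyDataFormatCertPem)
    ctx.verify(sig_node)


# Constructed sample aggregate: certificate, SignatureValue and entityID are placeholders.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_FINGERPRINT = cert_fingerprint(SAMPLE_CERT_B64)


def _signature(ref_id):
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>'
            f'</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature>')


def build_sample(sign_root=True, valid_until="2099-01-01T00:00:00Z"):
    """Aggregate signed on the root (sign_root=True) or, wrongly, only on one
    EntityDescriptor inside it (sign_root=False)."""
    on_root = _signature("_agg") if sign_root else ""
    on_entity = "" if sign_root else _signature("_ent")
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" ID="_agg" validUntil="{valid_until}">'
            f'{on_root}<md:EntityDescriptor ID="_ent" entityID="https://idp.example.org/idp">'
            f'{on_entity}</md:EntityDescriptor></md:EntitiesDescriptor>').encode()
```

In practice precheck_aggregate() and verify_signature() are run in that order on every freshly fetched aggregate, and the aggregate replaces the cached copy only when both pass; a failure leaves the previous good copy in place until its own validUntil expires. The pinned fingerprint and PEM file are the federation's published signing certificate, obtained out of band rather than from the metadata itself.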

Entities SHOULD fetch aggregates in a timely fashion

Entities SHOULD fetch the FIM aggregates hourly to stay current with the latest metadata.

Entities SHOULD apply generally accepted security practices to their entity

Entities and their connected systems directly supporting FIM should apply generally accepted security practices, such as keeping software versions current and systems patched.

Entities SHOULD ensure federation metadata is accurate and complete

Organizations SHOULD keep CANARIE informed of their latest metadata, which should include Metadata User Interface (MDUI) information, a privacy URL, and technical, administrative, and security contacts.