UK federation Operational Information

Federation metadata

Availability and integrity of UK federation metadata

You can download the production UK federation metadata from:

UK federation metadata should be accessed through the DNS name metadata.ukfederation.org.uk, which resolves to both IPv4 and IPv6 addresses (A and AAAA records). These DNS records have a low time-to-live value (currently 5 minutes) so that the Metadata Publication Service can be reconfigured rapidly. Full details may be found in section 4 of the UK federation Federation Technical Specifications.

Integrity of our metadata can be checked by verifying the digital signature on the document. You can download the certificate used to verify the signature from ukfederation.pem. Your identity provider or service provider must be configured to verify the signature for each new metadata file downloaded.

As this certificate is initially obtained over HTTP, you should not rely on it until you have checked the certificate's fingerprint by phone with the UK federation help desk. Instructions on how to calculate the certificate fingerprint are provided separately.

You should compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact us by telephone. Our phone number can be found on the federation helpdesk contact information page, or you can use an independent source to find it. Full details can be found in section 4 of the UK federation Technical Recommendations for Participants.
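The fingerprint check described above, as an added example that is not the federation's own tooling: it decodes a PEM certificate to DER, prints the fingerprint in the same colon-separated form that openssl does, and compares it in constant time with the value read out by the help desk. The PEM and DER bytes here are constructed stand-ins, not the real ukfederation.pem.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for ukfederation.pem: the payload is arbitrary bytes,
# not a real certificate, so the fingerprint it yields is only illustrative.
SAMPLE_DER = b"example-der-bytes-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the base64 body of the first CERTIFICATE block and decode it to DER."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.S,
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER, the notation openssl prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop colons, spaces and case so a value dictated over the phone compares cleanly."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(computed: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints written in any common notation."""
    return hmac.compare_digest(normalise(computed), normalise(expected))


if __name__ == "__main__":
    # Same result as: openssl x509 -in ukfederation.pem -noout -fingerprint -sha256
    print("SHA256 Fingerprint=" + fingerprint(pem_to_der(SAMPLE_PEM)))
```

Only after matches() returns True for the value obtained by telephone should the certificate be installed as the trust anchor for metadata signature verification.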

We are often asked "why do you not serve metadata over HTTPS to protect against man-in-the-middle attacks?". TLS certainly provides confidentiality and integrity checking during transfer. The third security property -- authenticity -- is provided by the certificate that protects the TLS connection. However, UK federation metadata is not confidential, so we do not need transport encryption. Integrity and authenticity of the aggregate are provided by XML signatures, as documented in the Technical Recommendations and the Federation Technical Specifications. This is message-level protection against man-in-the-middle attacks, rather than the transport-level protection that TLS can provide, and it is the typical metadata publishing pattern for academic SAML federations.

Publishing Schedule

The UK federation normally makes updates to its published metadata aggregates once per working day (Monday to Friday). Please note that the office is closed over the Christmas and New Year break and on other UK bank holidays.

The signing and publishing process includes manual checks and multiple scheduled processes, so we cannot guarantee a particular time at which metadata is published.

Once published, metadata takes some time to propagate around the UK federation. We cannot give an accurate estimate for how long this takes as the metadata is pulled from our servers by the individual entities. We say in the UK federation Technical Recommendations for Participants that a daily refresh operation should be regarded as normal (section 4.2), and we recommend that SPs check for updated metadata every 4 hours.

We usually publish updated metadata towards the end of the working day, that is to say late afternoon UK time. This means that the day's metadata updates will normally have propagated throughout the federation in time for the start of the next working day.

Testing new deployments

Attributes used in the UK federation

See Attribute usage for details.

History

The SDSS development federation was the forerunner of the UK federation.