Protocol
The protocol used by the Federation for the exchange of information among its members is SAML version 2.0 [1].
Software
CAFe supports the Shibboleth [2] system in its 2.x versions. Other software compatible with the protocol set out by the Federation may be used, but it is not supported by RNP.
Operating System
The Federation supports the Linux distribution Ubuntu 4.10 LTS. Other operating systems may be used, but they are not supported by RNP.
Metadata
The CAFe’s metadata are made available in SAML 2.0 Metadata [1, 3] format.
Certificates
Certificates generated for providers must comply with the following restrictions:
- Distinguished Name: the Common Name (CN) field must contain the server's fully qualified domain name (FQDN);
- Validity period: must not exceed three years, i.e., the interval between the notBefore and notAfter fields must be at most 3 years;
- Signature algorithm: RSA with SHA-1 (sha1WithRSAEncryption);
- Key size: a 2048-bit RSA key is recommended; the minimum is 1024 bits;
- Key Usage extension: the digitalSignature and keyEncipherment bits must be set;
- Extended Key Usage extension: Identity Provider certificates must include serverAuth; Service Provider certificates must include clientAuth;
- Basic Constraints extension: the CA flag must not be set to true.
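The following checker turns the list above into an automated test that an operator can run over a provider certificate before submitting it to the Federation. It is an added example, not code from the CAFe documentation or from RNP; it uses the `cryptography` library, and the host names, the self-signed test-certificate builder and the wording of the violations are this example's own. The signature-algorithm rule is enforced exactly as the page states it (sha1WithRSAEncryption), so a certificate signed with SHA-256 is reported as a deviation; the fixture builder signs with SHA-256 unless asked for SHA-1.

```python
"""Check a provider certificate against the CAFe certificate restrictions.

Added example (not CAFe's or RNP's code). Requires the `cryptography` library.
"""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, SignatureAlgorithmOID

MAX_VALIDITY = dt.timedelta(days=3 * 365)  # notBefore..notAfter at most 3 years
MIN_KEY_BITS = 1024                        # 2048 recommended, 1024 is the floor
REQUIRED_EKU = {"idp": ExtendedKeyUsageOID.SERVER_AUTH,   # Identity Provider
                "sp": ExtendedKeyUsageOID.CLIENT_AUTH}    # Service Provider


def _validity(cert):
    # cryptography >= 42 exposes timezone-aware properties; older versions do not.
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def _extension(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def check_provider_cert(cert, fqdn, role):
    """Return the violations as "tag: detail" strings; an empty list means compliant.

    role is "idp" (Identity Provider) or "sp" (Service Provider).
    """
    problems = []

    # Distinguished Name: exactly one CN, equal to the server FQDN.
    cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if [c.lower() for c in cns] != [fqdn.lower()]:
        problems.append(f"CN: subject CN {cns} is not the server FQDN {fqdn}")

    # Validity period: notAfter - notBefore must not exceed three years.
    not_before, not_after = _validity(cert)
    if not_after - not_before > MAX_VALIDITY:
        problems.append(f"validity: certificate spans {not_after - not_before}, more than 3 years")

    # Signature algorithm as required by the page.
    if cert.signature_algorithm_oid != SignatureAlgorithmOID.RSA_WITH_SHA1:
        problems.append(f"signature: {cert.signature_algorithm_oid.dotted_string} is not sha1WithRSAEncryption")

    # Key: RSA, at least 1024 bits.
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < MIN_KEY_BITS:
        problems.append(f"key size: an RSA key of at least {MIN_KEY_BITS} bits is required")

    # Key Usage: digitalSignature and keyEncipherment both set.
    ku = _extension(cert, x509.KeyUsage)
    if ku is None or not (ku.digital_signature and ku.key_encipherment):
        problems.append("keyUsage: digitalSignature and keyEncipherment must both be set")

    # Extended Key Usage: serverAuth for an IdP, clientAuth for an SP.
    eku = _extension(cert, x509.ExtendedKeyUsage)
    if eku is None or REQUIRED_EKU[role] not in eku:
        problems.append(f"extendedKeyUsage: {REQUIRED_EKU[role].dotted_string} is required for role {role}")

    # Basic Constraints: must not be a CA certificate.
    bc = _extension(cert, x509.BasicConstraints)
    if bc is not None and bc.ca:
        problems.append("basicConstraints: CA must not be true")

    return problems


def build_test_cert(fqdn, days, key_bits, role, *, ca=False, key_encipherment=True, sha1=False):
    """Self-signed fixture with the chosen properties (constructed for this example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = dt.datetime.now(dt.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(digital_signature=True, key_encipherment=key_encipherment,
                          content_commitment=False, data_encipherment=False, key_agreement=False,
                          key_cert_sign=ca, crl_sign=False, encipher_only=False, decipher_only=False),
            critical=True)
        .add_extension(x509.ExtendedKeyUsage([REQUIRED_EKU[role]]), critical=False)
    )
    return builder.sign(key, hashes.SHA1() if sha1 else hashes.SHA256())


if __name__ == "__main__":
    # Hypothetical host names; example.edu.br is a constructed domain.
    ok = build_test_cert("idp.example.edu.br", 3 * 365, 2048, "idp", sha1=True)
    print("compliant IdP cert:", check_provider_cert(ok, "idp.example.edu.br", "idp"))
    bad = build_test_cert("localhost", 5 * 365, 512, "idp", ca=True, key_encipherment=False)
    print("non-compliant SP cert:", check_provider_cert(bad, "sp.example.edu.br", "sp"))
```

To check a certificate you already have, load it with `x509.load_pem_x509_certificate(open(path, "rb").read())` and pass it to `check_provider_cert` together with the server FQDN and the provider role.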
Attributes
It is recommended that Identity Providers be able to release the following attributes:

| Attribute | Description | Source |
| --- | --- | --- |
| cn | User's common name (full name) | inetOrgPerson [4] |
| sn | User's surname | inetOrgPerson [4] |
| mail | User's e-mail address | inetOrgPerson [4] |
| eduPersonPrincipalName | User's unique identifier within the federation. Format: identifier@domain | eduPerson [5] |
| brEduAffiliationType | Type of the user's affiliation with the institution. Vocabulary: faculty, student, staff, position, scholarshipawardee, other | brEduPerson [6] |
Once these attributes are available, Identity Providers must release them under the following names:

| Source | SAML 1.1 name prefix | SAML 2.0 name prefix |
| --- | --- | --- |
| inetOrgPerson | urn:mace:dir:attribute-def: | urn:oid: |
| eduPerson | urn:mace:dir:attribute-def: | urn:oid: |
| brEduPerson | urn:mace:rnp.br:attribute-def: | urn:oid: |
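The two tables above describe what an Identity Provider releases and how the attributes are named on the wire. The following module, an added example rather than code from the CAFe documentation or from RNP, derives the SAML 1.1 and SAML 2.0 names from those prefixes, builds a SAML 2.0 AttributeStatement with the `urn:oid:` names, and validates a released attribute set the way a Service Provider would before trusting it. The OIDs for cn, sn, mail and eduPersonPrincipalName are the standard ones from the cited schemas; the OID of brEduAffiliationType is not on the page and is left as a placeholder to be taken from the brEduPerson schema [6]. The check that the eduPersonPrincipalName scope belongs to the asserting IdP is the usual federation practice, added here as a generalization of the page's identifier@domain format; the scope list and sample values are constructed.

```python
"""Name and validate the attributes an Identity Provider releases to CAFe.

Added example (not CAFe's or RNP's code); standard library only.
"""
import re
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# SAML 1.1 name prefix per source schema, from the table above.
SAML11_PREFIX = {
    "inetOrgPerson": "urn:mace:dir:attribute-def:",
    "eduPerson": "urn:mace:dir:attribute-def:",
    "brEduPerson": "urn:mace:rnp.br:attribute-def:",
}

# friendly name -> (source schema, OID). None marks an OID not given on the page.
ATTRIBUTES = {
    "cn": ("inetOrgPerson", "2.5.4.3"),
    "sn": ("inetOrgPerson", "2.5.4.4"),
    "mail": ("inetOrgPerson", "0.9.2342.19200300.100.1.3"),
    "eduPersonPrincipalName": ("eduPerson", "1.3.6.1.4.1.5923.1.1.1.6"),
    "brEduAffiliationType": ("brEduPerson", None),  # placeholder: take the OID from the brEduPerson schema
}

# Controlled vocabulary of brEduAffiliationType as listed on the page.
AFFILIATION_VOCABULARY = {"faculty", "student", "staff", "position", "scholarshipawardee", "other"}

# identifier@domain: a non-empty local part, then a dotted domain.
EPPN_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def saml11_name(friendly):
    """SAML 1.1 attribute name: source-specific prefix followed by the friendly name."""
    source, _ = ATTRIBUTES[friendly]
    return SAML11_PREFIX[source] + friendly


def saml2_name(friendly):
    """SAML 2.0 attribute name: urn:oid: followed by the attribute's OID."""
    source, oid = ATTRIBUTES[friendly]
    if oid is None:
        raise ValueError(f"{friendly}: OID not recorded here, look it up in the {source} schema")
    return "urn:oid:" + oid


def build_attribute_statement(attrs):
    """Serialize {friendly name: value} as a SAML 2.0 AttributeStatement (XML text)."""
    ET.register_namespace("saml", SAML2_ASSERTION_NS)
    stmt = ET.Element(f"{{{SAML2_ASSERTION_NS}}}AttributeStatement")
    for friendly, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML2_ASSERTION_NS}}}Attribute",
                             Name=saml2_name(friendly), NameFormat=URI_NAME_FORMAT,
                             FriendlyName=friendly)
        ET.SubElement(attr, f"{{{SAML2_ASSERTION_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def check_release(attrs, idp_scopes):
    """Validate a released attribute set from the Service Provider's side.

    idp_scopes is the set of domains the asserting IdP is allowed to scope
    identifiers to (in a deployment this comes from federation metadata).
    Returns a list of problems; empty means the release looks sound.
    """
    problems = []
    for name in ATTRIBUTES:
        if name not in attrs:
            problems.append(f"{name}: recommended attribute not released")
    eppn = attrs.get("eduPersonPrincipalName")
    if eppn is not None:
        if not EPPN_RE.match(eppn):
            problems.append(f"eduPersonPrincipalName: {eppn!r} is not in identifier@domain form")
        elif eppn.rsplit("@", 1)[1].lower() not in {s.lower() for s in idp_scopes}:
            problems.append(f"eduPersonPrincipalName: scope of {eppn!r} is not one of the IdP's scopes")
    affiliation = attrs.get("brEduAffiliationType")
    if affiliation is not None and affiliation not in AFFILIATION_VOCABULARY:
        problems.append(f"brEduAffiliationType: {affiliation!r} is not in the vocabulary")
    return problems


if __name__ == "__main__":
    # Constructed sample release from a hypothetical IdP scoped to example.edu.br.
    release = {"cn": "Maria Silva", "sn": "Silva", "mail": "maria@example.edu.br",
               "eduPersonPrincipalName": "maria@example.edu.br", "brEduAffiliationType": "student"}
    print(check_release(release, {"example.edu.br"}))
    print(build_attribute_statement({k: v for k, v in release.items() if k != "brEduAffiliationType"}))
    print(saml11_name("brEduAffiliationType"))
```

`check_release` reports a scope mismatch separately from a malformed identifier, so an SP log can distinguish an IdP that is misconfigured from one asserting identifiers outside its own domain.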
[1] Security Assertion Markup Language (SAML) v2.0.
[2] Shibboleth web page.
[3] SAML V2.0 Metadata Interoperability Profile.
[4] Definition of the inetOrgPerson LDAP Object Class (RFC2798).
[5] eduPerson Object Class Specification (200806).
[6] brEduPerson schema.