RNP - Rede Nacional de Ensino e Pesquisa

english | español




The protocol used by the Federation for the exchange of information among its members is the SAML version 2.0 [1].


The CAFe supports the Shibboleth [2] system in its versions 2.x. Other software compatible with the protocol set out by the Federation may be used, however, not supported by the RNP.

Operational System

The Federation supports the Linux operational system Ubuntu 4.10 LTS. Other operational systems may be used, however, not supported by the RNP.


The CAFe’s metadata are made available in SAML 2.0 Metadata [1, 3] format.


Certificates generated for providers must comply with the following restrictions:

  • Distinguished Name: The Common Name field must be filled with the server fully qualified domain name (FQDN);
  • Vigor: should not exceed three years, i.e., the time interval between the fields notBefore and notAfter shall be a maximum of 3 years;
  • Signature Algorithm: you should use the RSA algorithm with SHA1 with RSA encryption;
  • Key Size: a 2048-bit RSA key is recommended, but it must be at least 1024 bits;
  • Extensions of key usage: it must have the extensions and Digital Signature key Encipherment agreed as true;
  • Extensions of Extended Key Usage: for certificates of Identity Providers, the extention serverAuth must be set as true; for Service Providers, the extension ClientAuth must be set as true;
  • Extension of basic restrictions: the certificate should not have the basic CA constraint set as true.


It is recommended that Identity Providers are able to release the following attributes:

Attribute Description Source
cn User surname inetOrgPerson [4]
sn User e-mail address inetOrgPerson [4]
mail User's unique identifier within the federation. Format: identificador@domínio inetOrgPerson [4]
eduPersonPrincipalName Identificador único do usuário dentro da federação. Formato: identificador@domínio eduPerson [5]
brEduAffiliationType Type of link between users and the institution. Vocabulary: faculty, student, staff, position, scholarshipawardee, other brEduPerson [6]

Once there are available attributes, the Identity Providers must make them available in the following format:

Fonte SAML 1.1 SAML 2.0
inetOrgPerson urn:mace:dir:attribute-def: urn:oid:
eduPerson urn:mace:dir:attribute-def: urn:oid:
brEduPerson urn:mace:rnp.br:attribute-def: urn:oid:

[1] Security Assertion Markup Language (SAML) v2.0.

[2] Shibboleth web page.

[3] SAML V2.0 Metadata Interoperability Profile.

[4] Definition of the inetOrgPerson LDAP Object Class (RFC2798).

[5] eduPerson Object Class Specification (200806).

[6] Esquema brEduPerson.