Shibboleth Identity Provider (v2) Best Practice Checklist (for Edugate participants)
- IdP login and error pages should be customised:
  - institution logo and style
  - helpdesk contact details
  - render correctly on mobile devices
  - show MDUI (service provider logo, name and description)
- IdP status URL should be monitored by HEAnet.
- IdP should publish authentication statistics for consumption by HEAnet's Raptor.
- IdP should have a persistent ID database and be capable of providing NameIDs in both the persistent and transient formats.
- IdP should have uApprove or another consent module (see the uApprove installation guide).
- IdP should refresh the following configuration every hour:
  - remotely hosted attribute-filter file
  - locally hosted attribute-resolver.xml
  - circle metadata from the Edugate Registry
- IdP operator should monitor and log IdP dependencies:
  - IdP status URLs
  - IdP SSL certificate expiry
- IdP should handle connection timeouts to the database and LDAP gracefully and fail over to a second LDAP server or database.
- IdP should narrow LDAP searches to the required attributes and the relevant OUs only.
- IdP should produce eduPersonScopedAffiliation values for at least staff and student rather than the single value member; alumni and affiliate values should also be produced where possible.
- RollingFileAppender should use .gz compression.
- logging.xml should enable PROTOCOL_MESSAGE at DEBUG level.
- ModSecurity should be installed and tuned in preparation for zero-day attacks.
- Login page should use an HTTP meta refresh so that stale login requests are not submitted by users (e.g. after 30 minutes).
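As an added example, not part of the Edugate checklist or the Shibboleth project's own documentation, the attribute-resolver.xml fragment below puts three of the items above into IdP v2 configuration: LDAP failover with bounded timeouts, a search narrowed to one OU and the needed attributes, and a multi-valued eduPersonScopedAffiliation rather than a lone member. The hostnames, DNs, service account and the employeeType source attribute are assumed placeholders for an institution's own values.

```xml
<!-- attribute-resolver.xml fragment, IdP v2 schema. Hostnames, DNs, the service
     account and the employeeType source attribute are constructed examples. -->

<!-- Two space-separated ldapURLs fail over to the second server; the JNDI
     timeouts stop a dead server hanging the login; baseDN and ReturnAttributes
     confine the search to one OU and to the attributes actually needed. -->
<resolver:DataConnector id="campusLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ldap1.example.org ldaps://ldap2.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp-reader,ou=system,dc=example,dc=org"
    principalCredential="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD">
    <dc:FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>uid mail displayName employeeType</dc:ReturnAttributes>
    <dc:LDAPProperty name="com.sun.jndi.ldap.connect.timeout" value="5000"/>
    <dc:LDAPProperty name="com.sun.jndi.ldap.read.timeout" value="5000"/>
</resolver:DataConnector>

<!-- Every ValueMap whose SourceValue regex matches contributes its ReturnValue,
     so a staff record yields both "staff" and "member"; values matching no
     map fall back to "affiliate" instead of being dropped. -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Mapped"
    sourceAttributeID="employeeType">
    <resolver:Dependency ref="campusLDAP"/>
    <ad:DefaultValue>affiliate</ad:DefaultValue>
    <ad:ValueMap>
        <ad:ReturnValue>staff</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">staff|faculty|academic</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>student</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">student|postgrad</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>member</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">staff|faculty|academic|student|postgrad</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- Scope each affiliation with the institution's domain and release it as
     eduPersonScopedAffiliation. -->
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
    scope="example.org" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="eduPersonAffiliation"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation"/>
</resolver:AttributeDefinition>
```

Check the result with the IdP's aacli tool for a staff and a student test account before releasing the attribute to Edugate service providers.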