Shibboleth Identity Provider (v2) Best Practice Checklist (for Edugate participants)

  1. IdP login and error pages should be customised:
    • institution logo and style
    • helpdesk contact details
    • render on mobile devices
    • show MDUI (service provider logo, name and description)
    • Further recommendations here
  2. IdP Status URL should be monitored by HEAnet.
  3. IdP should publish authentication statistics for consumption by HEAnet's Raptor.
  4. IdP should have a persistent ID database and be capable of providing NameIDs in both the persistent and transient formats.
  5. IdP should have uApprove or another consent module (see the uApprove installation guide).
  6. IdP should refresh the following configuration every hour:
    • remotely hosted attribute-filter file
    • locally hosted attribute-resolver.xml
    • circle metadata from the Edugate Registry
  7. IdP operator should monitor and log IdP dependencies:
    • LDAP connection
    • DB connection
    • IdP Status URLs
    • disk space
    • IdP SSL certificate expiry
    • Tomcat JVM
  8. IdP should handle connection timeouts to the DB and LDAP gracefully and fail over to a second LDAP server or DB.
  9. IdP should narrow LDAP searches to the required attributes and the relevant OUs only.
  10. IdP should produce eduPersonScopedAffiliation values for at least staff and student rather than the single value member; alumni and affiliate values should also be produced where possible.
  11. RollingFileAppender should use .gz compression.
  12. logging.xml should enable the PROTOCOL_MESSAGE logger at DEBUG level.
  13. ModSecurity should be installed and tuned in preparation for zero-day attacks.
  14. Login page should use an HTTP meta refresh so that stale login requests are not submitted by users (e.g. after 30 minutes).
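For the hourly configuration refresh item (remote attribute filter, local attribute resolver, circle metadata), the following is an added example of the Shibboleth IdP v2 settings involved; it is not part of this checklist and not Edugate's or HEAnet's own configuration. It shows the filter and resolver services in conf/service.xml polled every hour, with the filter fetched from a remote URL and mirrored to a local backing file, and the circle metadata in conf/relying-party.xml refreshed at most hourly and rejected unless it carries a valid signature from the registry's key. The registry URLs, local file paths, and the signing-certificate path are placeholders and must be replaced with the values Edugate supplies.

```xml
<!-- conf/service.xml (fragment): poll filter and resolver configuration every hour -->
<Service id="shibboleth.AttributeFilterEngine"
         xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine"
         configurationResourcePollingFrequency="PT1H"
         configurationResourcePollingRetryAttempts="10">
    <!-- Remotely hosted filter, mirrored to a local file so the IdP keeps the
         last good copy if the registry is unreachable. URL is a placeholder. -->
    <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
        url="https://registry.example.org/PLACEHOLDER/attribute-filter.xml"
        file="/opt/shibboleth-idp/conf/attribute-filter-remote.xml" />
</Service>

<Service id="shibboleth.AttributeResolver"
         xsi:type="attribute-resolver:ShibbolethAttributeResolver"
         configurationResourcePollingFrequency="PT1H"
         configurationResourcePollingRetryAttempts="10">
    <!-- Locally hosted resolver; polling picks up edits without a restart -->
    <ConfigurationResource xsi:type="resource:FilesystemResource"
        file="/opt/shibboleth-idp/conf/attribute-resolver.xml" />
</Service>

<!-- conf/relying-party.xml (fragment): circle metadata refreshed at most every hour -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="EdugateCircle"
        xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://registry.example.org/PLACEHOLDER/circle-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/edugate-circle.xml"
        maxRefreshDelay="PT1H">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <!-- Discard any metadata not signed by the registry's key; without
                 this, whoever can alter the download can register an SP -->
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                trustEngineRef="shibboleth.MetadataTrustEngine"
                requireSignedMetadata="true" />
            <!-- Discard metadata with no validUntil, or one more than 7 days out
                 (ISO 8601 duration) -->
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                maxValidityInterval="P7D" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
</metadata:MetadataProvider>

<!-- Trust engine referenced by the signature filter; certificate path is a placeholder -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="RegistrySigningCert" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/registry-signing.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

The backing file matters for the graceful-failure items as well: if the registry is down at refresh time the IdP continues with the last copy it fetched, and the signature filter means a tampered or substituted copy is refused rather than trusted. After an hourly refresh, the idp-process log shows whether the resource was reloaded, which is a useful thing for the operator's monitoring to watch.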
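For the persistent ID database item, the LDAP/DB failover item, the narrowed LDAP search item and the eduPersonScopedAffiliation item, the following is an added conf/attribute-resolver.xml example for IdP v2; it is not part of this checklist and not any institution's real resolver. It assumes an LDAP directory whose people entries sit under ou=People and carry an employeeType attribute with values Staff, Student and Alumni (an assumption about the directory, not something the checklist states); the hostnames, DNs, credentials, JDBC settings, scope and salt are placeholders. The alumni value is emitted as alum, the spelling the eduPerson vocabulary uses.

```xml
<!-- conf/attribute-resolver.xml (fragment); hostnames, DNs, credentials, scope and salt are placeholders -->

<!-- LDAP connector: two space-separated URLs give failover to the second server,
     baseDN confines the search to the people OU, and ReturnAttributes limits the
     fetch to what the IdP actually needs. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ldap1.example.org ldap://ldap2.example.org"
    baseDN="ou=People,dc=example,dc=org"
    principal="cn=idp,ou=Services,dc=example,dc=org"
    principalCredential="PLACEHOLDER"
    useStartTLS="true">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>uid mail displayName employeeType</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Persistent ID: a stable, per-user-per-SP value kept in a database so the same
     identifier is returned on every login. Retry settings let the pool ride out a
     short DB outage instead of failing the first request. JDBC values are placeholders. -->
<resolver:DataConnector id="StoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentId"
    sourceAttributeID="uid"
    salt="PLACEHOLDER-LONG-RANDOM-SALT">
    <resolver:Dependency ref="myLDAP" />
    <dc:ApplicationManagedConnection
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcURL="jdbc:mysql://db.example.org:3306/shibboleth"
        jdbcUserName="shibboleth"
        jdbcPassword="PLACEHOLDER"
        poolAcquireRetryAttempts="3"
        poolAcquireRetryDelay="1000" />
</resolver:DataConnector>

<!-- Persistent-format NameID built from the stored ID -->
<resolver:AttributeDefinition id="persistentId" xsi:type="ad:Simple" sourceAttributeID="persistentId">
    <resolver:Dependency ref="StoredId" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- Transient-format NameID: a one-time value, different on every login -->
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

<!-- eduPersonAffiliation derived from the directory's employeeType (assumed values) -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Mapped" sourceAttributeID="employeeType">
    <resolver:Dependency ref="myLDAP" />
    <ad:ValueMap>
        <ad:ReturnValue>staff</ad:ReturnValue>
        <ad:SourceValue>Staff</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>student</ad:ReturnValue>
        <ad:SourceValue>Student</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>alum</ad:ReturnValue>
        <ad:SourceValue>Alumni</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- eduPersonScopedAffiliation: each affiliation value with the institution's scope appended -->
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
    scope="example.org" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
```

A user with employeeType Staff would then be released as staff@example.org, and a user whose employeeType matches none of the maps gets no affiliation rather than a misleading one. The salt must be generated once, kept secret and never changed afterwards, since the persistent IDs derived from it would otherwise all change. Because the LDAP connector returns only the attributes listed, a new attribute released through the filter also has to be added to ReturnAttributes, which is a common cause of "attribute not released" tickets.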
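For the two logging items (gzip-compressed rotated logs and PROTOCOL_MESSAGE at DEBUG), the following is an added conf/logging.xml fragment for IdP v2, written for this page and not taken from the checklist or from a real deployment; the log directory is a placeholder.

```xml
<!-- conf/logging.xml (fragment); log paths are placeholders -->

<appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>/opt/shibboleth-idp/logs/idp-process.log</File>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
        <!-- Rotate daily; the .gz suffix on the pattern makes logback gzip
             each rotated file as it is rolled -->
        <FileNamePattern>/opt/shibboleth-idp/logs/idp-process-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
    </rollingPolicy>
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
        <charset>UTF-8</charset>
        <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
    </encoder>
</appender>

<appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>/opt/shibboleth-idp/logs/idp-audit.log</File>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
        <FileNamePattern>/opt/shibboleth-idp/logs/idp-audit-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
    </rollingPolicy>
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
        <charset>UTF-8</charset>
        <Pattern>%msg%n</Pattern>
    </encoder>
</appender>

<!-- Full SAML requests and responses as sent and received; DEBUG records every message -->
<logger name="PROTOCOL_MESSAGE" level="DEBUG" />

<logger name="edu.internet2.middleware.shibboleth" level="INFO" />
<logger name="org.opensaml" level="INFO" />

<logger name="Shibboleth-Audit" level="ALL">
    <appender-ref ref="IDP_AUDIT" />
</logger>

<root level="ERROR">
    <appender-ref ref="IDP_PROCESS" />
</root>
```

With PROTOCOL_MESSAGE at DEBUG the process log contains complete assertions, attribute values included, so it holds the same personal data as the audit log and needs the same file permissions and retention period; the daily gzip rotation keeps that volume manageable. The logging service in service.xml reloads this file on its own polling interval, so a level change takes effect without a Tomcat restart.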