1 Introduction

This document specifies the detailed technical architecture of the UK Access Management Federation for Education and Research (the UK federation).

Familiarity with this document is not normally required for individual deployments; its primary audiences are developers of federation software and operators of partner federations. A companion document, the Technical Recommendations for Participants ([UKTRP]), provides specific technical recommendations for members of the federation based on these specifications.

1.1 Keeping Up To Date

Due to the rapidly changing nature of the software and standards associated with identity technologies, it will be necessary to update this document from time to time to reflect new developments. The latest version of this document can always be found on the federation web site (see [UKFTS]); federation members should review the latest version of this document periodically, and in any case whenever a new deployment is contemplated.

New editions of this and other federation technical documents, as well as other announcements thought to be relevant to federation members, are reported on the federation mailing list. The technical and administrative contacts listed for all entities registered with the UK federation are made members of the mailing list automatically; other addresses can be added to the list by request.

1.2 Document Status

This edition describes the UK federation with effect from its date of publication as shown on the cover page.

1.3 Notation

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Conventional XML namespace prefixes are used throughout this document to stand for their respective namespaces as follows:

Prefix XML Namespace Defined in
ds: http://www.w3.org/2000/09/xmldsig# [XMLSig]
idpdisc: urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol [IdPDisco]
md: urn:oasis:names:tc:SAML:2.0:metadata [SAML2Meta]
mdattr: urn:oasis:names:tc:SAML:metadata:attribute [MetaAttr]
mdrpi: urn:oasis:names:tc:SAML:metadata:rpi [SAML-Metadata-RPI-V1.0]
mdui: urn:oasis:names:tc:SAML:metadata:ui [SAML-Metadata-UI-V1.0]
saml2: urn:oasis:names:tc:SAML:2.0:assertion [SAML2Core]
saml2p: urn:oasis:names:tc:SAML:2.0:protocol [SAML2Core]
shibmd: urn:mace:shibboleth:metadata:1.0 [ShibMetaExt]
ukfedlabel: http://ukfederation.org.uk/2006/11/label This document.

This document uses the following typographical conventions in text:

The rationale behind certain technical decisions is called out in boxes like this.

Where appropriate, boxes like this are used to describe likely future developments in the area under consideration. These notes are provided to allow members to incorporate this information into planning activities.

If action is required by federation members in response to a change in this document, details are provided in boxes like this.

Details will normally include the action required and the date by which changes will need to be made.

1.4 Changes in this Edition

In the unlikely event that your deployment relies on the “triple scope” convention in UK federation metadata, you must act before 2021-11-01 to avoid issues when this transition occurs.

See section 3.5.2 for full details.

In the unlikely event that your deployment relies on the <ukfedlabel:UKFederationMember> element in UK federation metadata, you must act before 2021-11-01 to avoid issues when this transition occurs.

See section 3.6.1 for full details.

Although no date has yet been set for the removal of the WAYF endpoint, service provider deployers are advised to migrate to the DS protocol endpoint as described in section to avoid future disruption.