wiki:ServiceProviderFederation/Discovery

Version 13 (modified by Sander Maijers, 9 years ago) (diff)

Overhaul

Note: The information on this page has been copied to http://www.clarin.eu/node/3481 (for public access). Please also change it there if a significant change is made.

CLARIN Central Discovery Service

The CLARIN central Discovery Service (DS) is based on DiscoJuice (version 1.0), see: http://discojuice.org/.

The goal is to provide an easy to use entry point for all CLARIN Service Provider Federation (SPF) Service Providers (SPs), which allows users to select an institutional Identity Provider (IdP) to log in to. By using the same Discovery Service users do not have to re-login or re-select their IdP when switching between SPs. A drawback of the central DS is the fact that it is a single point of failure. We are still looking into the best way to make the central DS highly available.

Status

Currently used at the catalog.clarin.eu SP, see e.g. the Component Registry: https://catalog.clarin.eu/ds/ComponentRegistry/ (click on login)

To configure

For Shibboleth Service Provider

In order to use the central Discovery Service, your Shibboleth Service Provider's configuration must contain the right session initiator configuration. You can change this in the shibboleth2.xml configuration file. The Location attribute specifies the login endpoint; appended to your handler URL (/Shibboleth.sso by default), it starts a SAML session. The URL attribute of the session initiator of type SAMLDS should point to the DiscoJuice installation you want to use.

Please add to shibboleth2.xml:

  <!-- Use CLARIN central Discovery Service -->
  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
    SAML2
  </SSO>

(A restart of shibd and a reload of your web server are required afterwards.)

If you're using Shibboleth SP < version 2.4.x you must use the following, more verbose, snippet:

  <SessionInitiator type="Chaining" Location="/DiscoJuice" id="DiscoJuice" relayState="cookie">
    <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://discovery.clarin.eu/discojuice"/>
  </SessionInitiator>

For other Service Provider implementations (technical details)

The CLARIN central Discovery Service is not Shibboleth-specific, but complies with the SAML Identity Provider Discovery Service Protocol.

Your Service Provider should also follow this protocol. This means simply that you HTTP-redirect the user to the central Discovery Service.

In practice we use the following HTTP request parameters:

  1. entityID: The unique identifier of the SP the end user is (or will be) interacting with, following successful authentication by an IdP.
  2. return: The SAML endpoint to return the user to after selecting an IdP. This parameter is required (as described in the Identity Provider Discovery Service Protocol and Profile), because the central Discovery Service does not yet use the idpdisc:DiscoveryResponse element that you include in the SAML metadata about your SP which you distribute to the CLARIN SPF.

An example when logging in to the Component Registry [2]: https://discovery.clarin.eu/discojuice?entityID=https%3A%2F%2Fsp.catalog.clarin.eu&return=https%3A%2F%2Fcatalog.clarin.eu%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A602dd8144643cda1b50b0c5998caca437dffc418c6d9b184c6538faa996f49e4

As you can see there are no SAML statements included in the requests to or responses from the discovery service, just plain HTTP redirects.
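The exchange described above, as an added example that is not part of this page and not CLARIN's or DiscoJuice's code: the SP builds the redirect to the DS with entityID and return, and the DS sends the user back to the return URL with the selected IdP's entityID appended (the parameter name defaults to entityID in the Discovery Service Protocol). The validate_return_url function is a hypothetical DS-side check, comparing return against endpoints registered for that SP so the DS cannot be turned into an open redirector; the IdP entityID and the target value are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

DS_URL = "https://discovery.clarin.eu/discojuice"  # central DS from the page

def build_discovery_request(sp_entity_id, return_url, ds_url=DS_URL):
    """SP side: the plain HTTP redirect that starts IdP discovery."""
    return f"{ds_url}?{urlencode({'entityID': sp_entity_id, 'return': return_url})}"

def validate_return_url(return_url, registered_endpoints):
    """DS side (hypothetical safeguard): accept 'return' only when scheme, host and
    path match an endpoint registered for the SP; the query string may vary."""
    target = urlparse(return_url)
    for endpoint in registered_endpoints:
        allowed = urlparse(endpoint)
        if (target.scheme == allowed.scheme == "https"
                and target.netloc == allowed.netloc
                and target.path == allowed.path):
            return True
    return False

def build_discovery_response(return_url, idp_entity_id, return_id_param="entityID"):
    """DS side: redirect back to the SP, keeping the SP's own query parameters
    (e.g. SAMLDS=1 and target) and appending the chosen IdP's entityID."""
    parts = urlparse(return_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[return_id_param] = [idp_entity_id]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))

def parse_discovery_response(url, return_id_param="entityID"):
    """SP side: read the selected IdP out of the redirect the DS sent the user back with."""
    values = parse_qs(urlparse(url).query).get(return_id_param)
    return values[0] if values else None

if __name__ == "__main__":
    # Constructed return URL in the shape the page's example uses (target value shortened).
    ret = "https://catalog.clarin.eu/Shibboleth.sso/Login?SAMLDS=1&target=ss%3Amem%3Aexample"
    req = build_discovery_request("https://sp.catalog.clarin.eu", ret)
    print("SP -> DS:", req)
    if validate_return_url(ret, ["https://catalog.clarin.eu/Shibboleth.sso/Login"]):
        resp = build_discovery_response(ret, "https://idp.example.org/idp/shibboleth")
        print("DS -> SP:", resp)
        print("Selected IdP:", parse_discovery_response(resp))
```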

Maintenance Policy

  1. Maintenance on the WAYF and IdP services will be announced 1 week in advance on the (dev)mailing list.
  2. We will plan maintenance so that a system administrator is available the day after (unless something unexpected happens, e.g. someone breaks a leg).
