= '''WARNING!! This page is outdated and currently being replaced. Please do not rely on any information provided by it!!''' =

[[PageOutline(1-5,Table of Contents,pullout)]]

# SAML metadata about SPF SPs: distribution to identity federations by ERIC #

## Accepted SVN revisions (in preproduction and production) ##

Latest: [7121] and all earlier [https://trac.clarin.eu/log/aai/clarin-sp-metadata.xml revisions of clarin-sp-metadata.xml]

Newer revisions need manual approval and are not yet in the [https://infra.clarin.eu/aai/md_about_spf_sps.xml SAML metadata published by CLARIN] (which includes both preproduction and production SPs).

## Service Providers in the production SPF ##

This means the SP entityID is whitelisted. Only whitelisted SPs pass the filter and are passed on to the [https://infra.clarin.eu/aai/prod_md_about_spf_sps.xml production SAML metadata]. In order to be whitelisted, an SP needs to have signed the SPF agreement. All Service Providers in the production SPF will be registered automatically in DFN-AAI and via eduGAIN in [wiki:./eduGAIN various other federations].

### Accepted ###

See the [https://centres.clarin.eu/spf centre registry SPF page]: all the SPs with a checked "Prod?" column.

### Waiting list ###

The following SPs are not yet fully functional. Therefore they have not yet been added to the production SPF:

 * [7111]+ (HAKA only), reason: pending HAKA's decision on how to propagate CLARIN SP metadata to them
 * LAP, [7049], reason: not yet working with CLARIN IdP
 * CLARIN-LT, [7101], only missing eduID.cz (to be submitted)

## Actual distribution to national federations ##

||'''Submission round closing date'''||'''Included SVN revision(s)'''||'''[[./BE]]'''||'''[[./CZ]]'''||'''[[./FI]]'''||'''[[./NL]]'''||
||2017-06-15||[7122], [7123], [7127]||submitted: 2017-09-11 \\ updated: 2017-09-12||submitted: [7123] - 2017-09-11; [7122][7127] - not yet \\ updated: not yet||submitted: not yet \\ updated: not yet||submitted: [7127] - 2017-07-19; [7123] - 2017-09-11; [7122] - not yet \\ updated: [7127] - 2017-07-21; [7123] - 2017-09-11; [7122] - not yet||
||2017-04-12||[7114], [7118], [7119], [7121]||submitted: 2017-04-12 \\ updated: 2017-04-13: [7118], [7121]||submitted: 2017-04-12 \\ updated: 2017-04-13||submitted: not yet \\ updated: not yet||submitted: 2017-04-12 \\ updated: 2017-04-12||
||2017-02-22||[7113]||submitted: 2017-02-28 \\ updated: 2017-04-13||submitted: 2017-02-28 \\ updated: 2017-03-01||submitted: not yet \\ updated: not yet||submitted: 2017-02-28 \\ updated: 2017-02-28||
||2017-02-01||[7111]||submitted: 2017-02-01 \\ updated: 2017-02-14||submitted: 2017-02-01 \\ updated: 2017-02-01||submitted: not yet \\ updated: not yet||submitted: 2017-02-01 \\ updated: 2017-02-01||
||2017-01-26||[7108], [7109]||submitted: 2017-01-25 \\ updated: 2017-01-25||submitted: 2017-01-26 \\ updated: 2017-01-26||submitted: 2017-01-26 \\ updated: 2017-01-27||submitted: 2017-01-26 \\ updated: 2017-01-26||
||2016-12-15||[7095], [7102], [7104]||submitted: 2017-01-05 \\ updated: not yet||submitted: 2016-12-20 \\ updated: 2016-12-21||submitted: not yet \\ updated: not yet||submitted: 2016-12-20 \\ updated: 2016-12-20||
||2016-08-25||[7046]||submitted: 2016-08-29 \\ updated: 2016-08-31||submitted: 2016-09-12 \\ reminder: 2016-10-19||submitted: 2016-09-12 \\ updated: 2016-09-27||submitted: 2016-09-12 \\ updated: 2016-09-12||

Please note: for [wiki:./eduGAIN the other countries we use the eduGAIN metadata distribution]. Therefore they are not listed in the distribution matrix. For an explanation of why this dual distribution mechanism is in use, please see the [https://www.clarin.eu/node/3869 opt-in page].

# Procedure for changing/adding and distributing new SAML metadata about SPF SPs #

Adding a new SP or changing SAML metadata about an existing one and distributing it is a complicated procedure.

 1. Check new e-mails to `spf@clarin.eu` with subjects of the form `Commit (7047) by martynas.savickis@bpti.lt to SAML metadata about SPF SPs`.
 2. Check [https://svn.clarin.eu/aai/clarin-sp-metadata.xml the single SAML metadata batch in the SVN] at all revisions recorded in the previous e-mails. Criteria are correctness and security (partly covered by the [https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp guidelines]).
 3. Make an edit similar to [https://github.com/clarin-eric/pyFF_config/commit/3e676446c74e4f8262637392ff4fb881df37e274 this one] on `ems04.mpi.nl:/srv/Python/venvs/2014-11-20_SPF/etc/pyff_config/control.sh`. See the host page [/SystemAdministration/Hosts/ems04.mpi.nl ems04.mpi.nl] for info on `ems04.mpi.nl`. Also be sure to push the same change as a commit to the [https://github.com/clarin-eric/pyFF_config relevant Git repo].
 4. Cron job 11 running under the superuser on `ems04.mpi.nl` will update the SAML metadata batch at https://infra.clarin.eu/aai/md_about_spf_sps.xml. The CLARIN IdP will use this preproduction batch.
 5. Check [https://docs.google.com/spreadsheets/d/1cwg2kiPL2ubzmtw7Ffe0rbQuJpuOoklFHJ10nR3Bn_M/edit?usp=sharing this Google Sheets spreadsheet], sheet `md_about_spf_sps`. This sheet details the results of validation of this SAML metadata batch. Follow up with the committers (i.e., SP operators) on whether their submissions meet the [https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp guidelines], based on e.g. this sheet.
 6. Once any validation issues have been resolved, organize [/ServiceProviderFederation/LoginTest login tests] for every new SP using the CLARIN IdP.
 7. Next, mark every new SP entity as a production SP. You can do this by adding the SP's entity ID to the list in `ems04.mpi.nl:/srv/Python/venvs/2014-11-20_SPF/etc/pyff_config/job_b.fd`. Again, also make that change over at the [https://github.com/clarin-eric/pyFF_config relevant Git repo].
 8. Cron job 11 running under the superuser on `ems04.mpi.nl` will update the SAML metadata batches under https://infra.clarin.eu/aai/ (this time, including `prod_md_about_spf_sps.xml`).
 9. To help everyone track new SPs and their registration statuses across identity federations, add the SPs to the [https://centres.clarin.eu Centre Registry].
 10. Cron job 17 running under user `www-data` on `ems04.mpi.nl` will use the information in the Centre Registry to analyze the SAML metadata batches under https://infra.clarin.eu/aai/ into useful pieces under [https://infra.clarin.eu/aai/sps_at_identity_federations/].
 12. DFN-AAI ([[./DE]]) will pick up the changes to the [https://infra.clarin.eu/aai/prod_md_about_spf_sps.xml SAML metadata batch]. This will ensure that it is distributed throughout eduGAIN, and reviewed additionally by DFN-AAI.
 13. Once DFN-AAI has picked up the new SP (and thus the SP is in eduGAIN), which you can determine via the [https://centres.clarin.eu/spf Centre Registry], add the SP to further identity federations. Click on the country code columns in the above table for details on the identity federation-specific procedure.
 14. Finally, check whether any new SP has been registered for multiple identity federations using [https://technical.edugain.org/entities this eduGAIN webapp] (i.e., a clash). In case a clash is found, request the SP operator to remove the registration with any federation other than the CLARIN SPF.

# Issues with production SPs #

Please avoid expiring SAML signing certificates by doing a [https://www.switch.ch/aai/guides/sp/certificate-rollover/ certificate roll-over] on time.

 * SAML-signing certificate of http://www.clarin-pl.eu/shibboleth expires on Sun, 08 Jan 2017 11:48:16 +0100
   * Remedy: create new SAML metadata, sign with a valid certificate (could be self-signed)
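
The production whitelisting described under "Service Providers in the production SPF" and in step 7 of the procedure comes down to filtering the preproduction batch by exact entityID. The Python below is an added example of that filter, not CLARIN's pyFF configuration; the entityIDs, the sample batch and the name `filter_production` are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer the defusedxml package

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
SP = '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'

# Constructed sample batch with hypothetical entityIDs (not CLARIN's real metadata).
SAMPLE_BATCH = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">{SP}</md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">{SP}</md:EntityDescriptor>
  <md:EntitiesDescriptor Name="nested-group">
    <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">{SP}</md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""

# Constructed whitelist; sp4 is whitelisted but absent from the batch.
WHITELIST = [
    "https://sp1.example.org/shibboleth",
    "https://sp3.example.org/shibboleth",
    "https://sp4.example.org/shibboleth",
]


def filter_production(batch_xml, whitelist):
    """Return (production_xml, kept_ids, missing_ids) for a metadata batch."""
    wanted = set(whitelist)
    seen, kept = set(), []
    # Build a fresh aggregate and copy in only whitelisted entities (fail closed):
    # signatures, nested groups and anything unexpected are left behind.
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    for entity in ET.fromstring(batch_xml).iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        if entity_id in seen:
            raise ValueError(f"duplicate entityID in batch: {entity_id}")
        seen.add(entity_id)
        if entity_id in wanted:  # exact string match, no URL normalisation
            out.append(entity)
            kept.append(entity_id)
    # Whitelisted IDs with no matching entity usually mean a typo in the list.
    missing = sorted(wanted - seen)
    return ET.tostring(out, encoding="unicode"), kept, missing


if __name__ == "__main__":
    xml_out, kept, missing = filter_production(SAMPLE_BATCH, WHITELIST)
    print("production SPs:", kept)
    print("whitelisted but not in batch:", missing)
```

The output aggregate carries no signature, so it has to be signed before it is published. A non-empty `missing` list is worth reviewing before each run, because a mistyped entityID otherwise just leaves the SP out of production without any error.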