[[PageOutline(1-5,Table of Contents,pullout)]]

'''Note''': this page is in the process of being updated (Oct 2017).

A good starting point for information about the Service Provider Federation is the public page https://www.clarin.eu/content/service-provider-federation

This wiki page contains the nitty-gritty technical details.

= [wiki:"./CLARIN IdP" CLARIN IdP] =

See InfrastructureOverview#CLARINIdentityProvider

= [wiki:"./Discovery" Central Discovery Service] =

See InfrastructureOverview#DiscoveryService

= Service Provider Federation =

 * For new SP admins: [https://clarin-eric.github.io/SPF-tutorial/Shib_SP_tutorial.html Full tutorial about setting up a Shibboleth Service Provider]
 * For an overview of the metadata distribution in the SPF: [wiki:./DistributionMatrix Distribution Matrix: overview of manual SAML metadata updates]
 * Information about including logos in SAML metadata: [https://wiki.refeds.org/display/FBP/MDUI+-+Software+recommendations recommendations] and a related [http://access.jiscinvolve.org/wp/can-we-standardise-on-mdui/ standardization discussion]
 * [wiki:./LoginTest Login testing]: manual testing of logins.
 * Recommendations on [https://www.switch.ch/aai/support/certificates/certificate-acceptance/ certificates]: use self-signed ones for the SAML metadata and well-accepted ones for your web server.

== Changing the SAML metadata about SPF SPs ==

 * Fork the [https://github.com/clarin-eric/SPF-SPs-metadata CLARIN SPs metadata repository on GitHub].
 * Commit your changes to the file corresponding to your SP in [https://github.com/clarin-eric/SPF-SPs-metadata/blob/master/metadata metadata/]. In case you are adding a new SP, add the metadata by creating a new file following the same naming convention: `[New SP File Name] = [SP entityID].replace("http(s)?://", "").replace("/", "%2F")`
 * Create a pull request from your modified fork to the ''master'' branch of the original repository.
 * After the pull request is created, Travis CI will automatically run the [https://github.com/clarin-eric/SAML-metadata-checker SAML metadata checker] to check the '''XSD validity''' of the file. You can monitor the check progress and result on the pull request page, as in [https://github.com/clarin-eric/SPF-SPs-metadata/pull/184 this example]. Wait for the check to finish and make sure you get a green check mark at the end. If instead you see a red ''X'' mark, fix your commit based on the Travis CI output and update the pull request. To see the test output, click on the result icon (''V'' or ''X''), which takes you to the Travis CI interface.
 * When your pull request successfully passes XSD validation, a CLARIN SPF operator will merge it into the ''master'' branch of the original repository for QA assessment. '''Note''': the SPF operators will only consider for merging pull requests which are XSD valid. If you cannot make your file pass the XSD validation, or you believe you are hitting a false positive, please create a [https://github.com/clarin-eric/SPF-SPs-metadata/issues/new GitHub issue] explaining the problem.
 * After your pull request is merged, Travis CI will automatically analyze the latest ''master'' version and generate a QA report visible in [https://clarin-eric.github.io/SPF-SPs-metadata/web/master_qa_report.html this table].[[BR]]Wait for the new QA report to be generated: Travis CI will post a comment on your merged pull request indicating that the new QA report is available and for which SPs the QA report changed.[[BR]]Check the table for entries concerning your SP and fix any outstanding issues following the [https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp CLARIN SP SAML metadata guidelines]. Then create a new pull request containing any necessary fixes.[[BR]]During this stage your new metadata is already scheduled to be merged into the ''production'' branch and subsequently propagated to the various identity federations. However, before this happens, and depending on the QA results for your SP, you might be contacted by an SPF operator to fix or improve your metadata before propagation.
 * Finally, your metadata will be merged into the ''production'' branch and picked up by an hourly cron job which automatically checks out the latest version and publishes it at http://infra.clarin.eu/aai/prod_clarin_sp_metadata.xml

== How to add SAML metadata about the CLARIN IdP to your SP configuration ==

 * See the [https://clarin-eric.github.io/SPF-tutorial/Shib_SP_tutorial.html#_specifying_spf_idps tutorial].

== Information per Identity Federation ==

(original [https://refeds.terena.org/index.php/Federations source] no longer available)

=== Haka (Finland) ===

Attributes: cn, sn, displayName, eduPersonPrincipalName, schacHomeOrganization, schacHomeOrganizationType

The major unique identifier: currently, ePPN is the predominant unique ID. The federation operator has published instructions on the use of ePTID but hasn't strongly insisted on its use.

=== DFN-AAI ===

==== Attributes ====

sn, email, ePPN, ePSA, ePEntitlement, ePTID

What is the predominant unique identifier for end users?
 * eduPersonPrincipalName (ePPN)
 * eduPersonTargetedID (ePTID) / SAML2 PersistentID

Is there a policy for what should be used as the unique ID? No.

=== SURFconext ===

Mandatory attributes: no mandatory attributes.

The major unique identifier: eduPersonPrincipalName (ePPN); there is no formal policy for what should be used as the unique ID.

=== UK federation ===

See section 7 of http://www.ukfederation.org.uk/library/uploads/Documents/technical-recommendations-for-participants.pdf for the recommended attributes in the UK.
== Requesting changes to the IdP blacklist ==

 * See the [wiki:ServiceProviderFederation/IdpBlacklist SPF blacklist] information page.

== Attributes in the SPF ==

The '''minimal''' set of required attributes:
 * [http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonPrincipalName eduPersonPrincipalName] ''or'' [http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonTargetedID eduPersonTargetedID]

The '''ideal''' set of attributes:
 * [http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonPrincipalName eduPersonPrincipalName] ''or'' [http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonTargetedID eduPersonTargetedID]
 * [https://rnd.feide.no/attribute/cn/ cn] (common name)
 * [https://rnd.feide.no/attribute/mail/ mail]
 * [https://rnd.feide.no/attribute/o/ o] (organizationName) ''or'' [http://wiki.rediris.es/gtschema/Iriseduperson#schacHomeOrganization schacHomeOrganization]

=== Attribute release ===

 * [https://lindat.mff.cuni.cz/secure/attributes.xml automatically produced, current overview]
 * [http://www.clarin.eu/page/3578 older (outdated, manually maintained) overview]

== Attributes requested by SPF services ==

These should be listed in the SAML metadata about the SP; see recommendation 8 (!AttributeConsumingService) of https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp

= Service Provider outside of the SPF =

Sometimes a service provider and CLARIN reach an agreement about enabling login with CLARIN user accounts for that specific SP. In these cases the service provider metadata can be added to the staging feed. We prefer service providers to follow and release R&S and !CoCo.

Steps to be included:
 * The SP operator is responsible for '''registering and maintaining''' the SP metadata.
 * Put your !md:EntityDescriptor file in the directory https://github.com/clarin-eric/SPF-SPs-metadata/tree/master/metadata
 * Create a pull request on its ''master'' branch as described in https://github.com/clarin-eric/SPF-SPs-metadata/blob/master/README.md
 * Make sure the clarin-sp-metadata.xml file is still valid after your very last edit. To help you with this, after creating the pull request, the check_saml_metadata.sh script (https://github.com/clarin-eric/SAML-metadata-checker) will run automatically on your pull request and the result will be visible in the pull request overview.
 * Only pull requests that pass this check will be considered. After this, the central office will review your SAML metadata and, if no outstanding issues are found, add it to the CLARIN SPF pre-production metadata source file.
 * Once the pull request is accepted and has passed the quality checks, the SPF operator can include the SP in the staging feed by adding it to the centre registry:
   * either by assigning it to a centre (preferred),
   * or by using the Non SPF SP / staging metadata.

Staging metadata will not be pushed to eduGAIN or any of the national federations.
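The following is an added example, not code from the CLARIN SPF project or from the SAML metadata checker. It is a local pre-flight check an SP operator can run before opening either of the pull requests described on this page: it derives the file name prescribed by the naming convention in "Changing the SAML metadata about SPF SPs", and it checks that the md:EntityDescriptor declares an !AttributeConsumingService (guideline recommendation 8) requesting at least the minimal set from "Attributes in the SPF", reporting missing ideal-set attributes as warnings. Assumptions not taken from this page: the `.xml` file extension, the attribute OIDs (taken from the eduPerson, LDAP and SCHAC schemas), and the constructed sample metadata for `sp.example.org`. XSD validation is deliberately left to the checker that runs on the pull request; this script only checks well-formedness and the conventions above.

```python
"""Pre-flight check for an SP's SAML metadata file before a CLARIN SPF pull request.
Added example; not the project's own code. OIDs and the .xml extension are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Attribute OIDs from the eduPerson, LDAP and SCHAC schemas (the wiki names the
# attributes but not their OIDs).
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"        # eduPersonPrincipalName
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"      # eduPersonTargetedID
CN = "urn:oid:2.5.4.3"                           # cn
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"       # mail
ORG_NAME = "urn:oid:2.5.4.10"                    # o (organizationName)
SCHAC_HOME_ORG = "urn:oid:1.3.6.1.4.1.25178.1.2.9"  # schacHomeOrganization

# Minimal set: either identifier. Ideal set adds cn, mail and one of o/schacHomeOrganization.
MINIMAL_SET = [("eduPersonPrincipalName or eduPersonTargetedID", {EPPN, EPTID})]
IDEAL_EXTRA = [("cn", {CN}), ("mail", {MAIL}), ("o or schacHomeOrganization", {ORG_NAME, SCHAC_HOME_ORG})]


def metadata_file_name(entity_id: str, extension: str = ".xml") -> str:
    """Wiki naming convention: drop the http(s):// scheme and encode '/' as %2F.
    The extension is an assumption; the convention on the page does not state one."""
    return re.sub(r"https?://", "", entity_id).replace("/", "%2F") + extension


def check_sp_metadata(xml_text: str, file_name: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors should be fixed before the pull request;
    warnings flag ideal-set attributes that are not requested."""
    errors: List[str] = []
    warnings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], warnings
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element {root.tag} is not md:EntityDescriptor"], warnings
    entity_id = root.get("entityID")
    if not entity_id:
        return ["EntityDescriptor has no entityID"], warnings
    expected = metadata_file_name(entity_id)
    if file_name != expected:
        errors.append(f"file name {file_name!r} does not follow the convention ({expected!r})")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        errors.append("no md:SPSSODescriptor: this is not SP metadata")
        return errors, warnings
    if sp.find("md:AssertionConsumerService", NS) is None:
        errors.append("SPSSODescriptor has no AssertionConsumerService endpoint")
    # Guideline recommendation 8: the attributes the SP needs must be declared in an
    # AttributeConsumingService, otherwise IdPs have nothing to base their release on.
    requested: Set[str] = {
        ra.get("Name") for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    }
    if not requested:
        errors.append("no AttributeConsumingService/RequestedAttribute elements (recommendation 8)")
        return errors, warnings
    for label, oids in MINIMAL_SET:
        if not oids & requested:
            errors.append(f"minimal set not met: {label} not requested")
    for label, oids in IDEAL_EXTRA:
        if not oids & requested:
            warnings.append(f"ideal set: {label} not requested")
    return errors, warnings


def sample_metadata(entity_id: str, *oids: str) -> str:
    """Constructed sample SP metadata for a fictional SP (not a real CLARIN SP)."""
    fmt = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    requested = "".join(f'<md:RequestedAttribute Name="{o}" NameFormat="{fmt}"/>' for o in oids)
    acs = ""
    if oids:
        acs = ('<md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example SP'
               f'</md:ServiceName>{requested}</md:AttributeConsumingService>')
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>{acs}'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    entity = "https://sp.example.org/shibboleth"
    name = metadata_file_name(entity)
    print("file name:", name)
    for label, xml in [("complete", sample_metadata(entity, EPPN, CN, MAIL, SCHAC_HOME_ORG)),
                       ("no AttributeConsumingService", sample_metadata(entity)),
                       ("no identifier", sample_metadata(entity, CN, MAIL))]:
        errs, warns = check_sp_metadata(xml, name)
        print(f"{label}: errors={errs} warnings={warns}")
```

Run it on your own file with `check_sp_metadata(open(path).read(), os.path.basename(path))` before pushing; an empty error list means the file name and the requested attributes follow the page's conventions, while the XSD check on the pull request still decides whether the operators will look at it.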