Note: this page is in the process of being updated (Nov 2016)

A good starting point for information about the Service Provider Federation is the public page ​https://www.clarin.eu/content/service-provider-federation

This wiki page contains the nitty-gritty technical details.

CLARIN IdP

See InfrastructureOverview

Central Discovery Service

See InfrastructureOverview

Service Provider Federation

• for new SP admins: ​Full tutorial about setting up a shibboleth Service Provider

• for an overview about the metadata distribution in the SPF: Distribution Matrix: overview of manual SAML metadata updates

• Information about including logos in SAML metadata: ​recommendations and a related ​standardization discussion

• Login testing: Manual testing of logins.

• Recommendations on ​certificates: use self-signed ones for the SAML metadata and well-accepted ones for your webserver.

Changing the SAML metadata about SPF SPs

• Commit the changes to source:aai/clarin-sp-metadata.xml in the CLARIN SVN repository
• Make sure to check the XSD validity of the file! Be prepared to put 5 EUR in the CLARIN developers tipping box if you commit a non-valid file.
• Every hour a cron job automatically checks out the latest version at ​http://infra.clarin.eu/aai/clarin-sp-metadata.xml

How to add SAML metadata about the CLARIN IdP to your SP configuration

• See the ​tutorial

Information per Identity Federation

(original ​source no longer available))

Haka (Finland)

cn, sn, displayName, eduPersonPrincipalName, schacHomeOrganization, schacHomeOrganizationType

The major unique identifier: Currently, ePPN is the predominant unique ID.

The federation operator has published instructions on use of ePTID but hasn't strongly insisted its use.

Adding an SP: Haka?

DFN-AAI

attributes

sn, email, ePPN, ePSA, ePEntitlement, ePTID

What is the predominant unique identifier for end users?

• eduPersonPrincipalName (ePPN)
• eduPersonTargetedID(ePTID)/SAML2 PersistentID

Is there a policy for what should be used as the unique ID? No.

SURFconext

Mandatory attributes: No mandatory attributes

The major unique identifier: eduPersonPrincipalName (ePPN) - there is no formal policy for what should be used as the unique ID

UK federation

See section 7 of ​http://www.ukfederation.org.uk/library/uploads/Documents/technical-recommendations-for-participants.pdf for the recommended attributes in the UK.

Attributes in the SPF

The minimal set of required attributes:

• ​eduPersonPrincipalName or ​eduPersonTargetedID

The ideal set of attributes:

• ​eduPersonPrincipalName or ​eduPersonTargetedID

• ​cn (common name)
• ​mail
• ​o (organizationName) or ​schacHomeOrganization

Attribute release

• ​automatically produced, current overview
• ​older (outdated, manually maintained) overview

Attributes requested by SPF services

These should be listed in the SAML metadata about the SP - see recommendation 8 (attributeconsumingservice) of ​https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp