Note: this page is in the process of being updated (Nov 2016)
A good starting point for information about the Service Provider Federation is the public page https://www.clarin.eu/content/service-provider-federation
This wiki page contains the nitty-gritty technical details.
CLARIN IdP
Central Discovery Service
Service Provider Federation
- for new SP admins: Full tutorial about setting up a Shibboleth Service Provider
- for an overview about the metadata distribution in the SPF: Distribution Matrix: overview of manual SAML metadata updates
- Information about including logos in SAML metadata: recommendations and a related standardization discussion
- Login testing: Manual testing of logins.
- Recommendations on certificates: use self-signed ones for the SAML metadata and well-accepted ones for your webserver.
Changing the SAML metadata about SPF SPs
- Commit the changes to source:aai/clarin-sp-metadata.xml in the CLARIN SVN repository
- Make sure to check the XSD validity of the file! Be prepared to put 5 EUR in the CLARIN developers tipping box if you commit a non-valid file.
- Every hour a cron job automatically checks out the latest version at http://infra.clarin.eu/aai/clarin-sp-metadata.xml
How to add SAML metadata about the CLARIN IdP to your SP configuration
- See the tutorial
Information per Identity Federation
(original source no longer available)
Haka (Finland)
cn, sn, displayName, eduPersonPrincipalName, schacHomeOrganization, schacHomeOrganizationType
The major unique identifier: Currently, ePPN is the predominant unique ID.
The federation operator has published instructions on the use of ePTID but hasn't strongly insisted on its use.
Adding an SP: Haka?
DFN-AAI
attributes
sn, email, ePPN, ePSA, ePEntitlement, ePTID
What is the predominant unique identifier for end users?
- eduPersonPrincipalName (ePPN)
- eduPersonTargetedID (ePTID) / SAML2 PersistentID
Is there a policy for what should be used as the unique ID? No.
SURFconext
Mandatory attributes: No mandatory attributes
The major unique identifier: eduPersonPrincipalName (ePPN) - there is no formal policy for what should be used as the unique ID
UK federation
See section 7 of http://www.ukfederation.org.uk/library/uploads/Documents/technical-recommendations-for-participants.pdf for the recommended attributes in the UK.
Attributes in the SPF
The minimal set of required attributes:
The ideal set of attributes:
- cn (common name)
- o (organizationName) or schacHomeOrganization
Attribute release
Attributes requested by SPF services
These should be listed in the SAML metadata about the SP - see recommendation 8 (attributeconsumingservice) of https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp
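
One way to check that each SP entry in a metadata file declares the attributes it requests, as the recommendation above asks (an added example, not CLARIN's own tooling; the sample metadata, entityIDs and the function names are constructed for illustration):

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample, trimmed (no endpoints or keys); not taken from clarin-sp-metadata.xml.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example SP 1</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def requested_attributes(metadata_xml):
    """Map each SP entityID to [(attribute label, is_required), ...]."""
    root = ET.fromstring(metadata_xml)
    report = {}
    # iter() also matches the root, so a file holding one EntityDescriptor works too.
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # not an SP entry (e.g. an IdP)
        attrs = []
        for ra in entity.findall(
                "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
            label = ra.get("FriendlyName") or ra.get("Name")
            # isRequired is an xs:boolean ("true" or "1"); it defaults to false.
            attrs.append((label, ra.get("isRequired", "false") in ("true", "1")))
        report[entity.get("entityID")] = attrs
    return report

def undeclared(report):
    """SPs with no RequestedAttribute, so IdPs cannot tell what to release."""
    return sorted(e for e, attrs in report.items() if not attrs)

if __name__ == "__main__":
    rep = requested_attributes(SAMPLE)
    for entity_id, attrs in rep.items():
        print(entity_id, attrs or "NO RequestedAttribute declared")
```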