Version 47 (modified 7 years ago)
Table of Contents
- CLARIN IdP
- Central Discovery Service
- Service Provider Federation
Note: this page is in the process of being updated (Oct 2017)
A good starting point for information about the Service Provider Federation is the public page https://www.clarin.eu/content/service-provider-federation
This wiki page contains the nitty-gritty technical details.
CLARIN IdP
Central Discovery Service
Service Provider Federation
- for new SP admins: Full tutorial about setting up a Shibboleth Service Provider
- for an overview of the metadata distribution in the SPF: Distribution Matrix: overview of manual SAML metadata updates
- Information about including logos in SAML metadata: recommendations and a related standardization discussion
- Login testing: Manual testing of logins.
- Recommendations on certificates: use self-signed ones for the SAML metadata and well-accepted ones for your webserver.
Changing the SAML metadata about SPF SPs
- Fork the CLARIN SPs metadata repository on GitHub.
- Commit the changes to the clarin-sp-metadata.xml metadata file in your fork.
- Create a pull request from your modified fork to the 'master' branch of the original repository.
- After the pull request is created, Travis CI automatically runs the SAML metadata checker, which checks the XSD validity of the file. You can monitor the progress and result of the check on the pull request page as in this example. Wait for the check to finish and make sure you get a green check-mark at the end. If instead you see a red 'X' mark, fix your commit based on the Travis CI output and update the pull request. To see the test output, click on the result icon ('V' or 'X'), which takes you to the Travis CI interface.
- When your pull request passes XSD validation, a CLARIN SPF operator will merge it into the 'master' branch of the original repository for QA assessment. Note: the SPF operators will only consider pull requests which are XSD valid for merging. If you cannot make your file pass the XSD validation, or you believe you are hitting a false positive, please create a GitHub issue explaining the problem.
- Every hour a cron job automatically analyzes the latest 'master' version and generates a QA report visible in this spreadsheet. Check this spreadsheet for entries concerning your SP and fix any outstanding issues following the CLARIN SP SAML metadata guidelines. During this stage your new metadata is already scheduled to be merged into the 'production' branch and subsequently propagated to the various identity federations. However, before this happens, and depending on the QA results for your SP, you might be contacted by an SPF operator to fix or improve your metadata before propagation.
- Finally, your metadata will be merged into the 'production' branch and picked up by an hourly cron job which automatically checks out the latest version and publishes it at http://infra.clarin.eu/aai/prod_clarin_sp_metadata.xml
How to add SAML metadata about the CLARIN IdP to your SP configuration
- See the tutorial
Information per Identity Federation
(original source no longer available)
Haka (Finland)
cn, sn, displayName, eduPersonPrincipalName, schacHomeOrganization, schacHomeOrganizationType
The major unique identifier: Currently, ePPN is the predominant unique ID.
The federation operator has published instructions on the use of ePTID but hasn't strongly insisted on its use.
DFN-AAI
attributes
sn, email, ePPN, ePSA, ePEntitlement, ePTID
What is the predominant unique identifier for end users?
- eduPersonPrincipalName (ePPN)
- eduPersonTargetedID(ePTID)/SAML2 PersistentID
Is there a policy for what should be used as the unique ID? No.
SURFconext
Mandatory attributes: No mandatory attributes
The major unique identifier: eduPersonPrincipalName (ePPN) - there is no formal policy for what should be used as the unique ID
UK federation
See section 7 of http://www.ukfederation.org.uk/library/uploads/Documents/technical-recommendations-for-participants.pdf for the recommended attributes in the UK.
Requesting changes to the IdP blacklist
- See SPF blacklist information page.
Attributes in the SPF
The minimal set of required attributes:
The ideal set of attributes:
- cn (common name)
- o (organizationName) or schacHomeOrganization
Attribute release
Attributes requested by SPF services
These should be listed in the SAML metadata about the SP - see recommendation 8 (AttributeConsumingService) of https://www.clarin.eu/content/guidelines-saml-metadata-about-your-sp
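The pull-request procedure above only tells you whether the file is XSD valid once Travis CI has run; the QA stage then looks at the recommendations (certificate in the metadata, logo, requested attributes declared in an AttributeConsumingService as in recommendation 8). The script below is an added example, not the SPF's own metadata checker and not code from the CLARIN project: it is a local pre-check an SP admin can run on clarin-sp-metadata.xml before opening the pull request, so that the obvious QA findings are fixed beforehand. The sample metadata is constructed; the urn:oid names for cn, o and schacHomeOrganization are standard, and the https-only rule for endpoints is an assumption of this example that the page implies but does not state.

```python
"""Pre-flight lint for SP entries in a SAML metadata file (added example).

Not the SPF's XSD checker: this only looks for the recommendations an SPF
operator would raise at QA time. Sample metadata below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# The page's "ideal set" of attributes, as the urn:oid names used in metadata.
CN_OID = "urn:oid:2.5.4.3"
O_OID = "urn:oid:2.5.4.10"
SCHAC_HOME_ORG_OID = "urn:oid:1.3.6.1.4.1.25178.1.2.9"

# Constructed sample: one complete SP entry and one missing most recommendations.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:Logo height="64" width="64">https://sp.example.org/logo.png</mdui:Logo>
      </mdui:UIInfo></md:Extensions>
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-SELF-SIGNED-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <md:RequestedAttribute FriendlyName="o" Name="urn:oid:2.5.4.10"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp2.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def lint_sp_metadata(xml_text):
    """Return a list of (entityID, problem) pairs; empty means every check passed."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    findings = []
    seen = set()
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        entity_id = entity.get("entityID", "<missing entityID>")
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # the SPF file carries SP roles only; skip anything else
        if entity_id in seen:
            findings.append((entity_id, "duplicate entityID"))
        seen.add(entity_id)
        # Certificate recommendation: the (self-signed) SAML cert must be in the metadata.
        if sp.find(".//ds:X509Certificate", NS) is None:
            findings.append((entity_id, "no X509Certificate in KeyDescriptor"))
        # Logo recommendation: an mdui:Logo inside the UIInfo extension.
        if sp.find(".//mdui:Logo", NS) is None:
            findings.append((entity_id, "no mdui:Logo in UIInfo"))
        # Assumption of this example (not stated on the page): endpoints are https.
        for acs in sp.findall("md:AssertionConsumerService", NS):
            loc = acs.get("Location", "")
            if not loc.startswith("https://"):
                findings.append((entity_id, f"non-https AssertionConsumerService: {loc}"))
        # Recommendation 8: requested attributes declared in an AttributeConsumingService.
        attr_svc = sp.find("md:AttributeConsumingService", NS)
        if attr_svc is None:
            findings.append((entity_id, "no AttributeConsumingService (recommendation 8)"))
            continue
        requested = {ra.get("Name") for ra in attr_svc.findall("md:RequestedAttribute", NS)}
        if CN_OID not in requested:
            findings.append((entity_id, "cn not requested"))
        if not requested & {O_OID, SCHAC_HOME_ORG_OID}:
            findings.append((entity_id, "neither o nor schacHomeOrganization requested"))
    return findings


def ready_for_pull_request(xml_text):
    """True when no finding remains, i.e. the file is worth sending to the SPF."""
    return not lint_sp_metadata(xml_text)


if __name__ == "__main__":
    # Usage: python lint_sp_metadata.py clarin-sp-metadata.xml (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for entity_id, problem in lint_sp_metadata(text):
        print(f"{entity_id}: {problem}")
```

Run against the sample, the first SP produces no findings and the second produces four (missing certificate, missing logo, http endpoint, no AttributeConsumingService). The checks stop short of XSD validation on purpose: that part is what Travis CI does on the pull request, and this script is meant to catch the QA-stage findings earlier.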