Considerations for exposing a SAML Service Provider to users and institutions registered with other Identity Federations via Interfederation arrangements (such as eduGAIN).
No assumptions should be made about the provenance or quality of identities from federated or interfederated IDPs based purely on successful authentication at a SAML IDP. If your service should only be available to certain user groups (e.g. students, faculty or staff at academic institutions), be sure to enforce this via explicit access control configuration based on the attributes sent by the SAML IDP.
That avoids any surprises with regard to account issuing practices at other institutions or IDPs.
As always, use the provided Metadata Verification Key to make sure the metadata is authentic and hasn't been tampered with.
For the Shibboleth SP check out the complete configuration examples provided.
Manually managing lists of Identity Providers users may choose to log in from does not scale well and may also not provide a proper user experience. In most cases it's best to implement IDP discovery using additional software components which allow subjects to easily choose their interfederated IDP from all available ones. You can see the following Free/Libre software projects in action at the eduID.at Demo SP:
In the future there may be other options, including https://seamlessaccess.org/
Contact ACOnet for help with integrating one of these implementations into your website.
Fallback discovery services
If all else fails you can make use of one of the central "fallback" discovery interfaces provided by ACOnet.
There are currently two central "fallback" IDP Discovery Services available within eduID.at which are Interfederation-enabled:
Prepare for missing attributes from IDPs
Consider handling any access errors due to missing attributes as gracefully as possible. That includes giving precise instructions to the subject on what failed, why, and what to do about it. The support or technical contact data for the IDP, taken from its SAML metadata, should be offered as part of that message.
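The two recommendations above (attribute-based access control rather than trusting authentication alone, and a precise error message with the IDP's contact data when an attribute is missing) as an added example in Python; this is not code from the original page or from ACOnet. The IDP metadata, the entityID, the contact address and the allowed affiliations and scopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample metadata for a hypothetical interfederated IdP (not a real entity).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <ContactPerson contactType="support">
    <GivenName>IdP Helpdesk</GivenName>
    <EmailAddress>mailto:helpdesk@example.edu</EmailAddress>
  </ContactPerson>
</EntityDescriptor>"""

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Policy (assumed for this example): only these affiliations, and only from
# explicitly approved scopes, i.e. institutions this service has decided to serve.
ALLOWED_AFFILIATIONS = {"student", "faculty", "staff"}
ALLOWED_SCOPES = {"example.edu"}

def support_contact(metadata_xml):
    """Return the support (or, failing that, technical) contact e-mail from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    for kind in ("support", "technical"):
        for cp in root.findall(f"{{{MD}}}ContactPerson[@contactType='{kind}']"):
            email = cp.findtext(f"{{{MD}}}EmailAddress")
            if email:
                return email.removeprefix("mailto:")
    return None

def authorize(attributes, metadata_xml):
    """Decide access from released SAML attributes, never from authentication alone.

    attributes: dict of attribute name -> list of values as released by the IdP.
    Returns (allowed, message); on denial the message names the failing attribute
    and whom to contact, so the subject knows what to do next.
    """
    values = attributes.get("eduPersonScopedAffiliation", [])
    contact = support_contact(metadata_xml) or "your institution's IdP operator"
    if not values:
        return False, ("Access denied: your identity provider did not release the "
                       "attribute 'eduPersonScopedAffiliation' required by this service. "
                       f"Please ask {contact} to release it to this service provider.")
    for value in values:
        affiliation, _, scope = value.partition("@")
        if affiliation in ALLOWED_AFFILIATIONS and scope in ALLOWED_SCOPES:
            return True, f"Access granted as {affiliation} at {scope}."
    return False, ("Access denied: this service is only open to students, faculty and "
                   f"staff of participating institutions; received {values}. "
                   f"Contact {contact} if you believe this is an error.")
```

A value without a scope, or with a scope the service has not approved, is rejected even when the affiliation itself is acceptable; this mirrors the point that a successful login at some IDP says nothing about whether its account-issuing practices meet the service's requirements.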
TODO: More technical information to come.
To make your Service Provider available to subjects from other interfederated institutions contact ACOnet in order for your entity to become visible to eduGAIN (and from there to other eduGAIN-participating federations and institutions).