Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: pros/cons of external SAMLDS

...

Note
iconfalse

Do not assume that anyone/anything that can authenticate at an institutional SAML IDP is necessarily a member in good standing of that institution.

That avoids any surprises with regard to account issuing practices at other institutions or IDPs.

Metadata

Load SAML Metadata that also (i..e, in addition to eduID.at member SPs) includes entities known via Interfederation agreements, such as eduGAIN:

Info
iconfalse
titleeduID.at Metadata for Interfederation

http://eduid.at/md/aconet-interfed.xml

As always, use the provided Metadata Verification Key to make sure the metadata is authentic and hasn't been tampered with.

For the Shibboleth SP check out the complete configuration examples provided.

Operational aspects

The interfederation-enabled SAML 2.0 Metadata document (see above) is much larger (1-2 orders of magnitude) than the one only containing entities covered by the eduID.at policies. So make sure the machine your SAML SP implementation runs on has sufficient memory (RAM) available.
xmldsig-signature validation on these large documents may also take significant CPU resources (relevant when updating metadata every few hours or every day), but adding more CPU cores to a machine will not typically speed up this process significantly as it cannot be parallelised.

The Shibboleth SP software in particular has an issue only affecting its first start, when no previously downloaded, validated and cached metadata is available locally. The Shibboleth wiki provides some ways of dealing with that (e.g. by adding a configuration snippet that disables systemd's process start timeout). Also manually starting shibd before (re-)restarting it via the service manager (systemd or otherwise) should take care of that issue.
Be sure to  follow our configuration examples, particularly with regards to the verifyBackup="false" setting on the Signature MetadataFilter.

IDP Discovery

In order to log in to a federated service the subject needs to be able to select the IDP they want to log in with/from. The most useful and obvious way to do this is by presenting the subject with a user interface to select/find their organisation by name.

Manually managing lists of of Identity Providers users my chose to may log in from does not scale well , is not sufficiently dynamic (IDPs' names and/or logos may change over time) and may also not provide a proper user experience. In most cases it's best to implement IDP discovery using additional software components which allow subjects to easily choose their interfederated IDPs from all available ones. You can see the following Free/Libre software projects in action at the eduID.at SAML Demo SP:

Contact ACOnet for help with integrating one of these implementations into your website.

Fallback discovery services

It will therefore be necessary to deploy or utilise some kind of IDP discovery service.
(The eduID.at Demo SP currently demonstrates use of 3 different IDP discovery interfaces. A real production service would of course not do this.)

External discovery services

You can always If all else fails you can make use of one of the central "fallback" discovery interfaces interface provided by ACOnet or Seamless Access. 

Note
iconfalse

Using the fallback an external discovery service is is not recommended as it sends users away from the service (which may be seen as disrupting the access process) and may confuse users due to different designs at the Service Provider, the central IDP Discovery Service and again at the Identity Provider.

There are currently two central "fallback" IDP Discovery Service avalable within eduID.at which are Interfederation-enabled:

Info
iconfalse
titleSWITCHwayf

https://eduid.at/ds/wayf/interfed/

This instance of the SWITCHwayf software may be more familiar to subjects from ACOnet institutions since an older version had been in use at https://wayf.aco.net/ since 2007. This software still works (without its dynamic features) when JavaScript is disabled in the web browser (though not much else on the web will work in such a setup).

 

Info
iconfalse
titleDiscoJuice

https://eduid.at/ds/juice/interfed/

On the plus side, external discovery services usually implement the relevant specifications and may have performed usability testing of their interfaces which may not be the case (or may be too much work when done properly) for home-grown/ad-hoc implementations.

See Discovery Services for more, including references to Seamless AccessThe DiscoJuice software has a more unusual look and feel but also provides additional features such as grouping (and limiting) IDPs by country or sorting suggested IDPs based on their distance from the web browser (via the HTML5 Geolocation API). This DiscoJuice instance does not currently work when JavaScript is disabled.

Prepare for missing attributes from IDPs

Consider handling any access errors due to missing attributes as gracefully as possible. That includes giving precise instructions to the subject on what failed, why and what to do about it. Using information from SAML metadata support or technical contact data for the IDP should be offered.TODO: More technical information to come, see this example from the eduGAIN Wiki for a demonstration.

Notify ACOnet

To make your Service Provider available to subjects from other interfederated institutions contact ACOnet in order for your entity to become visible to eduGAIN (and from there to other eduGAIN-participating federations and institutions).