
Considerations for exposing a SAML SP to Federation and Interfederation.

Metadata

Load SAML metadata that also includes entities known via Interfederation agreements, such as eduGAIN:

eduID.at Metadata for Interfederation

Access control

No assumptions should be made about the provenance or quality of identities from federated or interfederated IdPs. If your service should only be available to certain user groups (e.g. students, faculty or staff of academic institutions) be sure to enforce this via explicit access control configuration. That avoids any surprises with regard to account issuing practices at other institutions or IdPs.

IdP Discovery

Manually managing lists of IdPs does not scale well and may also not provide a proper user experience. Implement IdP discovery, i.e., allow subjects to choose their interfederated IdPs from all available ones, by using one of these available Free/Libre software projects:

Contact ACOnet for help with integrating one of these implementations into your website.

Fallback discovery services

If all else fails you can make use of one of the central "fallback" discovery interfaces provided by ACOnet.

This instance of the SWITCHwayf software may be more familiar to subjects from ACOnet institutions since an older version had been in use at https://wayf.aco.net/ since 2007. This software still works (without its dynamic features) when JavaScript is disabled in the web browser (though not much else on the web will work in such a setup).


The DiscoJuice software has a more unusual look and feel but also provides additional features such as grouping (and limiting) IdPs by country or sorting suggested IdPs based on their distance via geolocation of the web browser. This DiscoJuice instance does not currently work when JavaScript is disabled.

Account for missing attributes from the IdP

Consider handling any access errors due to missing attributes as gracefully as possible. That includes giving precise instructions to the subject on what failed, why, and what to do about it. The support or technical contact data for the IdP, taken from SAML metadata, could be offered as part of that message.
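The access control and missing-attribute handling described above, as an added example that is not part of this page or of any ACOnet software. It assumes the SP hands the released attributes to the application as a dictionary of name to value list, and uses a constructed metadata snippet for a hypothetical IdP (entityID, scope and contact address are made up). It also goes one step beyond the text by only counting affiliations whose scope the IdP is registered as authoritative for in metadata.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample metadata for a hypothetical IdP; not real federation data.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:shibmd="{SHIBMD}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

REQUIRED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")
ALLOWED = {"student", "faculty", "staff"}


def idp_info(metadata_xml, entity_id):
    """Return (scopes, contacts) for entity_id from metadata, or (set(), {}) if unknown."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        scopes = {s.text for s in ed.iter(f"{{{SHIBMD}}}Scope") if s.get("regexp") != "true"}
        contacts = {}
        for cp in ed.iter(f"{{{MD}}}ContactPerson"):
            mail = cp.findtext(f"{{{MD}}}EmailAddress", default="")
            contacts[cp.get("contactType")] = mail.replace("mailto:", "", 1)
        return scopes, contacts
    return set(), {}


def authorize(attrs, entity_id, metadata_xml=SAMPLE_METADATA):
    """attrs maps attribute name -> list of values as released by the IdP.
    Returns (allowed, message); the message is meant to be shown to the subject."""
    scopes, contacts = idp_info(metadata_xml, entity_id)
    missing = [a for a in REQUIRED if not attrs.get(a)]
    if missing:
        who = contacts.get("support") or contacts.get("technical") or "the operator of your IdP"
        return False, (f"Your IdP ({entity_id}) did not release {', '.join(missing)}; "
                       f"ask {who} to release these attributes to this service.")
    # Only trust affiliations whose scope the IdP is registered as authoritative for.
    affiliations = set()
    for value in attrs["eduPersonScopedAffiliation"]:
        name, _, scope = value.partition("@")
        if scope in scopes:
            affiliations.add(name)
    if not affiliations & ALLOWED:
        return False, "This service is limited to students, faculty and staff of academic institutions."
    return True, "access granted"
```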
