
Considerations for SAML Identity Providers for use with services registered with other Identity Federations via Interfederation arrangements (such as eduGAIN).

Metadata

IDPs in eduID.at can always load SAML Metadata that also includes entities known via Interfederation agreements, such as eduGAIN. Only SPs will be relevant to an IDP and communication with SPs will be managed via attribute release policies (see below), not metadata exclusion.

eduID.at Metadata for Interfederation

http://eduid.at/md/aconet-interfed.xml

As always, use the provided Metadata Verification Key to make sure the metadata is authentic and hasn't been tampered with.

Make attributes available

Adjust the IDP configuration to look up and/or generate potentially missing attributes. All eduID.at-registered IDPs should be able to produce the following attributes:

  • Name attributes
    • displayName
    • givenName
    • sn
  • Identifiers
    • eduPersonTargetedId (a.k.a. SAML2 persistent NameID)
    • eduPersonPrincipalName
    • mail
  • Authorization
    • eduPersonScopedAffiliation
    • eduPersonEntitlement
  • Organizational data
    • schacHomeOrganization
    • schacHomeOrganizationType

Attribute release

Adjust the IDP configuration to scalably release selected attributes to appropriate SPs.

The best option currently available for this is Entity Categories, which allow Service Providers to be grouped by common criteria so that certain attributes can be released to whole categories of SPs. This is a risk-based approach, enabling low-risk transactions with high benefit.
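To show how category-based release works in practice, here is an added example (not code from this page or from eduID.at) that reads entity categories from interfederation metadata and decides which of the attributes listed above an IdP may release to a given SP, with default deny for SPs carrying no recognised category. The metadata is constructed inline; the REFEDS Research & Scholarship category URI and its attribute bundle are assumptions taken from the REFEDS specification, not from this page.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"  # assumed REFEDS R&S URI

# Release policy: category -> attributes an SP in that category may receive.
# The R&S bundle is assumed from the REFEDS spec; unknown categories release nothing.
RELEASE_POLICY = {
    RS_CATEGORY: {"eduPersonPrincipalName", "mail", "displayName",
                  "givenName", "sn", "eduPersonScopedAffiliation"},
}

# Constructed sample metadata: one SP tagged R&S, one SP with no category.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def entity_categories(metadata_xml):
    """Map each SP entityID in the metadata to the set of entity categories it carries."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:SPSSODescriptor", NS) is None:
            continue  # only SPs are relevant to an IdP
        cats = set()
        for attr in ed.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        result[ed.get("entityID")] = cats
    return result

def attributes_to_release(entity_id, categories, available):
    """Return the sorted attributes the SP's categories entitle it to; unknown SPs get nothing."""
    allowed = set()
    for cat in categories.get(entity_id, set()):
        allowed |= RELEASE_POLICY.get(cat, set())
    return sorted(allowed & set(available))
```

Releasing on the basis of an entity category only makes sense if the metadata carrying that category was verified against the Metadata Verification Key first, since the category is asserted by the registering federation, not by the SP.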

TODO: Detailed technical information to follow!

Notify ACOnet

To make your Identity Provider usable with services from other interfederated institutions, contact ACOnet so that your entity becomes visible to eduGAIN (and from there to other eduGAIN-participating federations).
