For a Shibboleth Identity Provider to join one of the Tuakiri Federations (Test/Dev or Pilot/Production), the following steps have to be done:
- Registering the IdP in the Federation Registry
- Configuring the IdP to load the federation metadata
- Configuring the IdP to release the attributes required by the federation.
There will be two federations available:
- Tuakiri TEST/Dev (operational as of March 4, 2011)
- Tuakiri Prod/Pilot (to be live by April 15, 2011)
Federation Details
| Federation name | Tuakiri | Tuakiri TEST |
|---|---|---|
| Metadata name | | |
| Metadata distribution point | https://directory.tuakiri.ac.nz/metadata/metadata-tuakiri.signed.xml | https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml |
| Metadata signing certificate | https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem | https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem |
| Federation Registry URL | | |
| Discovery Service / WAYF URL | | |
Registering an IdP into the Federation Registry
Go to the respective Federation Registry URL and:
- Register an Organisation for your institution (if not already registered)
- Wait for the Organisation to be approved
- Register your IdP under that Organisation:
  - Provide the contact details for the IdP admin
  - Select the organisation and provide a name and description for your IdP
  - Enter the base URL for your IdP (e.g. https://idp.example.org)
  - Enter the PEM-encoded certificate your IdP uses to sign SAML assertions
  - Select the attributes the IdP will be able to release to the federation
  - Select the supported NameID formats. By default, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is already selected. If you also support SAML 1, select urn:mace:shibboleth:1.0:nameIdentifier as well.
- Submit the details and wait for your IdP to be approved.
Configuring your IdP to load the federation metadata:
The code snippets in this section use the values for the Tuakiri TEST/Dev federation. For the Production/Pilot federation substitute the URLs and file names from the table above. Note that this is not simply a matter of dropping the "test" component: the signing certificate name only loses "test", but the Production metadata file is named metadata-tuakiri.signed.xml, not tuakiri-metadata-signed.xml.
- Download the metadata signing certificate into $IDP_HOME/credentials. Fetch it over HTTPS (as listed in the table), since this certificate is the trust root for everything your IdP will learn about the federation; before relying on it, confirm its fingerprint with the federation operator through a separate channel:

  wget https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O /usr/local/shibboleth-idp/credentials/tuakiri-test-metadata-cert.pem
- In $IDP_HOME/conf/relying-party.xml, add the following snippet into the ChainingMetadataProvider. The metadata is fetched over HTTPS from the distribution point in the table, and the SignatureValidation filter with requireSignedMetadata="true" rejects any metadata that is not signed by the federation certificate configured in the trust engine:

```xml
<!-- Tuakiri Test -->
<MetadataProvider id="Tuakiri-TEST" xsi:type="FileBackedHTTPMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataURL="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
    backingFile="/usr/local/shibboleth-idp/metadata/tuakiri-test-metadata.xml">
  <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
        trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
  </MetadataFilter>
</MetadataProvider>
```
- And add the following snippet into the `<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">` element:

```xml
<security:Credential id="Tuakiri-Test-FederationCredentials-" xsi:type="security:X509Filesystem">
  <security:Certificate>/usr/local/shibboleth-idp/credentials/tuakiri-test-metadata-cert.pem</security:Certificate>
</security:Credential>
```
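The two snippets above only protect you if they are both present and wired together: a provider without a SignatureValidation filter, a filter with requireSignedMetadata left at its default of false, or a trustEngineRef pointing at an engine with no Credential all let unsigned metadata through. The following script is an added check, not code from the original page or from the Shibboleth distribution: it lints a relying-party.xml for exactly those conditions using only the Python standard library. The SAMPLE_RELYING_PARTY it contains is constructed for the example (one deliberately weak provider next to the hardened Tuakiri-TEST one); the lint function itself can be pointed at a real $IDP_HOME/conf/relying-party.xml.

```python
"""Added lint for a Shibboleth IdP 2.x relying-party.xml: is every remotely fetched
federation metadata source actually signature-checked? Standard library only."""
import xml.etree.ElementTree as ET

MD = "{urn:mace:shibboleth:2.0:metadata}"
SEC = "{urn:mace:shibboleth:2.0:security}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _local_type(elem):
    # xsi:type is a QName: "SignatureValidation" under a default namespace,
    # or "metadata:SignatureValidation" with a prefix. Compare the local part only.
    return elem.get(XSI_TYPE, "").split(":")[-1]


def lint_relying_party(xml_text):
    """Return a list of (provider id, problem) tuples. An empty list means every
    HTTP-fetched metadata provider requires a signature that is verified against
    a TrustEngine holding at least one Credential."""
    root = ET.fromstring(xml_text)
    findings = []

    # Trust engines, with how many Credentials each one can verify against
    engines = {te.get("id"): len(list(te.iter(SEC + "Credential")))
               for te in root.iter(SEC + "TrustEngine")}

    for mp in root.iter(MD + "MetadataProvider"):
        kind = _local_type(mp)
        if kind not in ("FileBackedHTTPMetadataProvider", "HTTPMetadataProvider"):
            continue  # chaining / filesystem providers are not fetched remotely
        pid = mp.get("id", "<no id>")

        if mp.get("metadataURL", "").startswith("http://"):
            findings.append((pid, "metadataURL is fetched over plain http; use https"))
        if kind == "FileBackedHTTPMetadataProvider" and not mp.get("backingFile"):
            findings.append((pid, "no backingFile, so the IdP cannot start while the federation is unreachable"))

        # Filters may be nested inside a ChainingFilter, so search the whole subtree
        sig_filters = [f for f in mp.iter(MD + "MetadataFilter")
                       if _local_type(f) == "SignatureValidation"]
        if not sig_filters:
            findings.append((pid, "no SignatureValidation filter; tampered metadata would be accepted"))
            continue
        for flt in sig_filters:
            if flt.get("requireSignedMetadata", "false").lower() != "true":
                findings.append((pid, "requireSignedMetadata is not true; unsigned metadata would be accepted"))
            ref = flt.get("trustEngineRef")
            if ref not in engines:
                findings.append((pid, "trustEngineRef %r names no TrustEngine" % ref))
            elif engines[ref] == 0:
                findings.append((pid, "TrustEngine %r has no Credential to verify signatures with" % ref))
    return findings


# Constructed sample (not a real IdP's config): a weak provider beside the hardened one.
SAMPLE_RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <!-- weak: plain http and no signature check at all -->
    <metadata:MetadataProvider id="Weak-Federation" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
        backingFile="/usr/local/shibboleth-idp/metadata/weak.xml" />
    <!-- hardened: https, signature required, trust engine pinned to the federation certificate -->
    <MetadataProvider id="Tuakiri-TEST" xsi:type="FileBackedHTTPMetadataProvider"
        xmlns="urn:mace:shibboleth:2.0:metadata"
        metadataURL="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
        backingFile="/usr/local/shibboleth-idp/metadata/tuakiri-test-metadata.xml">
      <MetadataFilter xsi:type="ChainingFilter">
        <MetadataFilter xsi:type="SignatureValidation"
            trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
      </MetadataFilter>
    </MetadataProvider>
  </metadata:MetadataProvider>
  <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="Tuakiri-Test-FederationCredentials" xsi:type="security:X509Filesystem">
      <security:Certificate>/usr/local/shibboleth-idp/credentials/tuakiri-test-metadata-cert.pem</security:Certificate>
    </security:Credential>
  </security:TrustEngine>
</rp:RelyingPartyGroup>
"""

if __name__ == "__main__":
    for pid, problem in lint_relying_party(SAMPLE_RELYING_PARTY):
        print("%s: %s" % (pid, problem))
```

Run against the sample, the hardened Tuakiri-TEST provider produces no findings and the weak one produces two (plain http, no SignatureValidation filter). To check a real deployment, read $IDP_HOME/conf/relying-party.xml into a string and pass it to lint_relying_party; anything it reports is a metadata source the IdP would trust without a verified federation signature.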
- Configure attribute release/filtering through the federation instead of an explicit local policy:
  - In $IDP_HOME/conf/attribute-filter.xml, comment out the explicit policy for https://registry.test.tuakiri.ac.nz/shibboleth
  - In $IDP_HOME/conf/service.xml, add the following entry to the `<Service id="shibboleth.AttributeFilterEngine" ...>` element. The URL is specific to each IdP and can be obtained from the Federation Registry. Unlike the metadata, this generated policy file carries no signature, so its integrity rests entirely on the TLS connection to the registry: make sure the IdP's JVM trusts the registry's certificate chain rather than disabling verification.

```xml
<ConfigurationResource xsi:type="resource:FileBackedHttpResource"
    url="https://registry.test.tuakiri.ac.nz/federationregistry/attributefilter/generate/3"
    file="/usr/local/shibboleth-idp/conf/tuakiri-test-attribute-filter.xml" />
```
Your IdP should now be able to authenticate users to service providers within the Tuakiri TEST/Dev federation.