For a Shibboleth Identity Provider to join one of the Tuakiri Federations (Test/Dev or Production), the following steps have to be completed:

There are two federations available, both fully operational:

We recommend first registering a Test system into Tuakiri-TEST and after successful testing, register a production-ready system into Tuakiri Production.

Federation Details

Tuakiri Production
  Metadata name: tuakiri.ac.nz
  Metadata distribution point: https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml
  Metadata signing certificate: https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem
  Federation Registry URL: https://registry.tuakiri.ac.nz/federationregistry/
  Discovery Service / WAYF URL: https://directory.tuakiri.ac.nz/ds/DS

Tuakiri TEST
  Metadata name: test.tuakiri.ac.nz
  Metadata distribution point: https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml
  Metadata signing certificate: https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem
  Federation Registry URL: https://registry.test.tuakiri.ac.nz/federationregistry/
  Discovery Service / WAYF URL: https://directory.test.tuakiri.ac.nz/ds/DS

Registering an IdP into the Federation Registry

Go to the respective Federation Registry URL and:

ECP support

If your IdP supports ECP, also advertise its ECP SSO endpoint in the Federation Registry registration for your IdP:

The IdP also needs to be configured to support ECP.

Configuring your IdP to load the federation metadata:

The code snippets in this section use values for the Tuakiri Production federation. If you are configuring your IdP to join the Tuakiri TEST/DEV federation, update them as per the table above. (For convenience, the key code snippets for that case are given in Appendix B - Tuakiri-TEST Federation below.)

NOTE: Check what your IdP home directory is. The directory is typically called shibboleth-idp; on Debian and Ubuntu systems it is commonly /usr/local/shibboleth-idp, while on RedHat and CentOS it is /opt/shibboleth-idp. The snippets below refer to the IdP home directory as $IDP_HOME.

Configure attribute release/filtering through the federation:

Now your IdP should be able to access service providers within the Tuakiri (Test/Dev) federation.

Appendix A - Alternative implementation

Loading the metadata and the attribute filter files from a remote URL makes the IdP depend on the availability of that URL. For the metadata itself, the IdP software should be sufficiently resilient to a temporary outage, but this is not the case for the attribute filter configuration. Tuakiri runs the servers serving these XML files according to best practices; however, some sites may prefer not to take on the risk and move the XML file loading out of the IdP into a separate process. This section describes that alternative implementation.

This implementation is based on an external script (fetch-xml.sh). The script downloads the XML file (over an HTTPS connection), checks the document for well-formedness, optionally verifies the signature on the downloaded document, and only if all checks pass replaces the original file with a single "mv". The IdP then detects the change and reloads the file.

The script takes three arguments: the remote URL, the local file name, and an email address to send any errors to (no email is sent if everything goes well).

An extra optional step (documented below) is to install XmlSecTool for verifying the signature. Without it, downloading the file over HTTPS and checking the XML structure still provides reasonable guarantees. If XmlSecTool is used, the script takes a fourth argument, the certificate to check the signature against, and XmlSecTool must be found either in the PATH or via the XMLSECTOOL environment variable.
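The following is an added example of such a script, reconstructed from the description above; it is not Tuakiri's own fetch-xml.sh. It assumes curl, xmllint (or python3 as a fallback) and a local "mail" command are installed, and that XmlSecTool is run as "$XMLSECTOOL" or "xmlsectool" with the --verifySignature, --inFile and --certificate options.

```shell
#!/bin/sh
# Reconstructed fetch-xml.sh (example, not Tuakiri's script).
# Usage: fetch-xml.sh URL LOCALFILE EMAIL [CERT]
# Assumes: curl; xmllint or python3; a local "mail" command; XmlSecTool reachable as
# "$XMLSECTOOL" or "xmlsectool" and accepting --verifySignature --inFile --certificate.

# Report a failure on stderr and by email (if an address was given); the live file is never touched.
report_error() {
    msg=$1; email=$2
    echo "fetch-xml: $msg" >&2
    [ -n "$email" ] && echo "$msg" | mail -s "fetch-xml failure on $(hostname)" "$email"
    return 1
}

# Succeed only if the file parses as well-formed XML (xmllint, falling back to python3).
xml_well_formed() {
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1" 2>/dev/null
    else
        python3 -c 'import sys, xml.dom.minidom; xml.dom.minidom.parse(sys.argv[1])' "$1" 2>/dev/null
    fi
}

# Optional step: verify the XML signature with XmlSecTool against the given certificate.
xml_signature_ok() {
    tool=${XMLSECTOOL:-xmlsectool}
    "$tool" --verifySignature --inFile "$1" --certificate "$2" >/dev/null 2>&1
}

# Replace the live file with one rename; the temp file sits in the same directory, so this is atomic.
install_atomically() {
    mv -f "$1" "$2"
}

fetch_xml() {
    url=$1; dest=$2; email=$3; cert=$4
    tmp="$dest.tmp.$$"
    trap 'rm -f "$tmp"' EXIT
    curl -fsS --max-time 120 -o "$tmp" "$url" || { report_error "download of $url failed" "$email"; return 1; }
    xml_well_formed "$tmp" || { report_error "$url is not well-formed XML" "$email"; return 1; }
    if [ -n "$cert" ]; then
        xml_signature_ok "$tmp" "$cert" || { report_error "signature check of $url failed" "$email"; return 1; }
    fi
    install_atomically "$tmp" "$dest"
}

# Only run when called with arguments, so the functions can also be sourced and tested.
[ "$#" -lt 3 ] || fetch_xml "$@"
```

Point the local file name at the copy the IdP's metadata provider or attribute filter configuration reads, and run the script from cron with the distribution point and signing certificate from the table above.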

To deploy this solution without XmlSecTool:

Optional: Installing XmlSecTool

Appendix B - Tuakiri-TEST Federation

This section gives the variants of the commands to be used when configuring the IdP to join the Tuakiri-TEST Federation (instead of Tuakiri Production).