Skip to content
This repository has been archived by the owner on Jul 11, 2018. It is now read-only.

Publish eduGAIN metadata

Jump to bottom
Remold edited this page Jul 31, 2015 · 1 revision

Introduction to eduGAIN

The GÉANT eduGAIN service is intended to enable the trustworthy exchange of information related to identity, authentication and authorisation between the GÉANT (GN3plus) Partners' federations. The eduGAIN service will deliver this by coordinating elements of the federations' technical infrastructure and by providing a policy framework controlling the exchange of this information.

The pictures below give an overview of eduGAIN membership in Europe and Globally, as per August 1, 2015. More information is available at: http://www.edugain.org/technical/status.php

So, what is eduGAIN and what is it not?

  • EduGAIN consists of a number of agreements and procedures, and has members who have signed these agreements;
  • EduGAIN is not a hub-and-spoke or a mesh federation. It only enables entities to find each other;
  • The eduGAIN service publishes the eduGAIN metadata file which is a collection of Service Provider (SP) and Identity Provider (IdP) metadata, verified by the member NREN’s;
  • The national federations are responsible for publishing the metadata of those IdPs and SPs in their federation that want to participate in eduGAIN;
  • Using the eduGAIN metadata, SPs can find and connect with IdPs and IdPs can find and connect with SPs.
  • eduGAIN does not offer a discovery service.

Publish eduGAIN metadata from OpenConext

OpenConext is able to publish eduGAIN formatted metadata of selected IdP's and SP's connected to OpenConext.

OpenConext will publish the eduGAIN formatted metadata here: https://engine.demo.openconext.org/authentication/proxy/edugain-metadata

This metadata can then be incorporated in the overall eduGAIN metadata file (http://mds.edugain.org/).

Preparing an SP entry

The following information is required in the OpenConext ServiceRegistry entry of the SP to publish the SP correctly in the eduGAIN metadata feed:

Connection

  • A valid EntityID/Connection ID which is provided in the SPs' metadata
    • Metadata URL (This URL must be accessible from the internet)
    • State: Production
    • Type: SAML 2.0 SP
  • Metadata
    • coin:publish_in_edugain : checked
    • coin:publish_in_edugain_date : The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes. This may, for example, correspond to the time a document is signed. Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier. (ie: '2013-05-03T16:31:26Z' ) (See http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html element 'creationInstant' )

The SP's metadata is retrieved from the SP's metadata URL and complemented with the eduGAIN specific information stored in the OpenConext ServiceRegistry (i.e.: the coin:publish_in_edugain_date)

##Preparing an IdP entry The following information is required in the OpenConext ServiceRegistry entry of the IdP to publish the IdP correctly in the eduGAIN metadata feed:

Connection

  • A valid EntityID/Connection ID which is provided in the IdPs' metadata
    • State: Production
    • Type: SAML 2.0 IdP
  • Metadata
    • coin:publish_in_edugain: checked
    • coin:publish_in_edugain_date: The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes. This may, for example, correspond to the time a document is signed. Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier. (ie: '2013-05-03T16:31:26Z' ) (See http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html element 'creationInstant' )
    • shibmd:scope:#:allowed : The scope of the IdP. It is recommended to specify this field. _The # is a place holder for 1,2,3,4 or 5. _ When a scope is provided in the IdPs' metadata this field must be added.
    • shibmd:scope:#:regexp : Defaults to 'false' when not provided. (See: https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0)
    • OrganizationName:en : At least the English Organization Name must be provided, the NL name is optional.
    • OrganizationDisplayName:en : At least the English Organization Display Name must be provided, the NL name is optional.
    • OrganizationURL:en : At least the English Organization URL must be provided, the NL name is optional.

See for more information regarding the shibmd:scope: https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0

Clone this wiki locally