Since late 2010 TERENA has run a SimpleSAMLphp instance that acts as a service provider proxy (SPP). To Identity Providers (IdPs) the proxy looks like a single Service Provider, so an IdP that has exchanged metadata with the proxy once can be used by every application in the TERENA administrative domain that sits behind it. Our goal is to connect as many of our services as possible to this proxy.
The SP proxy is connected to a large number of different Identity Providers (IdPs), including many guest identity providers.
At the moment these federated applications and services can be used through the SPP:
- FileSender - send files up to 100GB
- TNC2014 - TERENA Networking Conference 2014, which was held in Dublin
- TNC15 - The Networking Conference 2015, which will be held in Porto
- TNC16 - The Networking Conference 2016, to be held in Prague
- TACAR - TERENA Academic Certification Authority Repository
- The REFEDS wiki
- wiki.geant.org - GÉANT wiki
- EventR - Event Registration
- Compendium - TERENA NREN Compendium
- The AARC web site
- The GÉANT e-mail list manager (Sympa)
- The REFEDS web site
- The GÉANT Tools portal
Depending on the nature of a service, not every IdP is enabled for every service.
If you would like to get your IdP listed, we are happy to exchange metadata with you.
Your IdP should release at least eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) or eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) to us; releasing both is also fine.
Other attributes, such as mail, givenName, sn and o, are not strictly required, but without them the services are crippled.
For instance, without mail you will not be able to receive e-mail from FileSender or the wiki, and without givenName/sn you will appear as "First_name last_name".
Releasing them greatly improves the user experience, so we recommend that you release them as well.
To get started, send an e-mail to email@example.com and include the following information:
2. Metadata URL
The URL of the authoritative XML metadata for your IdP. This is usually a URL on the IdP itself. Depending on the software you are using, this might be:
- https://your.idp.com/simplesaml/saml2/idp/metadata.php (SimpleSAMLphp)
- https://your.idp.com/idp/shibboleth (Shibboleth)
If your IdP is part of a federation, it makes sense to send us the URL of the signed federation metadata batch instead; we can then cherry-pick the appropriate entityIDs from it. Please make sure that the metadata contains enough information for your IdP to be useful, so at the bare minimum these metadata entries:
- OrganizationDisplayName (in English as well as your local language)
- contactType, and a working
Please refer to http://simplesamlphp.org/docs/1.8/simplesamlphp-reference-idp-remote#section_1 for information about these entries.
Our SP proxy is configured to refresh metadata every 15 minutes, so changes you publish are picked up within that interval.
3. Signing certificate
The certificate used to sign your metadata; a URL or an attached certificate is fine. This implies that your metadata is signed, which is the usual configuration for an IdP and always the case for federation metadata. We use this certificate to verify the metadata signature on every refresh, so a metadata document whose signature does not verify against it will not be loaded.
If your IdP runs SimpleSAMLphp
You can copy the PHP metadata from the bottom of https://login.terena.org/wayf/module.php/saml/sp/metadata.php/default-sp?output=xhtml and paste it into your metadata/saml20-sp-remote.php. Note that pasted metadata is static: if you would rather pick up changes on our side automatically, SimpleSAMLphp's metarefresh module can fetch the same URL periodically.
If your IdP runs Shibboleth
- Make sure your IdP has access to a copy of our metadata. We recommend you use the "File Backed HTTP Metadata Provider" as listed on the Shibboleth wiki in your
- Provided you already have the necessary attributes defined in your attribute-resolver.xml, you only need to create the filter rules in attribute-filter.xml to actually release the data (for example eduPersonPrincipalName and mail).
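The attribute-filter.xml policy below is an added example, not a file from the TERENA page or from the Shibboleth project. It releases the identifiers required above (eduPersonPrincipalName and eduPersonTargetedID) and the recommended mail, givenName and sn to the proxy only. It uses the Shibboleth IdP v3 filter syntax and assumes the default attribute IDs from attribute-resolver.xml. The SP entityID is an assumption: SimpleSAMLphp uses the metadata URL as the default entityID, but take the actual value from the entityID attribute of the EntityDescriptor in the metadata you loaded.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for conf/attribute-filter.xml (Shibboleth IdP v3 syntax).
     Not from the TERENA page. The entityID below is an assumption: verify it
     against the EntityDescriptor in the proxy metadata you loaded. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <AttributeFilterPolicy id="releaseToTerenaSpProxy">
    <!-- Scope the release to this one SP entityID. Do not use
         <PolicyRequirementRule xsi:type="ANY"/> here: that would hand the
         same attributes to every SP whose metadata the IdP trusts. -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://login.terena.org/wayf/module.php/saml/sp/metadata.php/default-sp"/>

    <!-- Required: at least one of these two identifiers. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- Recommended: without mail the user gets no notifications from
         FileSender or the wiki; without givenName/sn they show up as
         "First_name last_name". -->
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Each attributeID must match the id of an attribute definition in attribute-resolver.xml; a rule for an attribute the resolver never produces is silently inert, which is the usual reason an SP reports missing attributes even though the filter "looks right". On a Shibboleth IdP v2 the same policy is written with the basic: namespace types (basic:AttributeRequesterString and basic:ANY). After the change, reload the filter service or restart the IdP and confirm in idp-process.log that the attributes are listed as released for this requester.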
For any matter related to TERENA's federated identity management, please contact <firstname.lastname@example.org>.