From the login point of view there are two different kinds of user account:
- Local account - A local account is created as described in the “Create a new user” section. A user can log in with a local account by following the “Log in” procedure and choosing “Log in with local account”. Each FaaS instance comes with one predefined local account with full privileges. This initial account should be used to get started and to create other accounts. A local account is also necessary for users whose Identity Provider is not part of your federation, since they cannot use their federated account.
- Federated account - If a user has a federated account and its Identity Provider is part of your local federation, the user can log in with that federated account by choosing “Federated access” as described in the “Log in” section.
You can link an already created local account with a federated account and let the user use both login options equally, but the access type of the local account must be set to “local and federated” and the username of the local account must be the same as the ePPN (eduPersonPrincipalName) of the user’s federated account.
There are 3 different user roles:
- Administrator – A user with the Administrator role has full privileges. The Federation operator should have the Administrator role.
- Member – A user with the Member role has only read privileges on the Federation, Service Provider and Identity Provider sections. An SP/IdP owner should have the Member role. In order for a Member to edit or manage their entities, the Federation operator (a user with the Administrator role) needs to grant privileges to that user.
- Guest – A user with the Guest role has read privileges on the Federation section only. This user cannot see any IdPs or SPs. Users that have logged in via federated access have the Guest role by default.
Log in
- On the application home page press the “Log in” button in the top-right corner of the screen.
- Choose between login with your local account and login via federated access.
- For local login, type your username and password and press the “Sign in” button.
- For federated access, press the “Sign in” button and you will be redirected to your Identity Provider for authentication.
Create a new user
As a Federation operator do the following:
- Navigate to the top menu “Administration/Users” and press “Add user” button.
- As username enter the eduPersonPrincipalName (ePPN) of that user (username@domain).
- Enter the user’s real email address so that the user receives the email notifications from the application.
- Choose the access type between “only local authentication”, “only federated access” and “local and federated”.
- Choose a strong password. The user can change it later.
- Enter the user’s first and last name.
- Press "Register user" button.
Edit user account
The Federation operator has full privileges and can therefore change passwords and user roles and add user notifications for all registered users. To do so, navigate to the top menu “Administration/Users” as a Federation operator and choose the user you want to edit from the list of all registered users by clicking on that user’s username.
- Change user password
  - Click on the blue pen icon.
  - Type a new password and confirm your choice.
  - Press the “Update” button.
- Change user roles
  - Click on the blue pen icon.
  - Choose between the “Guest”, “Member” and “Administrator” roles by checking the appropriate check-box.
  - Press the “Update” button.
- Add user notification
  - Click on “My notification” in the “Notification” column and then press the “Add” button to add a new notification.
  - Choose the notification trigger from the “When to notify me” drop-down list.
  - Press the “Add” button.
As an IdP/SP owner or a user with the Guest role you can edit your own account (change your password, email, first name and last name), but you cannot change your roles or access type. To change your password, navigate to the “My Profile” menu and follow the “Change user password” procedure. To add an email notification to your account, navigate to “My notifications” and follow the “Add user notification” procedure from step 2.
Delete user account
Only the Federation operator can delete a user from the system, so in order to delete a user do the following as a Federation operator:
- Navigate to the top menu “Administration/Users”.
- Click on the trash can icon in the “Action” column for the user you want to delete.
- To confirm your choice, type the username of the user you want to delete and press the “Remove user” button.
Note: You cannot remove a user account with the Administrator role, so in order to remove such a user you need to change its role first.
Identity Provider/Service Provider
Identity Provider/Service Provider registration
As an Identity Provider/Service Provider owner do the following:
- Navigate to the top menu “Register/Identity Provider” or “Register/Service Provider”.
- Paste the XML metadata of the entity in the “Metadata” text box and press the “Next” button. This parses the metadata and populates some of the fields.
- Revise the already existing data. The minimal data that the registry application requires for any Identity Provider/Service Provider consists of:
  - URL to information about the organization, for at least one language.
  - Display name of the organization, for at least one language.
  - Name of the organization, for at least one language.
  - EntityID of the Identity Provider/Service Provider.
  - For an Identity Provider, at least one IDPSSODescriptor/SingleSignOnService URL and/or AttributeAuthorityDescriptor/AttributeService URL; for a Service Provider, an AssertionConsumerService URL.
  - Identity Provider/Service Provider certificate.
  Additional data can be added at this point or later by editing the registered entity. In order to be able to edit a registered entity, the Federation operator needs to grant the owner of the entity the privileges to edit and manage it, as described in the “User rights management” section.
- Press the “Register” button.
Note: The request for the registration of the new entity will be sent for approval. Only the Federation operator can approve it.
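The registration step above lists the minimal data the registry expects to find in pasted metadata. The following is an added example of that check, not code from the registry application: it parses an EntityDescriptor and reports which of the listed items are missing. The two metadata documents embedded in it are constructed sample input (the entityIDs, URLs and the certificate placeholder are not real), and the check only tests for presence, not for the validity of URLs or certificates.

```python
"""Minimal-data check for pasted SAML metadata, mirroring the list of required
fields above. Added example, not the registry application's own code; the
two EntityDescriptors below are constructed sample input."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def _languages(root, path):
    """Set of xml:lang values found on the localized elements matched by path."""
    return {e.get(XML_LANG) for e in root.findall(path, NS) if e.get(XML_LANG)}


def check_minimal_metadata(xml_text):
    """Return a list of missing items; an empty list means the minimal data is present."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    # Organization URL, display name and name, each in at least one language
    for element, label in (("OrganizationURL", "URL to information about the organization"),
                           ("OrganizationDisplayName", "display name of the organization"),
                           ("OrganizationName", "name of the organization")):
        if not _languages(root, "md:Organization/md:%s" % element):
            problems.append("missing %s (at least one language)" % label)
    idp = root.find("md:IDPSSODescriptor", NS)
    aa = root.find("md:AttributeAuthorityDescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is None and aa is None and sp is None:
        problems.append("no IDPSSODescriptor, AttributeAuthorityDescriptor or SPSSODescriptor")
    # An IdP needs a SingleSignOnService and/or an AttributeService endpoint
    if idp is not None or aa is not None:
        has_sso = idp is not None and idp.find("md:SingleSignOnService", NS) is not None
        has_attr = aa is not None and aa.find("md:AttributeService", NS) is not None
        if not (has_sso or has_attr):
            problems.append("Identity Provider has neither a SingleSignOnService nor an AttributeService URL")
    # An SP needs an AssertionConsumerService endpoint
    if sp is not None and sp.find("md:AssertionConsumerService", NS) is None:
        problems.append("Service Provider has no AssertionConsumerService URL")
    # At least one non-empty X509Certificate inside a KeyDescriptor of any role
    certs = root.findall(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no certificate in any KeyDescriptor")
    return problems


# Constructed sample: a complete IdP descriptor (certificate text is a placeholder)
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example University</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>"""

# Constructed sample: an SP descriptor missing the organization URL and the ACS endpoint
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Service</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Service</md:OrganizationDisplayName>
  </md:Organization>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("IdP:", check_minimal_metadata(IDP_METADATA) or "ok")
    print("SP:", check_minimal_metadata(SP_METADATA))
```

Pasted metadata is user-supplied XML, so a registry doing this for real should parse it with a parser hardened against entity expansion and external entities rather than the plain standard-library parser used here for brevity.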
Identity Provider/Service Provider management
As an Identity Provider/Service Provider owner, navigate to the top menu “Identity Provider”/“Service Provider”, click on the registered entity and go to the “Management” tab. Here you can switch between enabled/disabled and unlocked/locked status, remove the entity, set user rights and add registration policies for the entity.
Note: In order to be able to manage your Identity Provider as an Identity Provider owner, the Federation operator needs to grant privileges to the Identity Provider owner by following the steps for User rights management.
- Disable Identity Provider/Service Provider - A disabled entity is not included in the federation metadata streams.
- Lock Identity Provider/Service Provider - The entity is not editable while it is locked.
- Remove Identity Provider/Service Provider - In order to be removed, the Identity Provider/Service Provider must be disabled first. To remove your entity follow the steps described below:
  - Click on the appropriate blue arrow in the “Manage status” row.
  - Enter the entityID of the Identity Provider/Service Provider.
  - Press the “Remove provider from the system” button.
- User rights management - You can manage who can see, edit or manage your entity. In order to add or remove privileges for a particular user follow the next steps:
  - Click on the “Display access” blue arrow.
  - “deny” or “allow” any of the read/write/manage privileges for the particular user.
- Registration policy management - To add a registration policy to your entity follow the next steps:
  - Click on the “edit” button in the “Registration Policies” row.
  - Select the pre-defined registration policy.
Note: The Registration Policy will not be added to the metadata until it is approved by the Federation operator.
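The role descriptions in the “user roles” list at the start of the page, the rule that a federated login maps onto a local account only when the username equals the ePPN and the access type permits federated access, and the per-entity read/write/manage grants of the “User rights management” step above together define who may do what in the registry. The following is an added example that puts those rules into one authorization check; it is not the registry application's own code, and the users, ePPNs and entityIDs in it are constructed. The one design choice not spelled out on the page is how an explicit “deny” interacts with a role's default read access: here a deny on an entity always wins for Members and Guests, while Administrators keep full privileges regardless of grants.

```python
"""Access model of the registry as described above: three roles, the account
access types, and per-entity read/write/manage grants. Added example, not the
registry application's own code; all users, ePPNs and entityIDs are constructed."""
from dataclasses import dataclass, field

SECTIONS = ("federation", "identity_provider", "service_provider")

# Sections each role can read without an entity-specific grant.
ROLE_READ = {
    "administrator": set(SECTIONS),
    "member": set(SECTIONS),
    "guest": {"federation"},          # a Guest sees no IdPs or SPs
}

FEDERATED_ACCESS_TYPES = ("only federated access", "local and federated")


@dataclass
class User:
    username: str            # for a linked account this must equal the ePPN
    role: str                # "administrator", "member" or "guest"
    access_type: str         # "only local authentication", "only federated access", "local and federated"
    # entityID -> {"read"/"write"/"manage": True (allow) or False (deny)}
    entity_acl: dict = field(default_factory=dict)


def resolve_federated_login(eppn, users):
    """Map the ePPN asserted by the user's Identity Provider to a registry user.

    A registered account is used only if its username equals the ePPN and its
    access type permits federated access; anyone else gets the default Guest role."""
    for user in users:
        if user.username == eppn and user.access_type in FEDERATED_ACCESS_TYPES:
            return user
    return User(username=eppn, role="guest", access_type="only federated access")


def can(user, action, section, entity_id=None):
    """Decide whether user may perform action ("read", "write" or "manage").

    Administrators have full privileges. For other roles an explicit per-entity
    deny wins, an explicit allow grants the action, and otherwise only reading
    within the role's own sections is permitted (the assumed deny-wins rule)."""
    if user.role == "administrator":
        return True
    grant = user.entity_acl.get(entity_id, {})
    if action in grant:
        return bool(grant[action])
    return action == "read" and section in ROLE_READ.get(user.role, set())


# Constructed registry content
IDP = "https://idp.example.org/idp/shibboleth"
OTHER_IDP = "https://idp2.example.org/idp/shibboleth"
USERS = [
    User("alice@example.org", "administrator", "local and federated"),
    User("bob@example.org", "member", "local and federated",
         {IDP: {"read": True, "write": True, "manage": False}}),
    User("carol@example.org", "member", "only local authentication"),
]

if __name__ == "__main__":
    bob = resolve_federated_login("bob@example.org", USERS)
    print("bob may edit own IdP:", can(bob, "write", "identity_provider", IDP))
    print("bob may manage own IdP:", can(bob, "manage", "identity_provider", IDP))
    print("carol via federation ->", resolve_federated_login("carol@example.org", USERS).role)
```

Carol has a registered account whose username is a valid ePPN, but because her access type is “only local authentication” a federated login under that ePPN does not reach her account and lands in the default Guest role, which is the behaviour the account-linking rule at the top of the page describes.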
Joining the federation
Federation membership is managed in the Identity Provider/Service Provider “Membership” tab. As an entity owner, go through the following steps in order to join your entity to the federation:
- Navigate to the top menu “Identity Providers”/“Service Providers”.
- Choose the entity that you want to join to the federation.
- Click on the “Manage membership (joining)” button in the “Membership” tab.
- Pick the federation you want to join from the drop-down list and fill in the “Message” that will be presented to the Federation operator, who has to approve the membership.
- Press the “Apply” button.
Each FaaS instance comes with two already registered federations:
- Your NREN federation - Should include all entities that joined your local federation.
- eduGAIN federation - Should include all entities from your local federation that chose to be members of eduGAIN.
As a Federation operator you can view federation data by choosing one of the federations in the “Federations” top menu.
- General information - Information used only for display purposes in the registry application is presented in the “General” tab.
- Federation members - The list of federation members is presented in the “Membership” tab.
- Federation metadata - The URL of the federation SAML metadata file is presented in the “Metadata” tab.
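The sections above give three rules that decide what ends up in a federation's metadata stream: a disabled entity is excluded (“Disable Identity Provider/Service Provider”), a join request counts only once the Federation operator has approved it (“Joining the federation”), and the eduGAIN federation is drawn from the local federation's members. The following is an added example that assembles an EntitiesDescriptor from those rules; it is not the registry application's own code. The entity records are constructed, the federation names `nren` and `edugain` are placeholders, and the reading that an eduGAIN member must also hold an approved local-federation membership is an assumption taken from the description of the two predefined federations.

```python
"""Federation metadata assembly following the rules above: only enabled
entities with an approved membership appear in a federation's stream, and the
eduGAIN stream is drawn from members of the local federation. Added example,
not the registry application's own code; the entity records are constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

LOCAL_FEDERATION = "nren"        # placeholder name for your NREN federation
EDUGAIN = "edugain"              # placeholder name for the eduGAIN federation


def record(entity_id, enabled, memberships):
    """Constructed registry record; a real registry would store the full EntityDescriptor."""
    return {
        "entityID": entity_id,
        "enabled": enabled,
        "memberships": memberships,   # federation -> "pending" | "approved"
        "xml": '<md:EntityDescriptor xmlns:md="%s" entityID="%s"/>' % (MD_NS, entity_id),
    }


ENTITIES = [
    record("https://idp.example.org/idp/shibboleth", True,
           {LOCAL_FEDERATION: "approved", EDUGAIN: "approved"}),
    record("https://sp.example.org/shibboleth", True,
           {LOCAL_FEDERATION: "approved", EDUGAIN: "pending"}),       # eduGAIN join not yet approved
    record("https://old-idp.example.org/idp/shibboleth", False,
           {LOCAL_FEDERATION: "approved", EDUGAIN: "approved"}),      # disabled by its owner
    record("https://lab.example.net/sp", True,
           {EDUGAIN: "approved"}),                                    # never joined the local federation
]


def is_member(entity, federation):
    return entity["memberships"].get(federation) == "approved"


def federation_members(entities, federation):
    """Entities that belong in the metadata stream of the given federation."""
    members = []
    for entity in entities:
        if not entity["enabled"]:                  # disabled entities are left out of every stream
            continue
        if not is_member(entity, federation):      # join requests wait for operator approval
            continue
        if federation == EDUGAIN and not is_member(entity, LOCAL_FEDERATION):
            continue                               # assumed: eduGAIN members come from the local federation
        members.append(entity)
    return members


def included_entity_ids(entities, federation):
    return [e["entityID"] for e in federation_members(entities, federation)]


def build_metadata(entities, federation):
    """Return an md:EntitiesDescriptor (serialized) for the federation's stream."""
    root = ET.Element("{%s}EntitiesDescriptor" % MD_NS, {"Name": federation})
    for entity in federation_members(entities, federation):
        root.append(ET.fromstring(entity["xml"]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for fed in (LOCAL_FEDERATION, EDUGAIN):
        print(fed, "->", included_entity_ids(ENTITIES, fed))
    print(build_metadata(ENTITIES, EDUGAIN))
```

A published stream would additionally be signed by the federation and carry validity information; the example stops at deciding which entities belong in each stream, which is the part the management and membership steps above control.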