In the eduGAIN architecture, a central component called the Metadata Distribution Service (MDS) aggregates the SAML metadata files from the participating federations. It then publishes the aggregated metadata for consumption by each participating federation. Each federation is in turn responsible for publishing its own version of the eduGAIN metadata file, signed with a certificate of its own.

Therefore, as a Service Provider administrator, you should obtain the following information from your national federation:

  • the URL of the eduGAIN metadata file,
  • the X.509 certificate used to check the eduGAIN metadata integrity.

Local federation metadata

If your Service Provider is also registered in the national federation, make sure your Service Provider software is configured to download both the federation metadata file and the eduGAIN metadata file. Since some Identity Providers may be included in both files, the order in which you configure the metadata downloads can matter. As in the sample configuration below, we suggest configuring the federation metadata download first.

Note that the federation metadata file and the eduGAIN metadata file may be signed with the same X.509 certificate. If they are not, your Service Provider software must be configured to validate each metadata file with its own certificate.

Sample configurations

The configuration of your SP will differ if you use different software, if you are registered in a different federation, or if your federation operator uses a different kind of certificate. Refer to the eduGAIN deployment documentation provided by your national federation operator.

Here we provide an example for a Shibboleth 2.x SP.

1 - download the X.509 certificate used to validate metadata integrity

cd /etc/shibboleth/
wget https://federation.renater.fr/edugain/metadata-federation-renater.crt

2 - check the certificate fingerprint against the value published by your federation operator

openssl x509 -fingerprint -sha1 -in metadata-federation-renater.crt -noout
SHA1 Fingerprint=CD:14:DE:02:64:31:53:B6:3B:4E:EB:48:42:E0:66:EC:69:33:68:98

3 - configure eduGAIN metadata loading after the section for the federation metadata. Note that the idps-edugain-metadata.xml file from RENATER includes only the Identity Providers from eduGAIN.

<!-- RENATER federation metadata -->
<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-metadata.xml"
                  backingFilePath="renater-metadata.xml" reloadInterval="1800">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>

<!-- eduGAIN metadata -->
<MetadataProvider type="XML" uri="https://federation.renater.fr/edugain/idps-edugain-metadata.xml"
                  backingFilePath="idps-edugain-metadata.xml" reloadInterval="1800">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>
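The following script is an added example, not part of this page or of the Shibboleth SP code base. It models two checks the configuration above relies on: the RequireValidUntil filter with maxValidityInterval="2419200" (metadata without a validUntil, already expired, or valid for longer than 28 days is rejected), and first-listed-provider precedence when an Identity Provider appears in both the federation and the eduGAIN file (the default Shibboleth SP chaining behaviour, assumed here). The entityIDs, validUntil dates and fixed clock are constructed test data; XML signature verification is left out because it needs xmlsec.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_VALIDITY = 2419200  # seconds (28 days), the maxValidityInterval used above


def check_valid_until(metadata_xml, now, max_interval=MAX_VALIDITY):
    """Mirror the RequireValidUntil filter: return 'ok' or a rejection reason."""
    root = ET.fromstring(metadata_xml)
    value = root.get("validUntil")
    if value is None:
        return "rejected: no validUntil attribute"  # the filter requires one
    valid_until = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if valid_until <= now:
        return "rejected: metadata expired"
    if valid_until - now > timedelta(seconds=max_interval):
        # A very long validity window would let a stale signed file be replayed.
        return "rejected: validUntil exceeds maxValidityInterval"
    return "ok"


def resolve_entities(sources):
    """sources: ordered (name, xml) pairs as in the config; first provider wins."""
    owner = {}
    for name, xml in sources:
        for ed in ET.fromstring(xml).iter(f"{{{MD_NS}}}EntityDescriptor"):
            owner.setdefault(ed.get("entityID"), name)
    return owner


def make_metadata(valid_until, entity_ids):
    """Build a minimal constructed EntitiesDescriptor (test data, not real metadata)."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    body = "".join(f'<EntityDescriptor entityID="{e}"/>' for e in entity_ids)
    return f'<EntitiesDescriptor xmlns="{MD_NS}"{attr}>{body}</EntitiesDescriptor>'


# Fixed clock and hypothetical entityIDs so the run is reproducible offline.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
FEDERATION = make_metadata("2024-03-15T00:00:00Z",
                           ["https://idp.univ.example/idp", "https://idp.local.example/idp"])
EDUGAIN = make_metadata("2024-03-20T00:00:00Z",
                        ["https://idp.univ.example/idp", "https://idp.abroad.example/idp"])

if __name__ == "__main__":
    print(check_valid_until(FEDERATION, NOW))  # ok
    print(check_valid_until(make_metadata("2024-06-01T00:00:00Z", []), NOW))
    print(resolve_entities([("federation", FEDERATION), ("edugain", EDUGAIN)]))
```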