...

  1. Follow the instructions provided by the pyFF Documentation to install the pyFF software.
  2. Create the needed directories:
    cd /opt/pyff ; mkdir output ; mkdir certs ; mkdir scripts
  3. Create the certificate and the key needed to sign the output metadata. The private key is what makes your interfederation feed trustworthy to its consumers, so keep it readable only by the user that runs pyFF:
    - Generate Metadata Signer Key: openssl genrsa -out /opt/pyff/certs/sign.key 2048
    - Restrict access to the key: chmod 600 /opt/pyff/certs/sign.key
    - Generate Metadata Signer Certificate: openssl req -key /opt/pyff/certs/sign.key -new -x509 -days 3650 -out /opt/pyff/certs/sign.crt
  4. Download the eduGAIN Signer certificate (see https://technical.edugain.org/metadata):
    wget https://technical.edugain.org/mds-v2.cer -O /opt/pyff/certs/eduGAIN-signer-ca.pem
  5. Check the fingerprint of the downloaded eduGAIN signer certificate before using it; the download itself proves nothing, only this comparison does (note the -sha256 option, since openssl prints a SHA1 fingerprint by default):
    openssl x509 -noout -sha256 -fingerprint -in /opt/pyff/certs/eduGAIN-signer-ca.pem
    The SHA256 Fingerprint should be
    BD:21:40:48:9A:9B:D7:40:44:DD:68:05:34:F7:78:88:A9:C1:3B:0A:C1:7C:4F:3A:03:6E:0F:EC:6D:89:99:95
    If it differs, do not continue: a pipeline that verifies the eduGAIN feed against the wrong certificate either fails to load or, worse, trusts metadata that eduGAIN did not sign.
  6. Create the interfederation configuration file (/opt/pyff/interfederation.fd) by adapting this content to your needs:

...

### Load eduGAIN Metadata ###
- load:
   # Load the eduGAIN feed; the certificate given after the alias is used to verify the feed signature
   - https://mds.edugain.org/edugain-v2.xml as edugain-md certs/eduGAIN-signer-ca.pem
   # If your federation feed has entities that are not published on eduGAIN,
   # load your federation feed as well (uncomment the line below)
   #- ###YOUR-FEDERATION-FEED-URL### as myfederation-md ###PATH-TO-YOUR-FEDERATION-SIGNING-CERT###

### Replace the value of '###YOUR-REG-AUTH###' with your registrationAuthority to exclude the entities of your own federation. ###
### Entities that carry no registrationAuthority at all are dropped by this select as well. ###
- select:
   - "edugain-md!//md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority and not(md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority='###YOUR-REG-AUTH###')]"
   # If your federation feed has entities that are not published on eduGAIN,
   # uncomment the line below to add them to the selection
   #- myfederation-md

### Produce the Interfederation Metadata (all IdPs and SPs selected above) ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream (use a distinct value for each published stream) ###
- fork:
   # no select here: the fork works on a copy of the entities selected above
   - xslt:
      stylesheet: tidy.xsl
   - finalize:
      Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
      ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
      cacheDuration: PT5H
      validUntil: P5D
   - sign:
      key: certs/sign.key
      cert: certs/sign.crt
   - publish:
      - output/my-interfederation-metadata.xml

# The rest of the pipeline can be removed if you do not plan to publish interfederation feeds that contain
# only SPs (for consumption by IdPs) and only IdPs (for consumption by SPs).
# Feeds dedicated to IdPs and to SPs are a good way to avoid the large-feed problem, which e.g. requires
# increasing memory_limit for PHP when SimpleSAMLphp is used.
### Fork to produce the Interfederation Identity Providers Metadata ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
   - select:
      # This select names the loaded eduGAIN feed as its source, so the registrationAuthority
      # exclusion is repeated here rather than relying on the selection made above
      - "edugain-md!//md:EntityDescriptor[md:IDPSSODescriptor and md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority and not(md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority='###YOUR-REG-AUTH###')]"
      # uncomment the line below to add the IdPs of your federation feed that are not published on eduGAIN
      #- "myfederation-md!//md:EntityDescriptor[md:IDPSSODescriptor]"
   - xslt:
      stylesheet: tidy.xsl
   - finalize:
      Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
      ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
      cacheDuration: PT5H
      validUntil: P5D
   - sign:
      key: certs/sign.key
      cert: certs/sign.crt
   - publish:
      - output/my-interfederation-idp-metadata.xml

### Fork to produce the Interfederation Service Providers Metadata ###
### Replace the value of '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
   - select:
      # same source and same exclusion as in the IdP fork, restricted to SPs
      - "edugain-md!//md:EntityDescriptor[md:SPSSODescriptor and md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority and not(md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority='###YOUR-REG-AUTH###')]"
      # uncomment the line below to add the SPs of your federation feed that are not published on eduGAIN
      #- "myfederation-md!//md:EntityDescriptor[md:SPSSODescriptor]"
   - xslt:
      stylesheet: tidy.xsl
   - finalize:
      Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
      ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
      cacheDuration: PT5H
      validUntil: P5D
   - sign:
      key: certs/sign.key
      cert: certs/sign.crt
   - publish:
      - output/my-interfederation-sp-metadata.xml
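The two checks this procedure depends on, as an added example that is not code from the original page nor from pyFF: the step-5 fingerprint comparison of the downloaded signer certificate, and an inspection of a file written by one of the publish steps (is it a signed EntitiesDescriptor, is validUntil still in the future, how many IdPs and SPs does it carry, and did any entity of your own registrationAuthority survive the exclusion in the select). It uses only the Python standard library; the sample metadata document, the example registrationAuthority values and the command-line usage are constructed for this example and are not part of the page.

```python
"""Added example: checks around the pyFF interfederation setup above."""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Fingerprint published for the eduGAIN signer certificate (step 5 above).
EXPECTED_EDUGAIN_FP = ("BD:21:40:48:9A:9B:D7:40:44:DD:68:05:34:F7:78:88:"
                       "A9:C1:3B:0A:C1:7C:4F:3A:03:6E:0F:EC:6D:89:99:95")


def der_sha256_fingerprint(der: bytes) -> str:
    """SHA256 over the DER bytes, formatted like 'openssl x509 -sha256 -fingerprint'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_sha256_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first PEM certificate in pem_text (the file downloaded in step 4)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate found")
    return der_sha256_fingerprint(base64.b64decode("".join(m.group(1).split())))


def signer_cert_matches(pem_text: str, expected_fp: str = EXPECTED_EDUGAIN_FP) -> bool:
    """Step 5 as a function: trust the downloaded signer certificate only on an exact match."""
    return pem_sha256_fingerprint(pem_text) == expected_fp.upper()


def check_output(xml_text: str, own_reg_auth: str, now=None) -> dict:
    """Report on a published feed: signature element present, validUntil in the future,
    IdP/SP counts, and entities of your own registrationAuthority that should not be there."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"problems": [], "idps": 0, "sps": 0, "own": [], "signed": False}
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        report["problems"].append("root element is not md:EntitiesDescriptor")
        return report
    report["signed"] = root.find("ds:Signature", NS) is not None
    if not report["signed"]:
        report["problems"].append("no ds:Signature on the EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        report["problems"].append("validUntil is missing")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        report["problems"].append("validUntil %s is in the past" % valid_until)
    for ed in root.iterfind(".//md:EntityDescriptor", NS):
        entity_id = ed.get("entityID")
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            report["idps"] += 1
        if ed.find("md:SPSSODescriptor", NS) is not None:
            report["sps"] += 1
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else None
        if authority is None:
            report["problems"].append("%s has no registrationAuthority" % entity_id)
        elif authority == own_reg_auth:
            report["own"].append(entity_id)
    if report["own"]:
        report["problems"].append("own-federation entities present: " + ", ".join(report["own"]))
    return report


# Constructed sample: an unsigned feed in which one entity of the aggregator's own
# federation (registrationAuthority https://my-federation.example) slipped through.
SAMPLE_OUTPUT = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" Name="urn:mace:example:interfederation"
    ID="_example" cacheDuration="PT5H" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://other.example"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.other.example/sp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://other.example"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.my-federation.example/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://my-federation.example"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    # Hypothetical usage: python check_interfed.py <signer.pem> <published.xml> <your-registrationAuthority>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            print("signer certificate matches:", signer_cert_matches(f.read()))
        with open(sys.argv[2]) as f:
            print(check_output(f.read(), sys.argv[3]))
    else:
        print(check_output(SAMPLE_OUTPUT, "https://my-federation.example"))
```

Run against the real files after the pipeline has been executed once; an empty "problems" list and the expected IdP/SP counts are what you want to see before pointing any consumer at output/. The script checks that a ds:Signature element is present, not that the signature is valid; validating the signature against certs/sign.crt is a job for an XML-DSig implementation (pyFF itself, or xmlsec1) rather than for this standard-library check.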


Create run script

...