Once you have read this page and followed the instructions, you will have deployed a SAML 2.0 compliant Service Provider and published it in eduGAIN. This means that a few million higher education users (students, university staff and faculty, researchers) will be able to access your services with their home institution's account, subject to the access control rules you have defined.
Before attempting to follow the steps below, which explain how to deploy and register a SAML Service Provider with eduGAIN from scratch, it is recommended to first get familiar with some key concepts of federated identity management, the basis of eduGAIN and all SAML identity federations. A comprehensive overview of material that you might want to have a look at is available at the AARC Federations 101 page.
If you want to see and try federated login in action, have a look at SWITCH’s AAI Demo.
Before you Begin
General eduGAIN information
- Enables trustworthy exchange of identity information between federations without many bilateral agreements
- Reduces the costs of developing and operating services
- Improves the security and end-user experience of services
- Enables service providers to greatly expand their user base
- Enables identity providers to increase the number of services available to their users
Publication in eduGAIN, through an eduGAIN member federation, allows a Service Provider to reach a large audience of higher education users (students, researchers and staff of higher education institutions worldwide) without the technical and administrative inconvenience of maintaining and protecting repositories of user credentials. This is because authentication is always handled directly at and by the user’s home Identity Provider, while the Service Provider only has to deal with user authorization. In Identity and Access Management, authentication is the process of confirming a user’s identity, usually by verifying knowledge of a set of credentials (username, password). Authorization is the process of determining the access rights an authenticated user is eligible for. In eduGAIN terms, this means that a user accesses the Service Provider with an assertion of their identity, and the Service Provider trusts that assertion because it comes from a trusted party, the user’s home Identity Provider; but it is always the Service Provider that decides which parts of the service this authenticated user may access.
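To make the authentication/authorization split concrete, here is an added example (not code from this page or from any federation's software) of the authorization step a Service Provider application performs after the SP software has already validated the IdP's assertion. It assumes the attribute IDs of the default Shibboleth SP attribute map (eppn, affiliation, entitlement) and the Shibboleth SP convention of joining multi-valued attributes with ';'; the policy values and user attributes are constructed.

```python
"""Authorization over attributes asserted by the user's home IdP (constructed example).

Assumes the default Shibboleth SP attribute-map IDs: 'eppn', 'affiliation'
(eduPersonScopedAffiliation, e.g. staff@example.edu) and 'entitlement', with
multi-valued attributes joined by ';' as the Shibboleth SP hands them to the app.
Validating the SAML assertion itself is the SP software's job; this is only the
access decision the service makes afterwards.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    # Affiliations (scope stripped) that grant access.
    affiliations: frozenset = frozenset({"faculty", "staff", "student", "member"})
    # Home-organisation scopes accepted; empty means any scope asserted by an eduGAIN IdP.
    scopes: frozenset = frozenset()
    # An entitlement URI that grants access regardless of affiliation (constructed value).
    entitlement: Optional[str] = None


def split_multi(value):
    """Split a ';'-joined multi-valued attribute; missing or empty means no values."""
    return [v for v in (value or "").split(";") if v]


def decide_access(attrs, policy):
    """Return (allowed, reason). Fails closed: missing or malformed attributes deny."""
    # Authentication happened at the IdP; an eppn shows an identity was asserted at all.
    if not attrs.get("eppn"):
        return False, "no eppn asserted"
    # Entitlements are compared as whole strings, never by prefix or substring.
    if policy.entitlement and policy.entitlement in split_multi(attrs.get("entitlement")):
        return True, "entitlement"
    for scoped in split_multi(attrs.get("affiliation")):
        if "@" not in scoped:
            continue  # not a scoped value; ignore rather than guess the home organisation
        affiliation, scope = scoped.rsplit("@", 1)
        scope = scope.lower()
        if affiliation in policy.affiliations and (not policy.scopes or scope in policy.scopes):
            return True, f"affiliation {affiliation}@{scope}"
    return False, "no matching affiliation or entitlement"


if __name__ == "__main__":
    # Constructed attributes as an SP would expose them to the application.
    user = {"eppn": "jdoe@example.edu", "affiliation": "student@example.edu;member@example.edu"}
    print(decide_access(user, Policy(scopes=frozenset({"example.edu"}))))
```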
Enabling a service for eduGAIN login is accomplished by joining an existing eduGAIN member federation and registering a Service Provider with this federation. The member federation then, following its own procedures, exposes the Service Provider to the rest of the eduGAIN federations and their entities.
Which (eduGAIN) federation to join
Joining eduGAIN means joining an eduGAIN member federation. But which one to join? There is no strict rule, but a reasonable option is to contact the national federation of the country where the Service Provider’s organisation is located or where the service is geographically operated (i.e. where its operators are located). This offers multiple benefits, such as ease of collaboration and access to documentation in a shared native language, shared groups of interested prospective users, etc.
In both cases, the metadata only contains technical information. You should enrich it with the non-technical information (e.g. technical contact, name, description), following this example.
Find below a few useful links for successfully operating and using a Service Provider.
Operation best practices
This section consists of a list of guides compiled by federations participating in eduGAIN that would prove useful in operating your Service Provider.
- Shibboleth SP Access Control Rules:
Examples of how to create access control rules with Apache and Shibboleth
- Best Current Practices for operating a Service Provider:
This was written specifically for the SWITCHaai federation but most recommendations are generic
This section consists of a list of guides compiled by federations participating in eduGAIN that would assist with the maintenance of your Service Provider after it is put in production.
- Shibboleth SP Certificate Rollover Guide:
Explains how to renew a SAML certificate for an SP without service interruptions due to a metadata propagation delay