...

If this page does not answer your questions or you need more information about this service, please contact us at support@edugain.org.

Check Performed on the IdPs

The check executed by the service follows these steps:

  1. It retrieves the eduGAIN IdPs from the eduGAIN Operator Team database via a JSON interface.
  2. For each IdP that was not manually disabled by the eduGAIN Operations Team, the check creates a SAML Authentication Request message to send to the location of the first "SingleSignOnService" URL with binding "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the SAML metadata for that IdP.
    The SPs used for the check are "Test SP shib 2.4" (https://sp24-test.garr.it/shibboleth) from IDEM GARR AAI and the "AAI Viewer Interfederation Test" (https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth) from SWITCHaai. These SPs might change in the future if needed.
    The SAML authentication request is not signed. Therefore, an authentication request can be created on behalf of any eduGAIN SP, because the SP's private key is not needed.
  3. The SAML Authentication Request is sent and the IdP login page is retrieved by the check. It expects to find an HTML form with a username field and a password field. No complete login happens at the Identity Provider, because the check stops at the login page.
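The three steps above, as an added example that is not the ECCS service's own code: it builds the unsigned AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), fetches the SSO URL and maps what comes back onto the result names used on this page (OK, FORM-Invalid, HTTP-Error, TCP/IP-Error). The SP entityID is the GARR test SP named above; the assertion consumer URL, the IdP SSO URL and the sample login page are constructed placeholders.

```python
import base64, re, uuid, zlib
import urllib.error, urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal unsigned SAML 2.0 AuthnRequest: no SP private key is involved."""
    request_id = request_id or "_" + uuid.uuid4().hex  # an xs:ID may not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
            f'ID="{request_id}" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
            f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
def decode_redirect(param):
    return zlib.decompress(base64.b64decode(param), -15).decode()
def redirect_url(idp_sso_url, xml):
    sep = "&" if "?" in idp_sso_url else "?"  # keep any query string already in the SSO URL
    return idp_sso_url + sep + urlencode({"SAMLRequest": encode_redirect(xml)})

FORM_RE = re.compile(r"<form\b.*?</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
TYPE_RE = re.compile(r"""\btype\s*=\s*["']?(\w+)""", re.I)
SAMPLE_LOGIN_HTML = ('<html><form method="post" action="/login"><input name="j_username">'  # constructed
                     '<input type="password" name="j_password"></form></html>')
def classify_login_page(html):
    """'OK' if some form has a text/email field plus a password field, else 'FORM-Invalid'."""
    for form in FORM_RE.findall(html):
        kinds = set()
        for tag in INPUT_RE.findall(form):
            m = TYPE_RE.search(tag)
            kinds.add(m.group(1).lower() if m else "text")  # <input> without type is a text field
        if "password" in kinds and kinds & {"text", "email"}:
            return "OK"
    return "FORM-Invalid"

def check_idp(idp_sso_url, sp_entity_id, acs_url, timeout=15):
    # Send the request over the network and map the outcome onto the ECCS result names
    url = redirect_url(idp_sso_url, build_authn_request(sp_entity_id, acs_url, idp_sso_url))
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_login_page(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return "HTTP-Error"
    except (urllib.error.URLError, OSError):
        return "TCP/IP-Error"
```

Only check_idp touches the network; the encoding and form classification can be exercised offline against the constructed sample.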

Limitations

There are some situations where the check cannot work reliably. In those cases it is possible to disable the check for a particular IdP. The cases known so far where the check might generate a false negative are:

  • IdP does not support HTTP or HTTPS with at least SSLv3 or TLS1 or newer (these IdPs are insecure anyway)
  • IdP is part of a Hub & Spoke federation (some of them have to manually approve eduGAIN SPs first)
  • IdP does not use a web-based login form (e.g. HTTP Basic Authentication or X.509 login)

Disable Checks

In cases where an IdP cannot be reliably checked, it might be necessary to disable the checks for an IdP.

On-line interface

The eduGAIN Connectivity Check web interface is available at: https://technical.edugain.org/eccs/

...

The eduGAIN Connectivity Check's administrator can disable checks for entities by changing the service database. This is useful because some Identity Providers use login methods that cannot easily/reliably be checked. Therefore such IdPs should be excluded from the checks.

JSON interface

The eduGAIN Connectivity Check service also provides a JSON feed of the monitoring results at: https://technical.edugain.org/eccs/services/json_api.php

...

Parameter name (JSON) | Parameter description
f_order
  • displayName: order by DisplayName
  • entityID: order by entityID
  • registrationAuthority (only for "entities" action): order by registrationAuthority
  • ignoreEntity: order by ignoredEntity
  • lastCheck: order by last check
  • currentResult: order by last result
f_order_direction
  • ASC: ascending order
  • DESC: descending order
f_entityID
  • All: consider all entityIDs
  • A specific IdP's entityID value: consider only a specific one
f_registrationAuthority
  • All: consider all registrationAuthorities
  • A specific registrationAuthority value: consider only a specific one
f_displayName
  • All: consider all DisplayName
  • A specific IdP's DisplayName value: consider only a specific one
f_ignore_entity
  • True: for the entities that are ignored (by the service owner).
  • False: for the entities that are considered (by the service owner).
f_check_result (only for the "checks" action)
  • All: consider all IdPs
  • OK: consider only IdPs that have received "OK" from the check script
  • FORM-Invalid: consider only IdPs that have received "FORM-Invalid" from the check script
  • HTTP-Error: consider only IdPs that have received "HTTP-Error" from the check script
  • TCP/IP-Error: consider only IdPs that have received "TCP/IP-Error" from the check script
  • No-eduGAIN-Metadata: consider only IdPs that do not correctly consume the eduGAIN metadata stream
f_current_result (only for the "entities" action)
  • All: consider all IdPs
  • OK: consider only IdPs that have received "OK" from the check script
  • FORM-Invalid: consider only IdPs that have received "FORM-Invalid" from the check script
  • HTTP-Error: consider only IdPs that have received "HTTP-Error" from the check script
  • TCP/IP-Error: consider only IdPs that have received "TCP/IP-Error" from the check script
  • No-eduGAIN-Metadata: consider only IdPs that do not correctly consume the eduGAIN metadata stream
rpp
  • All: show all entities
  • 20: show 20 entities per page (default value: 30)

...