
The Service Provider is a production SAML deployment that supports the SAML V2.0 HTTP-POST binding.

Please note that a list of all connected services will be made publicly available. This means that your service cannot be "hidden" in any way.

As a result, services are required to have a valid TLS configuration (including their SAML endpoints) using certificates from a trusted CA:

  • For production services that are operated by GEANT this must be a TCS certificate (Digicert at the moment).
  • For non-production services and services operated by 3rd parties, this can be any trusted CA, including LetsEncrypt.

Required information

Please send the following information to aai-is@lists.geanthelp@geant.org. For each item, the description, an example and the internal field it is stored in / mapped to are given.

Technical contact
  • Description: the contact for authentication issues, security issues and privacy issues. Can be a list.
  • Example: support@it.geant.org
  • Stored in/mapped to (internally): contacts['technical']

Support contact
  • Description: "generic" support questions for the actual service (how does it work, etc). Usually the application administrators or the teams that run it. Can be a list.
  • Example: support@it.geant.org
  • Stored in/mapped to (internally): contacts['support']

entityID
  • Description: the SAML entityID must be HTTPS-schema based. See https://github.com/REFEDS/MRPS/blob/v1/mrps.md#52-entityid-format and https://spaces.at.internet2.edu/display/InCFederation/Entity+IDs (which has recently moved to https://spaces.at.internet2.edu/display/federation/Entity+ID).

Service name
  • Description: a very short name to be shown in user interfaces, for instance "GÉANT Intranet".
  • Example: GÉANT Wiki
  • Stored in/mapped to (internally): name

Service description
  • Description: longer descriptive text, with at least: the purpose of the service; its intended audience; its status (production, testing, etc); the date it went into production; the software it runs. Can contain URLs.
  • Example: Atlassian Confluence wiki, production instance.
  • Stored in/mapped to (internally): description

Service URL
  • Description: the actual URL to the main service, for instance https://intranet.geant.org
  • Stored in/mapped to (internally): url

Metadata
  • Description: valid SAML 2.0 metadata, as a URL to the XML metadata (preferred) or an XML metadata file. The file/URL should contain at least:
    • "contacts": one technical contact (for dealing with authentication/security/privacy issues) and one support contact (for generic application support questions)
    • an X.509 certificate for signing requests
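Before sending metadata, it is worth checking it against the requirements listed above (HTTPS entityID, HTTPS endpoints, an HTTP-POST AssertionConsumerService, a signing certificate, and both contact types). The following is an added example checker written for this page; it is not the proxy's own validation code. The sample metadata, its entityID, endpoints and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces and URNs used in SAML 2.0 metadata.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata for a hypothetical service; entityID,
# endpoints and the certificate value are placeholders, not a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-sp.geant.org/saml2/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sp.geant.org/saml2/acs"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:support@it.geant.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:EmailAddress>mailto:support@it.geant.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def _is_https(url: str) -> bool:
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_sp_metadata(xml_text: str) -> list:
    """Return a list of problems found; an empty list means the metadata passes.

    xml.etree does not fetch external entities, but for metadata from an
    untrusted source prefer defusedxml's drop-in replacement parser.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    entity_id = root.get("entityID", "")
    if not _is_https(entity_id):
        problems.append("entityID must be an https URL, got %r" % entity_id)

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no md:SPSSODescriptor element (not SP metadata?)")
    else:
        if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
            problems.append("SPSSODescriptor does not list SAML 2.0 protocol support")
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        signing_certs = [
            k for k in sp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")
            and (k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS) or "").strip()
        ]
        if not signing_certs:
            problems.append("no signing X.509 certificate in any md:KeyDescriptor")
        acs = sp.findall("md:AssertionConsumerService", NS)
        if not any(a.get("Binding") == HTTP_POST for a in acs):
            problems.append("no AssertionConsumerService with the HTTP-POST binding")
        # Every SAML endpoint must sit behind TLS, not only the entityID.
        for endpoint in acs + sp.findall("md:SingleLogoutService", NS):
            location = endpoint.get("Location", "")
            if not _is_https(location):
                problems.append("endpoint %r is not https" % location)

    contacts = {}
    for person in root.findall("md:ContactPerson", NS):
        email = (person.findtext("md:EmailAddress", "", NS) or "").strip()
        if email:
            contacts.setdefault(person.get("contactType"), []).append(email)
    for needed in ("technical", "support"):
        if not contacts.get(needed):
            problems.append("no ContactPerson with contactType=%r and an EmailAddress" % needed)
    return problems


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_METADATA) or ["metadata passes all checks"]:
        print(line)
```

Run it against your own metadata file by reading it into `check_sp_metadata`; the checks are deliberately syntactic (schema, bindings, contacts) and say nothing about whether the certificate is still valid or whether the endpoints actually answer over TLS.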

Supplied information

The SAML proxy will always provide the following attributes to its downstream services:

uid
  • Example value: federated-user-1234
  • Remarks: unique user ID, always available.

mail
  • Example value: user@domain
  • Remarks: defaults to the string 'invalid_email_needs_updating' if none was provided by the upstream IdP.

displayName
  • Example value: Robert Wagner
  • Remarks: defaults to the string 'first_name last_name' or similar if the parts aren't provided by the upstream IdP.

isMemberOf
  • Example values:
    • GN_Services:GN Project Participants
    • GN4Phase3:WPs:WP9
    • GN4Phase1:SAs:GN4-1_SA3-T4
  • Remarks: multivalued attribute listing the CAMS group memberships.
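The placeholder values above matter on the SP side: a service that stores 'invalid_email_needs_updating' as a mail address, or does a substring match on isMemberOf, will misbehave. The following added example (not the proxy's code) maps the attributes onto a local user, treats the placeholders as "absent", and matches CAMS groups on whole ':'-separated path components. The attribute dictionary is a constructed sample, and the displayName placeholder literal is an assumption, since the page only says "'first_name last_name' or similar".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Placeholder the proxy sends when the upstream IdP released no mail attribute.
MAIL_PLACEHOLDER = "invalid_email_needs_updating"
# Assumed literal for the displayName fallback; the page says "or similar",
# so treat this as a heuristic rather than a guarantee.
DISPLAY_NAME_PLACEHOLDER = "first_name last_name"

# Constructed sample: one assertion's attribute statement as a SAML library
# typically hands it over (attribute name -> list of values).
SAMPLE_ATTRIBUTES = {
    "uid": ["federated-user-1234"],
    "mail": [MAIL_PLACEHOLDER],
    "displayName": ["Robert Wagner"],
    "isMemberOf": [
        "GN_Services:GN Project Participants",
        "GN4Phase3:WPs:WP9",
        "GN4Phase1:SAs:GN4-1_SA3-T4",
    ],
}


@dataclass
class ProxyUser:
    uid: str
    mail: Optional[str]
    display_name: Optional[str]
    groups: Tuple[str, ...]
    warnings: List[str] = field(default_factory=list)


def _single(attrs: Dict[str, List[str]], name: str) -> Optional[str]:
    values = attrs.get(name, [])
    if len(values) > 1:
        raise ValueError("%s is expected to be single-valued, got %r" % (name, values))
    return values[0] if values else None


def user_from_attributes(attrs: Dict[str, List[str]]) -> ProxyUser:
    """Map the proxy's attributes onto a local user without trusting placeholders as data."""
    uid = _single(attrs, "uid")
    if not uid:
        # uid is the only attribute the proxy guarantees; without it there is no identity.
        raise ValueError("assertion carries no uid; refusing to create a session")
    warnings = []
    mail = _single(attrs, "mail")
    if mail is None or mail == MAIL_PLACEHOLDER or "@" not in mail:
        warnings.append("no usable mail attribute; ask the user for an address")
        mail = None
    display_name = _single(attrs, "displayName")
    if not display_name or display_name == DISPLAY_NAME_PLACEHOLDER:
        warnings.append("displayName missing or placeholder; show the uid instead")
        display_name = None
    # isMemberOf is multivalued: keep the order, drop duplicates.
    groups = tuple(dict.fromkeys(attrs.get("isMemberOf", [])))
    return ProxyUser(uid, mail, display_name, groups, warnings)


def has_group(user: ProxyUser, group: str) -> bool:
    """Exact match on the full CAMS group path, never a substring test."""
    return group in user.groups


def groups_under(user: ProxyUser, prefix: str) -> List[str]:
    """Groups below a path prefix, compared per component so 'GN4' does not match 'GN4Phase3'."""
    wanted = prefix.split(":")
    return [g for g in user.groups if g.split(":")[: len(wanted)] == wanted]


if __name__ == "__main__":
    user = user_from_attributes(SAMPLE_ATTRIBUTES)
    print(user)
    print("WP9 member:", has_group(user, "GN4Phase3:WPs:WP9"))
```

Authorisation decisions in the service should go through `has_group` or `groups_under`, so that a group such as "GN4Phase3:WPs:WP9" cannot be satisfied by a differently named group that merely contains the same substring.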



Our endpoint

EntityID
  • https://login.terena.org/wayf/saml2/idp/metadata.php

Metadata URL
  • https://login.terena.org/wayf/saml2/idp/metadata.php

Metadata webpage, if your SP runs SimpleSAMLphp
  • https://login.terena.org/wayf/saml2/idp/metadata.php?output=xhtml


Service monitoring

At some stage, monitoring will be set up to help ensure that each service conforms to the basic requirements. The monitored items are expected to include: