
...

Or, depending on which model your federation follows, into your national IdP's metadata. The following metadata needs to be imported:

2. Provide your own federation metadata or metadata set to portal operations

...

  1. eduPersonPrincipalName. The eduPersonPrincipalName (ePPN) must contain a globally unique, persistent tag. Typical examples are '1234567@uvt.nl' or 'frits@uninett.no'. This is not a mail address. The '@university.country' scope takes care of global uniqueness; the text in the first part may be a username or an administration number. Persistence means that once a particular principal name has been used for a person, it must never be reused for another person. If you cannot fulfil that requirement in your federation (for instance because of the way you construct your NetID), you may ask portal operations to bootstrap your federation with another attribute as the unique identifier, such as eduPersonTargetedID. You must communicate that at the beginning, at least before any certificates have been issued to members of your constituency, because otherwise the namespace will be in flux, which is unacceptable.
  2. eduPersonEntitlement, containing urn:mace:terena.org:tcs:escience-user and/or urn:mace:terena.org:tcs:personal-user. Note: this value must only be set for users whose identity is guaranteed to have been verified against a passport! Users need not be verified with a passport again if that was done earlier. Test identities are strictly forbidden, as are pseudonyms.
    • Additionally, NREN and subscriber admins require the values urn:mace:terena.org:tcs:escience-admin and/or urn:mace:terena.org:tcs:personal-admin.
  3. schacHomeOrganization OR eduPersonOrgDN identifying the institution (subscriber) of the person within the NREN, e.g. "uvt.nl" for schacHomeOrganization, or "o=Hogwarts, dc=hsww, dc=wiz" for eduPersonOrgDN. It is also possible to use the scope of the ePPN as the organizational identifier if you do not have multi-domain institutions, or the IdP's entityID if there is a one-to-one relationship between subscribers and IdPs.
  4. some representation of the full name (e.g. 'cn', but it can be a differently named attribute). This full name becomes the Common Name of the issued certificate. Examples of a Common Name: "S. Kramer" or "Thijs Nijssen".
  5. the user's email address (e.g. the attribute 'mail', but it can be a differently named attribute). Email addresses end up in the certificate. Per NREN, the portal can be configured to support more than one mail address.

Note: Using other unique identifiers than eduPersonPrincipalName will be possible with the next Confusa release 0.6 (which is due end of April 2010).

...








A scary, lengthy, verbose form will appear. Don't panic, most of it is self-explanatory. However, the first two steps are rather involved. In the section "Attribute name", enter the value of the configured organization attribute for this subscriber, exactly as the subscriber's IdP exports it.

Example:

  • The configured organization attribute is the scope of the ePPN. The scope of the ePPN for your subscriber is always "kth.se". You enter "kth.se".
  • The configured organization attribute is eduPersonOrgDN. For the current subscriber that is set to "dc=se, dc=kth". You enter "dc=se, dc=kth".
  • The configured organization attribute is the entityID. For the current subscriber that is "https://idp.kth.se". You enter "https://idp.kth.se".

Next, you want to determine the organization name as it will go into the DN, that is, the string that follows the /O= part of the certificate's subjectDN. The value is more or less arbitrary, but choose it carefully: any later change of the name results in revocation of all certificates that were issued with that org-name, so pick a name for the subscriber that can stay stable over a long period of time. In the eScience portal, that name is also subject to Grid restrictions: it may only contain ASCII characters and its length is limited to 62 characters:

If your subscriber needs to use a different attribute for the unique identifier than the one you have configured on the NREN level, the form lets you specify the name of that attribute. Untick the checkbox "Inherit from NREN-mapping" and enter the name of the attribute you want to configure for that particular subscriber. If the subscriber uses the same attribute for the UID as you have configured on the NREN level, just leave the "Inherit from NREN-mapping" checkbox checked:
The next few form fields are standard information about the subscriber, such as helpdesk and contact information. Fill in appropriate values. What is important is the subscriber state: only if the subscriber state is "Subscribed" can users of the subscriber request certificates. So if (and only if) you have already cleared all contractual details with the subscriber you are adding, set the subscriber state to "Subscribed":

...

Now you can verify whether the attribute mapping and the subscriber addition were actually successful. Click on the portal title in the header bar of the portal and check the information displayed in the "Info about you" box. In particular, have a look at the Full-DN and check that it contains sane values:


10. Add administrators for the configured subscribers

If you point your browser to "Portals" -> "Admins" you see two control fields. With the upper, you can add fellow NREN-administrators, while with the lower you can add admins for the subscribers within your constituency. The latter is more important initially, so your subscribers can start to take care of their own configuration.


For every configured subscriber in the "Change subscriber" list, enter one or several unique identifiers of the admins. If the configured unique identifier is eduPersonPrincipalName, add one or several ePPNs here.

Note: If a subscriber admin with that identifier logs on, he or she does not automatically have admin status. Additionally, the right eduPersonEntitlement attribute must be set by the IdP. See The hitchhiker's guide to the TCS-personal galaxy for more details on this.
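The following is a worked model, added here and not part of the Confusa/TCS documentation or code base, of three things this page describes: the attribute requirements from step 2 (scoped persistent ePPN, user entitlement, organization attribute, full name, mail), the subscriber lookup and subject DN rules from the "add subscriber" form (organization attribute as exported by the IdP, per-subscriber UID override versus "Inherit from NREN-mapping", subscriber state, ASCII and 62-character limits on the /O= value), and the two-part admin rule from step 10. Everything not stated on the page is an assumption of the example: the exact DN layout (/O=.../CN=.../emailAddress=...), an "entityID" pseudo-attribute supplied by the SP when the IdP's entityID is the configured organization attribute, and the sample mapping and identities, which are constructed.

```python
"""Model of the attribute requirements, subscriber lookup, subject DN construction
and subscriber-admin rule described on this page.  Added example, not code from the
Confusa/TCS portal: the DN layout, the "entityID" pseudo-attribute and all sample
values below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AttributeSet = Dict[str, List[str]]   # SAML attributes are multi-valued
USER_ENTITLEMENTS = {"urn:mace:terena.org:tcs:escience-user",
                     "urn:mace:terena.org:tcs:personal-user"}
ADMIN_ENTITLEMENTS = {"urn:mace:terena.org:tcs:escience-admin",
                      "urn:mace:terena.org:tcs:personal-admin"}
MAX_ORG_NAME_LEN = 62   # Grid limit on the /O= value quoted on this page


class MappingError(Exception):
    """IdP attributes or portal configuration violate a requirement."""


@dataclass
class Subscriber:
    org_name: str                        # the /O= value; changing it revokes certs
    state: str = "Subscribed"            # only "Subscribed" may request certificates
    uid_attribute: Optional[str] = None  # None = "Inherit from NREN-mapping"
    admins: set = field(default_factory=set)   # unique identifiers of subscriber admins


@dataclass
class NrenMapping:
    org_attribute: str   # "eppn-scope", "schacHomeOrganization", "eduPersonOrgDN" or "entityID"
    uid_attribute: str = "eduPersonPrincipalName"
    cn_attribute: str = "cn"
    mail_attribute: str = "mail"
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)  # keyed by org attribute value


def single_value(attrs: AttributeSet, name: str) -> str:
    values = attrs.get(name, [])
    if len(values) != 1:
        raise MappingError(f"attribute {name!r} must have exactly one value, got {values}")
    return values[0]


def eppn_scope(eppn: str) -> str:
    """'1234567@uvt.nl' -> 'uvt.nl'.  Not a mail address, but exactly one '@' is required."""
    local, sep, scope = eppn.partition("@")
    if not sep or not local or not scope or "@" in scope:
        raise MappingError(f"malformed eduPersonPrincipalName {eppn!r}")
    return scope


def org_lookup_key(mapping: NrenMapping, attrs: AttributeSet) -> str:
    """Value compared against the subscriber form's "Attribute name" field."""
    if mapping.org_attribute == "eppn-scope":
        return eppn_scope(single_value(attrs, "eduPersonPrincipalName"))
    # schacHomeOrganization / eduPersonOrgDN as exported by the IdP, or (assumption)
    # the IdP's entityID handed over by the SP as a pseudo-attribute named "entityID"
    return single_value(attrs, mapping.org_attribute)


def validate_org_name(org_name: str) -> str:
    if not org_name or not org_name.isascii():
        raise MappingError(f"org name {org_name!r} must be non-empty ASCII")
    if len(org_name) > MAX_ORG_NAME_LEN:
        raise MappingError(f"org name {org_name!r} exceeds {MAX_ORG_NAME_LEN} characters")
    return org_name


def resolve(mapping: NrenMapping, attrs: AttributeSet):
    """Find the subscriber and the user's unique identifier (subscriber override or NREN default)."""
    key = org_lookup_key(mapping, attrs)
    sub = mapping.subscribers.get(key)
    if sub is None:
        raise MappingError(f"no subscriber configured for {mapping.org_attribute}={key!r}")
    return sub, single_value(attrs, sub.uid_attribute or mapping.uid_attribute)


def subject_dn(mapping: NrenMapping, attrs: AttributeSet) -> str:
    """Subject DN for a certificate request, enforcing the page's requirements.
    The /O=.../CN=.../emailAddress=... layout is an assumption of this example."""
    sub, uid = resolve(mapping, attrs)
    if sub.state != "Subscribed":
        raise MappingError(f"subscriber {sub.org_name!r} is in state {sub.state!r}")
    if not set(attrs.get("eduPersonEntitlement", [])) & USER_ENTITLEMENTS:
        raise MappingError(f"{uid}: no TCS user entitlement (identity not passport-verified?)")
    cn = single_value(attrs, mapping.cn_attribute)
    mail = single_value(attrs, mapping.mail_attribute)
    return f"/O={validate_org_name(sub.org_name)}/CN={cn}/emailAddress={mail}"


def is_subscriber_admin(mapping: NrenMapping, attrs: AttributeSet) -> bool:
    """Step 10: listed under Portals -> Admins AND an admin entitlement from the IdP."""
    sub, uid = resolve(mapping, attrs)
    entitled = bool(set(attrs.get("eduPersonEntitlement", [])) & ADMIN_ENTITLEMENTS)
    return uid in sub.admins and entitled


# Constructed sample configuration and identities (not real subscribers or users).
SAMPLE_MAPPING = NrenMapping(
    org_attribute="eppn-scope",
    subscribers={"kth.se": Subscriber(org_name="KTH", admins={"admin1@kth.se"}),
                 "example.se": Subscriber(org_name="Example University", state="Pending")})
SAMPLE_USER = {"eduPersonPrincipalName": ["1234567@kth.se"],
               "eduPersonEntitlement": ["urn:mace:terena.org:tcs:escience-user"],
               "cn": ["Anna Exempel"], "mail": ["anna@kth.se"]}
```

`subject_dn(SAMPLE_MAPPING, SAMPLE_USER)` yields `/O=KTH/CN=Anna Exempel/emailAddress=anna@kth.se`; a user of the "Pending" subscriber, a user without a TCS user entitlement, an org name over 62 characters or containing non-ASCII, and a malformed ePPN are all rejected with a MappingError. The admin check deliberately requires both the Portals -> Admins listing and the entitlement, mirroring the note above; an identifier listed as admin but logging in without the admin entitlement gets no admin status.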

11. Have Fika!