
You can register your GEANT project or related service with the GEANT SAML proxy, so that it can use the existing authentication options such as eduGAIN, social media, guest IdPs, etc.


Your Service Provider must be a production SAML deployment that supports the SAML V2.0 HTTP-POST binding.


Please note that a list of all connected services will be made publicly available. This means that your service cannot be "hidden" in any way.

As a result, services are required to have a valid TLS configuration (including their SAML endpoints) using certificates from a trusted CA:

  • For production services that are operated by GEANT this must be a TCS certificate (DigiCert at the moment).
  • For non-production services and services operated by third parties, this can be any trusted CA, including Let's Encrypt.

Required information

Please send the following information to aai-is@lists.geant.org:

For each item, the list below gives a description, an example, and the internal field it is stored in (mapped to).

Technical contact
  Description: the contact for
    • authentication issues
    • security issues
    • privacy issues
  Example: support@it.geant.org
  Stored in: contacts['technical']

Support contact
  Description: "generic" support questions about the actual service, for instance "how does it work". Usually the application administrators or the team that runs it.
  Example: support@it.geant.org
  Stored in: contacts['support']

entityID
  Description: the SAML entityID must be HTTPS-scheme based. See https://github.com/REFEDS/MRPS/blob/v1/mrps.md#52-entityid-format and https://spaces.at.internet2.edu/display/InCFederation/Entity+IDs (which has recently moved to https://spaces.at.internet2.edu/display/federation/Entity+ID).

Service name
  Description: a very short name to be shown in user interfaces, for instance "GÉANT Intranet".
  Example: GÉANT Wiki
  Stored in: name

Service description
  Description: longer descriptive text, with at least:
    • the purpose of the service
    • its intended audience
    • its status (production, testing, etc.)
    • the date it went into production (when it was set up)
    • the software type/version it runs
  It can contain URLs.
  Example: Atlassian Confluence wiki, production instance.
  Stored in: description

Service URL
  Description: the actual URL to the main service, for instance https://intranet.geant.org
  Stored in: url

Metadata
  Description: valid SAML 2.0 metadata, as a URL to the XML metadata (preferred) or as an XML metadata file. It must contain at least the following elements:
    • contacts:
      • one technical contact (for dealing with authentication/security/privacy issues)
      • one support contact (for generic application support questions)
    • name: the very short service name described above
    • an X.509 certificate for signing requests
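As an added example (not part of this page or of the proxy's own tooling), the following Python checks a prospective SP's metadata against the requirements listed above: an https-based entityID, one technical and one support contact, an X.509 signing certificate, and an HTTP-POST AssertionConsumerService whose endpoint is served over TLS. The sample metadata, the host wiki.example.org and the contact addresses are constructed; the proxy's own validation may differ.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used in SAML 2.0 metadata
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_sp_metadata(xml_text: str) -> list:
    # Returns the list of problems found; an empty list means every check passed
    problems = []
    root = ET.fromstring(xml_text)
    # 1. The entityID must use the https scheme
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID is not https-based: {entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor element (not an SP)"]
    # 2. One technical and one support contact
    types = {c.get("contactType") for c in root.findall("md:ContactPerson", NS)}
    for wanted in ("technical", "support"):
        if wanted not in types:
            problems.append(f"missing ContactPerson with contactType={wanted}")
    # 3. An X.509 signing certificate (a KeyDescriptor without 'use' covers signing too)
    if not any(k.get("use", "signing") == "signing"
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
               for k in sp.findall("md:KeyDescriptor", NS)):
        problems.append("no X.509 signing certificate in a KeyDescriptor")
    # 4. An HTTP-POST AssertionConsumerService, with every SAML endpoint served over TLS
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == HTTP_POST for a in acs):
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            problems.append(f"AssertionConsumerService endpoint is not https: {a.get('Location')!r}")
    return problems

# Constructed sample metadata for a fictitious service (not a real GEANT service)
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://wiki.example.org/saml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.example.org/saml/acs" index="0"/>
 </md:SPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:it@example.org</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="support"><md:EmailAddress>mailto:it@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

# The same metadata with three common registration mistakes introduced
BAD_METADATA = (GOOD_METADATA.replace('entityID="https://', 'entityID="http://').replace('Location="https://', 'Location="http://')
                .replace('contactType="support"', 'contactType="administrative"'))
```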

Supplied information


The SAML proxy will always provide the following attributes to its downstream services:

uid
  Example value: federated-user-1234
  Remarks: unique user ID, always available.

mail
  Example value: user@domain
  Remarks: defaults to the string 'invalid_email_needs_updating' if none was provided by the upstream IdP.

displayName
  Example value: Robert Wagner
  Remarks: defaults to the string 'first_name last_name' or similar if the name parts were not provided by the upstream IdP.

isMemberOf
  Example values:
    • GN_Services:GN Project Participants
    • GN4Phase3:WPs:WP9
    • GN4Phase1:SAs:GN4-1_SA3-T4
  Remarks: multivalued attribute listing the CAMS group memberships.

Our endpoint

EntityID: https://login.terena.org/wayf/saml2/idp/metadata.php

Metadata URL: https://login.terena.org/wayf/saml2/idp/metadata.php

Metadata webpage (if your SP runs SimpleSAMLphp): https://login.terena.org/wayf/saml2/idp/metadata.php?output=xhtml


Service monitoring

At some stage, monitoring will be set up to help ensure that each service conforms to the basic requirements. The monitored items are expected to include:

  • Reachability of the Service URL
  • Configuration of the web server's TLS stack, using the SSL Labs test
  • Clock skew, using the HTTP Date header

Any alarms that are generated by these checks will be sent to the technical contact(s) that you configured.