FaaS is offered at no additional cost to GÉANT partners. If you are not a GÉANT partner but would like to find a way to get our support, contact us (update link).
Request for the service
The request for the service is sent to the FaaS contact (update link) and should be sent by a person who is the eduGAIN SG delegate or SG deputy (if your NREN has signed the eduGAIN declaration) or by a recognised representative of the organisation confirmed with the GÉANT Partner Relations team. The request should contain the names and email addresses of the people from your organisation who should be technical contacts for the FaaS service (ideally the Federation operator personnel). Those contacts will be added to the firstname.lastname@example.org mailing list, which is used for sending notifications about the FaaS service that are of interest to customers.
Information for the service request
To provide a customized FaaS instance, the request should include the following information:
1. Desired fully qualified domain name (FQDN) of the web server, in your domain. Since this service is offered to your community by you as Federation operator, the service should be visible on your domain, with a name of your choice that you (and your community) will find fitting.
2. Details for a TLS certificate to secure the web server with HTTPS. For security reasons, the certificate MUST be a single domain certificate (not a wildcard). You should send us:
2.1 Complete data for a CSR (Certificate Signing Request) for your preferred Certificate Authority (e.g. C, ST, L, O, OU, CN, email)
2.2 Preferred key size (2048-bit or 4096-bit) and signature hashing algorithm (e.g. SHA256 or SHA512)
2.3 URLs or certificate chain for any intermediate CA certificates (i.e., all certificates that are neither the server certificate itself nor the root CA certificate)
After receiving this information, FaaS operations will create the private key and will send you the CSR for signing. With this procedure, the private key never leaves the server. After you get the server certificate, you should send it back to us.
3. Support email address to be used for error and other messages sent from Jagger or the system (ideally this should be your contact address for the federation operator team)
4. Hostname of the smarthost to which the server will send all emails (from step 3) for further delivery. You will need to accept mail and allow relaying from the machine; we suggest authorizing relaying based on the IP address of the machine, which we will announce to you.
5. URL to a small logo that will be shown in the upper left corner of the Jagger UI (for example, a federation or NREN logo). Max height 40 px, recommended width 110 px. If you don't have an appropriate logo, we can leave this empty until you send us one. You can of course change the logo at any point by sending us a new one (as this needs to be configured on the system).
6. Short URL uniquely identifying your Federation (to be used as "Name", "registrationAuthority" and "publisher" in SAML metadata). We suggest using the same value for all of them and propose a URL based on the FQDN you chose in step 1.
7. List of the shortest ISO 639 codes for the language tags to be used in SAML metadata (i.e., that will be present in the language dropdown lists in Jagger UI edit forms). This should be all official languages of the regions served by your Federation; we will always add "en"/English. For reference, use https://www.loc.gov/standards/iso639-2/php/code_list.php, where you should pick the ISO 639-1 (2-letter) code if available, or otherwise the ISO 639-2 (3-letter) code.
8. Shortest ISO 639 code for the language that will be used as the default in the language dropdown lists in Jagger UI edit forms. This must be one of the languages defined above.
9. If you are interested in translating Jagger: a list of usernames that would be allowed to translate Jagger and the language that each of those users would be translating to. Usernames should be the EPPNs that you will use to create local accounts at first.
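For step 2, the CSR returned by FaaS operations can be checked against what you requested before you submit it to your Certificate Authority. The script below is an added example, not part of the FaaS tooling; it assumes an RSA key and the `openssl` command line, and the function names and sample values (`faas.example.org`, `Example NREN`) are hypothetical.

```shell
#!/bin/sh
# Added example: checks on a CSR before it is submitted to a CA.
# Function names and sample values are hypothetical; RSA keys are assumed.

# check_csr FILE FQDN BITS HASH -> returns 0 if the CSR matches the request
check_csr() {
    csr=$1 fqdn=$2 bits=$3 hash=$4

    # The self-signature shows the CSR was made with the matching private key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; return 1; }

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p')

    # Single domain only: reject a wildcard in the CN or in any SAN entry.
    case $cn in *\**) echo "FAIL: wildcard CN $cn"; return 1 ;; esac
    if printf '%s\n' "$text" | grep -q 'DNS:\*'; then
        echo "FAIL: wildcard subjectAltName"; return 1
    fi
    [ "$cn" = "$fqdn" ] || { echo "FAIL: CN '$cn' is not $fqdn"; return 1; }

    # Key size and signature hash must be the ones that were requested.
    printf '%s\n' "$text" | grep -q "Public-Key: ($bits bit)" ||
        { echo "FAIL: key is not $bits bit"; return 1; }
    printf '%s\n' "$text" | grep -qi "Signature Algorithm: ${hash}With" ||
        { echo "FAIL: signature hash is not $hash"; return 1; }
    echo "OK: $fqdn, $bits bit, $hash"
}

# make_sample_csr DIR NAME CN -> writes DIR/NAME.csr (constructed sample input)
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=XX/O=Example NREN/CN=$3" >/dev/null 2>&1
}

# Run as: sh check_csr.sh request.csr faas.example.org 2048 sha256
if [ "$#" -eq 4 ]; then check_csr "$@"; fi
```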
Receiving your FaaS customized instance
After receiving the request, we will get back to you to confirm that the information you provided is complete, or otherwise to support you in this process. After we have received the full information needed, we will issue the request for creating your instance, which is usually completed in a couple of working days.
To be able to access and fully use your instance, several last steps need to be finalized:
- you will need to configure a DNS CNAME record pointing from your chosen server name in your domain to the internal name of the machine, which we will announce to you;
- we will announce to you the IP address of your machine so that you can set up appropriate filters in the mail smarthost;
- we will send you the default admin password for accessing your instance over a secure channel. You should access your instance with this account, create at least one personal admin account and then delete the default one.