Accessing the service 

Your FaaS toolbox will be available on the server name that you have chosen when requesting the service. For security reasons the service is only available via HTTPS.

User guide

This guide is intended to assist Federation Operators in using the Resource Registry tool. The guide is available at FaaS_user_guide.

Metadata

Generated Metadata aggregates

Every FaaS toolbox produces three SAML Metadata documents, each signed with XMLDsig using the HSM-protected private key:

  • edugain-upstream.xml
    • Content: Locally registered entities that chose to be members of eduGAIN in the registry application;
    • Audience: For the eduGAIN MDS to harvest, verify and re-publish.
  • federation-downstream.xml
    • Content: Locally registered entities that joined the local federation in the registry application, plus any interfederation entities received from eduGAIN;
    • Audience: This is the main federation aggregate and the only SAML Metadata document that should be published for all federation members to consume.
  • local-entities-downstream.xml
    • Content: Only locally registered entities (as above), with no entities from eduGAIN;
    • Audience: This aggregate should only be used in exceptional circumstances. It is intended to be consumed by locally registered Service Providers that have not joined eduGAIN and (likely) never will, and that either have issues using the federation-downstream.xml aggregate (above) due to its size, or expect a selection of only locally registered Identity Providers. (For the latter case there are other workarounds, also provided by the FaaS toolbox.)

These files are available at the URL https://$FQDN/md/$FILENAME, where $FQDN is the web server name chosen for the instance and $FILENAME is one of the file names explained above.

(Re-)Publishing Metadata

The FaaS infrastructure is not run with special precautions to provide High Availability. The availability of the FaaS system is designed according to its purpose as a "management" tool that only needs to be available when someone intends to make changes to entities in a federation and to pick up changes from eduGAIN (once a day). To avoid a run-time dependency on the availability of the FaaS toolbox for the whole federation, we strongly advise you to regularly download those metadata files to another server under your control (e.g. with cron and wget or curl), and to publish and promote the use of those URLs instead, for consumption by federation members and eduGAIN. (You can also freely choose different file names for these SAML Metadata documents.)

All SAML Metadata documents published by your federation require verification of the cryptographic signature (XMLDsig) on that metadata against this Metadata Signing Key, which you need to safely distribute to your federation members. Trust in any information contained in SAML Metadata published by your federation should only be derived from a valid signature with that key, not from the URL the metadata is downloaded from.

Based on the above, you should:

  • Regularly download the generated metadata from your FaaS instance and store it on another server;
  • Publish that location (on your other server) to your federation members, pointing at the URL that has the content of federation-downstream.xml;
  • Distribute the Metadata Signing Key to your federation members (you can rename the certificate as desired);
  • To connect to eduGAIN, follow the official checklist for joining and, for step three "Metadata source and signing certificate", do the following:
    • For "Metadata source" send the location on your (other) server to which you copy the edugain-upstream.xml file.
    • For "Signing certificate" just note that you are a FaaS customer, as the eduGAIN operations team already has it.

Note: Joining eduGAIN is not within the remit of the FaaS service; for all eduGAIN related matters you should refer to the official eduGAIN web site.
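The download, verify and re-publish step described above, written out as an added example (this is not part of the FaaS documentation or toolbox): a POSIX shell script for cron that fetches an aggregate from https://$FQDN/md/ over HTTPS, verifies its XMLDsig signature with xmlsec1 against the Metadata Signing Key, and only then replaces the published copy, so a failed download or a bad signature never removes the last good file. The host name, certificate path, publish directory and the VERIFY_CMD override are assumptions chosen for the example.

```shell
#!/bin/sh
# Mirror a FaaS aggregate to a local publishing directory, replacing the
# published copy only after its XMLDsig signature verifies against the
# federation's Metadata Signing Key. All host names and paths are placeholders.
set -eu

FAAS_FQDN="${FAAS_FQDN:-faas.example.org}"                      # placeholder
SIGNING_CERT="${SIGNING_CERT:-/etc/faas/metadata-signing.pem}"  # placeholder
PUBLISH_DIR="${PUBLISH_DIR:-/var/www/metadata}"                 # placeholder

# Verify the enveloped signature on a SAML metadata file with xmlsec1.
# The --id-attr option tells xmlsec1 which element carries the ID that the
# signature's Reference URI points at (the EntitiesDescriptor root).
verify_signature() {
    xmlsec1 --verify --trusted-pem "$SIGNING_CERT" \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
        "$1" >/dev/null 2>&1
}
VERIFY_CMD="${VERIFY_CMD:-verify_signature}"  # overridable, e.g. for a test

# Download aggregate $1 (e.g. federation-downstream.xml) to $2 over HTTPS only;
# --fail turns an HTTP error page into a non-zero exit instead of a bogus file.
fetch_aggregate() {
    curl --fail --silent --show-error --proto '=https' \
        -o "$2" "https://$FAAS_FQDN/md/$1"
}

# Replace published file $2 with candidate $1 only if its signature verifies.
# On failure the previously published copy is left untouched and 1 is returned.
publish_verified() {
    src="$1"; dest="$2"
    if ! "$VERIFY_CMD" "$src"; then
        echo "signature check failed for $src; keeping $dest" >&2
        return 1
    fi
    # Copy then rename so consumers never read a half-written file.
    cp "$src" "$dest.tmp" && mv -f "$dest.tmp" "$dest"
}

# Cron entry point: refresh both aggregates, skipping any that fail.
sync_all() {
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    for f in federation-downstream.xml edugain-upstream.xml; do
        fetch_aggregate "$f" "$tmp" || { echo "download of $f failed" >&2; continue; }
        publish_verified "$tmp" "$PUBLISH_DIR/$f" || continue
    done
}
# Run the sync only when invoked as: sh faas-mirror.sh sync
case "${1:-}" in sync) sync_all ;; esac
```

Point your federation members and eduGAIN at $PUBLISH_DIR on the mirror server rather than at the FaaS instance, and keep the signature check on their side as well, since the mirror URL is no more trustworthy than the original one.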
