
Joining eduGAIN as Identity Provider

To join the eduGAIN federation:

1) if you did not already do so when registering with the Federation, you first need to print, complete, sign and return this letter to us.

2) you need to modify your Shibboleth IdP configuration:

2.1) in [shibboleth directory]/conf/relying-party.xml:

your IdP needs to load the metadata published by the eduGAIN service, so a metadata provider like the one in the example below needs to be added:

<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
...
    <!-- *******  eduGAIN Federation ******* -->
    <metadata:MetadataProvider id="URLMD4" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                               xmlns="urn:mace:shibboleth:2.0:metadata"
                               metadataURL="http://mds.edugain.org"
                               backingFile="/opt/shibboleth-idp/metadata/mds.edugain.org.xml">
        <!-- Chaining filter, so that several filters can be applied to this provider -->
        <metadata:MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
            <!-- Optionally ensure the metadata has a reasonable validity period (here at most 9 days). -->
            <!-- <metadata:MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                                          maxValidityInterval="P9D" /> -->
            <!--
                Ensure the metadata is signed, and use the 'eduGAIN.MetadataTrustEngine'
                defined below to decide whether the signature is trustworthy
            -->
            <metadata:MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                     trustEngineRef="eduGAIN.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
...

Further down in the same file, the following trust engine needs to be defined so that the signature on the eduGAIN metadata can be verified:

...
    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
    <security:TrustEngine id="eduGAIN.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="eduGAINCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/edugain-mds.cer</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
...
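As an added check (example code written for this page, not Belnet's or the Shibboleth project's own tooling), the following Python script parses a relying-party.xml and flags every remote metadata provider that does not carry a SignatureValidation filter with requireSignedMetadata="true" whose trustEngineRef names a security:TrustEngine defined in the same file. A provider that fails this check would load whatever the remote URL serves, signed or not. The embedded sample configuration is constructed: it contains the eduGAIN provider and trust engine from above plus a deliberately misconfigured second provider (UNSIGNED-EXAMPLE, fetching from example.invalid) so that the check has something to report. Passing a file path as the first argument runs the check against your own configuration instead.

```python
"""Lint a Shibboleth IdP 2.x relying-party.xml for remote metadata providers
that do not require a verified signature.  Added example written for this
page; it is not Belnet's or the Shibboleth project's tooling."""
import sys
import xml.etree.ElementTree as ET

MD = "urn:mace:shibboleth:2.0:metadata"
SEC = "urn:mace:shibboleth:2.0:security"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the eduGAIN provider from this page plus one bad provider.
SAMPLE_RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="URLMD4" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://mds.edugain.org"
        backingFile="/opt/shibboleth-idp/metadata/mds.edugain.org.xml">
      <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
            trustEngineRef="eduGAIN.MetadataTrustEngine" requireSignedMetadata="true"/>
      </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    <!-- constructed misconfiguration: remote metadata with no signature check at all -->
    <metadata:MetadataProvider id="UNSIGNED-EXAMPLE" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://example.invalid/metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/example.xml"/>
  </metadata:MetadataProvider>
  <security:TrustEngine id="eduGAIN.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="eduGAINCredentials" xsi:type="security:X509Filesystem">
      <security:Certificate>/opt/shibboleth-idp/credentials/edugain-mds.cer</security:Certificate>
    </security:Credential>
  </security:TrustEngine>
</rp:RelyingPartyGroup>
"""


def local_type(el):
    """xsi:type of an element with any namespace prefix stripped."""
    return (el.get(XSI_TYPE) or "").split(":")[-1]


def lint_metadata_providers(xml_text):
    """Return a list of findings for a relying-party.xml (empty list means clean).

    A remote provider (one with a metadataURL) passes only when it carries a
    SignatureValidation filter with requireSignedMetadata="true" whose
    trustEngineRef names a security:TrustEngine defined in the same file.
    """
    root = ET.fromstring(xml_text)
    engines = {e.get("id") for e in root.iter(f"{{{SEC}}}TrustEngine")}
    findings = []
    for prov in root.iter(f"{{{MD}}}MetadataProvider"):
        url = prov.get("metadataURL")
        if url is None:
            continue  # chaining, filesystem or inline providers fetch nothing remotely
        label = prov.get("id") or url
        sig = [flt for flt in prov.iter(f"{{{MD}}}MetadataFilter")
               if local_type(flt) == "SignatureValidation"]
        if not sig:
            findings.append(f"{label}: no SignatureValidation filter, so unsigned "
                            f"metadata from {url} would be trusted")
            continue
        for flt in sig:
            # A missing attribute is treated as 'not required'; the page's example sets it explicitly.
            if flt.get("requireSignedMetadata", "false").lower() != "true":
                findings.append(f'{label}: requireSignedMetadata is not "true"')
            ref = flt.get("trustEngineRef")
            if ref not in engines:
                findings.append(f"{label}: trustEngineRef {ref!r} does not match any security:TrustEngine")
    return findings


if __name__ == "__main__":
    # Usage: python3 lint_rp.py [/path/to/relying-party.xml]; without an argument the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RELYING_PARTY
    for finding in lint_metadata_providers(text) or ["no findings"]:
        print(finding)
```

The check deliberately looks only at providers with a metadataURL: a chaining or filesystem provider fetches nothing, so the signature requirement belongs on the provider that actually talks to the remote aggregate.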


2.2) You need to download the certificate used to sign the eduGAIN metadata:

The link is https://www.edugain.org/mds-2014.cer

Install it in [shibboleth directory]/credentials/ under the path specified in your relying-party.xml configuration (edugain-mds.cer in the example above).

3) to be fully compliant with the eduGAIN requirements, you need to modify the metadata of your IdP to include the following sections. First, these namespace declarations need to be added to the <EntityDescriptor> element:

   xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
   xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"

Right after the opening <EntityDescriptor> tag, the following element needs to be included:

        <Extensions>
            <mdrpi:RegistrationInfo registrationAuthority="http://federation.belnet.be/" registrationInstant="2012-03-27T12:00:00Z">
                <mdrpi:RegistrationPolicy xml:lang="en">http://federation.belnet.be/files/Belnet-metadata-registration-practice-statement.txt</mdrpi:RegistrationPolicy>
            </mdrpi:RegistrationInfo>
        </Extensions>

In the <IDPSSODescriptor> element, the following needs to be present:

        <Extensions>
            <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">[YOUR DOMAIN]</shibmd:Scope>
            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
                <mdui:DisplayName xml:lang="en">[YOUR INSTITUTION]</mdui:DisplayName>
                <mdui:Description xml:lang="en">[SHORT DESCRIPTION OF YOUR INSTITUTION]</mdui:Description>
                <mdui:Logo height="16" width="16">https://anyurlwithyourlogoaccessible/yoursmalllogo.png</mdui:Logo>
                <mdui:Logo height="75" width="153">https://anyurlwithyourlogoaccessible/yourbiglogo.png</mdui:Logo>
            </mdui:UIInfo>
            <mdui:DiscoHints xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
                <mdui:IPHint>[the IPv4 range you are using, e.g. 193.190.x.y/mm]</mdui:IPHint>
                <mdui:IPHint>2001:6a8:[your IPv6 range]::/64</mdui:IPHint>
                <mdui:DomainHint>[YOUR DOMAIN]</mdui:DomainHint>
                <mdui:GeolocationHint>[YOUR GEO COORDINATES, in a format like geo:50.825312,4.365471]</mdui:GeolocationHint>
            </mdui:DiscoHints>
        </Extensions>

The mdui:Logo elements are not mandatory, but they make your institution's entry much more appealing in the eduGAIN discovery service (called DiscoJuice), which displays the logo of your institution. Watch out: in previous versions we asked you to put a base64-embedded logo in the <mdui:Logo> tags, but the aggregated metadata has become larger and larger; logos must now be provided as HTTPS URLs, with some recommendations on the maximum sizes (see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMDUIRecommendations for more information).
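Before sending your metadata, it is worth checking that every element listed in step 3 is present and that no placeholder was left behind. The Python script below (an added example written for this page, not Belnet's or eduGAIN's own validator) parses an EntityDescriptor and reports missing mdrpi:RegistrationInfo, a missing or placeholder shibmd:Scope, missing English mdui:DisplayName/Description, any mdui:Logo that is not an HTTPS URL (so embedded base64 logos and plain http links are flagged), IPHint values that are not valid CIDR ranges and GeolocationHint values that do not follow the geo:<lat>,<lon> form. The embedded metadata is a constructed sample for a fictitious institution (example.invalid, documentation IP ranges); pass a file path as the first argument to check your own metadata.

```python
"""Check an IdP EntityDescriptor for the elements eduGAIN expects.
Added example for this page; not Belnet's or eduGAIN's own tooling."""
import ipaddress
import re
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
GEO_RE = re.compile(r"^geo:(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)$")

# Constructed sample: the step 3 template filled in for a fictitious institution.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.invalid/idp/shibboleth">
  <md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="http://federation.belnet.be/" registrationInstant="2012-03-27T12:00:00Z">
      <mdrpi:RegistrationPolicy xml:lang="en">http://federation.belnet.be/files/Belnet-metadata-registration-practice-statement.txt</mdrpi:RegistrationPolicy>
    </mdrpi:RegistrationInfo>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.invalid</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Institution</mdui:DisplayName>
        <mdui:Description xml:lang="en">Constructed sample institution</mdui:Description>
        <mdui:Logo height="16" width="16">https://www.example.invalid/logo16.png</mdui:Logo>
        <mdui:Logo height="75" width="153">https://www.example.invalid/logo153.png</mdui:Logo>
      </mdui:UIInfo>
      <mdui:DiscoHints>
        <mdui:IPHint>192.0.2.0/24</mdui:IPHint>
        <mdui:IPHint>2001:db8::/64</mdui:IPHint>
        <mdui:DomainHint>example.invalid</mdui:DomainHint>
        <mdui:GeolocationHint>geo:50.825312,4.365471</mdui:GeolocationHint>
      </mdui:DiscoHints>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a list of findings (empty list means the metadata passes every check)."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    reg = root.find(f"{{{MD}}}Extensions/{{{MDRPI}}}RegistrationInfo")
    if reg is None or not reg.get("registrationAuthority"):
        findings.append("mdrpi:RegistrationInfo with registrationAuthority missing under EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    ext = idp.find(f"{{{MD}}}Extensions") if idp is not None else None
    if ext is None:
        findings.append("IDPSSODescriptor with an Extensions element missing")
        return findings
    scope = ext.find(f"{{{SHIBMD}}}Scope")
    if scope is None or not (scope.text or "").strip() or "[" in scope.text:
        findings.append("shibmd:Scope missing or still a placeholder")
    ui = ext.find(f"{{{MDUI}}}UIInfo")
    if ui is None:
        findings.append("mdui:UIInfo missing")
    else:
        for name in ("DisplayName", "Description"):
            if not any(e.get(XML_LANG) == "en" and (e.text or "").strip()
                       for e in ui.findall(f"{{{MDUI}}}{name}")):
                findings.append(f"mdui:{name} with xml:lang='en' missing")
        for logo in ui.findall(f"{{{MDUI}}}Logo"):
            url = (logo.text or "").strip()
            if not url.startswith("https://"):  # rejects http:// and embedded base64 data
                findings.append(f"mdui:Logo must be an HTTPS URL, not {url[:40]!r}")
    hints = ext.find(f"{{{MDUI}}}DiscoHints")
    if hints is not None:
        for ip in hints.findall(f"{{{MDUI}}}IPHint"):
            try:
                ipaddress.ip_network((ip.text or "").strip(), strict=False)
            except ValueError:
                findings.append(f"mdui:IPHint is not a valid CIDR range: {ip.text!r}")
        for geo in hints.findall(f"{{{MDUI}}}GeolocationHint"):
            m = GEO_RE.match((geo.text or "").strip())
            if not m or not (-90 <= float(m.group(1)) <= 90 and -180 <= float(m.group(2)) <= 180):
                findings.append(f"mdui:GeolocationHint is not of the form geo:<lat>,<lon>: {geo.text!r}")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_idp_md.py [/path/to/idp-metadata.xml]; without an argument the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for finding in check_idp_metadata(text) or ["no findings"]:
        print(finding)
```

The sample is an excerpt rather than a complete IdP metadata file (it carries no SingleSignOnService or KeyDescriptor), because the script only looks at the eduGAIN-specific extensions; run it on your full metadata file, the other elements are simply ignored.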

4) once we have received your letter, we will publish your metadata in Belnet's eduGAIN metadata list, which is integrated into the global eduGAIN metadata.