Differences
en:metadata_admin_tool [2017/06/15 21:24] – Wolfgang Pempe | en:metadata_admin_tool [2023/01/12 19:32] – Wolfgang Pempe | ||
Line 1: | Line 1: | ||
====== Metadata Administration Tool ====== | ====== Metadata Administration Tool ====== | ||
- | This online tool allows for editing the SAML metadata of the participating entities (Identity Provider, Service Provider, Attribute Authorities) and the registration of those entities with the several | + | This online tool allows for editing the SAML metadata of the participating entities (Identity Provider, Service Provider, Attribute Authorities) and the registration of those entities with the [[en: |
- | For requesting | + | This is our [[https:// |
+ | |||
+ | |||
+ | |||
+ | ===== Accounts and account settings ===== | ||
+ | |||
+ | ==== How to get access | ||
+ | |||
+ | **Metadata admins can be appointed by the contractual or technical contact persons registered in the DFN-AAI contract database.** In the metadata administration tool, these persons are listed with the contract data of your organization or company. | ||
+ | |||
+ | If you signed a contract for DFN-AAI with us in one of those roles, you can just send us an e-mail | ||
+ | |||
+ | * first and last name, | ||
+ | * the e-mail address and | ||
+ | * the business telephone number. | ||
+ | |||
+ | The user credentials will then be sent directly to each of the new metadata admins. | ||
+ | |||
+ | Please note that we added a new role called " | ||
+ | |||
+ | ==== How to get your initial credentials for the new tool ==== | ||
+ | Your old credentials will not work in the new metadata admin tool (released Nov. 9th). You will receive an invitation link to the e-mail address you registered with. Follow the link in the e-mail. It only works once, though. If you followed the link earlier but did not set a password, please | ||
+ | |||
+ | ==== Two factor authentication ==== | ||
+ | Configuring a second factor for login is **mandatory**. Right after your initial login you are asked to register a TOTP device. | ||
+ | |||
+ | * You can either use a TOTP app on your smartphone, or a password manager that supports TOTP. | ||
+ | * Step 1: Enter a name for the device you want to register, e.g. " | ||
+ | * If you are using an authenticator app on a phone, scan the QR code and confirm the device by entering a code the app generates. | ||
+ | * If you are using a different application, | ||
+ | * Step 2: Generate emergency codes. | ||
+ | * You should generate a set of emergency codes just in case you lose your second factor. Each of them can be used once as the second factor for a login. Keep the emergency codes in a safe place. | ||
+ | * If your emergency codes are lost or compromised you can invalidate them here. | ||
+ | * You can return to your 2FA configuration later by choosing " | ||
+ | |||
+ | === How to configure 2FA upon second login === | ||
+ | |||
+ | If you logged out after your initial login without adding a second factor, you can **ONCE** request a token via e-mail. To do so, go to the login page, enter your user name (which is your e-mail address) and your password and press submit. If this is you first attempt to do this, the tool will offer you to send you a token. Once you have got it and logged in with it, **please register your second factor immediately** as this procedure will not work again. | ||
+ | |||
+ | ==== Password changes ==== | ||
+ | * Expand the menu underneath your user name in the top right corner and select " | ||
+ | * Enter your old password once for confirmation. Enter your new password twice. Note the list of possible characters in a password. | ||
+ | * Save the new password. | ||
+ | |||
+ | |||
+ | ==== New role: Subadmin ==== | ||
+ | In the new metadata administration tool the role of subadmins is a new feature. It enables regular metadata admins to delegate the administration of metadata of individual IdPs/SPs to third parties. They do not have to involve DFN-AAI hotline into account creation for subadmins. (Regular metadata admins with full access still have to be registered via the hotline though.) | ||
+ | |||
+ | Subadmins have limited permissions. They can | ||
+ | * see the overview containing the information about your organization including the contact | ||
+ | * view the metadata of all IdPs/SPs you have entered, | ||
+ | * edit the metadata of systems delegated to them, | ||
+ | * view the version history of systems delegated to them, | ||
+ | * upload logos and favicons. | ||
+ | |||
+ | Subadmins cannot: | ||
+ | * edit the details about your organization, | ||
+ | * add new IdPs/SPs | ||
+ | * delete the entire metadata of an entity, | ||
+ | * edit scopes. | ||
+ | |||
+ | ==== Invitation of subadmins ==== | ||
+ | |||
+ | * Go to the overview of your organization (the page that you see after login). | ||
+ | * Expand the " | ||
+ | * Enter the e-mail address of the person you would like to invite and click " | ||
+ | * In the next step, add some information about the new subadmin. The e-mail address, the first name, the last name and the phone number are required fields. | ||
+ | * In the section " | ||
+ | * Subadmins cannot add new entities! Please add the entity a subadmin shall be responsible for yourself, then delegate it. | ||
+ | * Save your changes. | ||
+ | * You are redirected to overview. In the users list you can now see the newly added account. On the right side you have buttons to edit or delete the subadmin' | ||
+ | |||
+ | ===== Your organization' | ||
+ | After logging in you are presented an overview of everything linked to your organization. If you are a metadata admin for more than one organization, | ||
+ | |||
+ | The overview of an organization contains the following sections that are all collapsed when you open the page: | ||
+ | |||
+ | * **Certificate expiration warnings:** If any of your systems only has a certificate that will expire within the next 30 days or that has already expired, the first thing you see is a red section. Expand it to jump directly to the affected entity. | ||
+ | * **Information on the institution: | ||
+ | * **Contracts**: | ||
+ | * In this section you can find all information concerning your DFN-AAI | ||
+ | * **Local Metadata:** This section contains a list of all entities that have been added to the [[en: | ||
+ | * **Users:** Here you can find the list of all metadata admins that have access to this organization' | ||
+ | * **Entities: | ||
+ | * **Entity Lists:** If you see this section, your organization manages an [[en:entity_attributes# | ||
+ | * **Logos and Scopes:** Here you upload all logos and favicons, as well as the scopes you need across all your entities. When editing an individual entity you assign logos, favicons and a scope from this pool. | ||
+ | |||
+ | |||
+ | ===== The list of entities ===== | ||
+ | Expand the section " | ||
+ | - edit the entity | ||
+ | - view the metadata of the entity (xml in browser) | ||
+ | - download the metadata of the entity | ||
+ | - delete the entity | ||
+ | - view the version history of the entity. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ===== How to add an IdP/SP ===== | ||
+ | * Go to the overview of your organization and expand the section " | ||
+ | * You then see the list o existing entities (if there are any). | ||
+ | * On top of the list, there are two buttons: | ||
+ | * " | ||
+ | * Copy the xml metadata of your IdP resp. SP into the text field and click " | ||
+ | * The new metadata entry has now been added. | ||
+ | * Check the form, adapt the information if needed and click " | ||
+ | * " | ||
+ | * Here you get an empty form where you have to enter all information yourself. | ||
+ | |||
+ | ===== How to edit an IdP/SP ===== | ||
+ | * Go to the overview of your organization and expand the section " | ||
+ | * In the list of your IdPs/SPs the first action button (on the right side) takes you to edit mode. | ||
+ | * Each section of the edit form contains a short help text. You can also find the help texts on-wiki in our [[en: | ||
+ | * To save an edit click " | ||
+ | |||
+ | |||
+ | ===== Logos and favicons ===== | ||
+ | * For security reasons the new metadata administration tool no longer fetches (new) logos from the internet. All new logos must be uploaded to the tool which then delivers the files. | ||
+ | * You can find the section "Logos and Scopes" | ||
+ | * On the next screen choose betweens the two tabs " | ||
+ | * Each tab shows you the logos / favicons that were already uploaded. You can also see in which metadata entries they are used. | ||
+ | * Click " | ||
+ | * Select a file from your local computer and choose a meaningful name for the list. | ||
+ | * If your file does not comply with the image size that can be displayed in the common UI interfaces, you can let our server scale it for you by ticking " | ||
+ | |||
+ | ===== Main differences between old and new MD admin tool ===== | ||
+ | ^ old ^ new ^ | ||
+ | | password login only | **2FA** is mandatory | | ||
+ | | self-signed certificate had to be verified by the hotline | **Self-signed certificates** can be used without hotline interaction | | ||
+ | | All metadata admins had write access to everything in the organization' | ||
+ | | Logos/ | ||
+ | | New entities could be added by fetching xml metadata from a remote URL. | Existing **xml metadata files** can be uploaded. | | ||
+ | | Scopes were entered in the IdP metadata form. | **Scopes** are regarded as meta information that is maintained on the level of the organization. They can then be assigned to individual IdPs. | | ||
- | URL of the login page: https:// | ||
- | **Next step:** [[en: |
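Review bot: the end of the hunk removes the "URL of the login page: https://" and "**Next step:**" lines without a visible replacement, while the added section "How to configure 2FA upon second login" still tells readers to "go to the login page" without linking it; if the "This is our [[https://" link near the top is meant to replace the removed URL line, make that sentence say explicitly that it is the login page, or restore the URL line in the 2FA section. The release date "released Nov. 9th" under "How to get your initial credentials for the new tool" has no year, which will be ambiguous to readers of a page last revised in 2023; add the year. A few typos in the added text should also be fixed before publishing: "If this is you first attempt" should read "your first attempt", "the list o existing entities" should read "the list of existing entities", "choose betweens the two tabs" should read "choose between the two tabs", and "involve DFN-AAI hotline into account creation" should read "involve the DFN-AAI hotline in account creation".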