Differences

This shows you the differences between two versions of the page.

en:metadata_admin_tool [2022/11/02 14:33] – [Main differences between old and new MD admin tool] Silke Meyer
en:metadata_admin_tool [2024/02/21 11:32] (current) Wolfgang Pempe
Line 1: Line 1:
 ====== Metadata Administration Tool ====== ====== Metadata Administration Tool ======
-This online tool allows for editing the SAML metadata of the participating entities (Identity Provider, Service Provider, Attribute Authorities) and the registration of those entities with the several [[en:metadata|metadata sets]] published by the DFN-AAI. Each home organization resp. service provider operator is granted access after signing the paperwork with us (see [[en:registration|Registration]]). You can find the metadata administration tool at +This online tool allows for editing the SAML metadata of the participating entities (Identity Provider, Service Provider, Attribute Authorities) and the registration of those entities with the  [[en:metadata|metadata sets]] published by the DFN-AAI. Each home organization resp. service provider operator is granted access after signing the paperwork with us (see [[en:registration|Registration]]). You can find the metadata administration tool at https://mdv.aai.dfn.de.
  
-  * https://www.aai.dfn.de/en/administration(until Nov 8th, 2022) +This is our [[https://www.aai.dfn.de/fileadmin/documents/mrps_dfn-aai_1.0.pdf|Metadata Registration Practice Statement]].
-  * https://mdv.aai.dfn.de (as of Nov 9th, 2022)+
  
-[[https://www.aai.dfn.de/fileadmin/documents/mrps_dfn-aai_1.0.pdf|Metadata Registration Practice Statement]] 
  
-<callout color="#ff9900" title="Introduction of a new metadata admin tool in November 2022"> 
-We will introduce a new tool for metadata administration on Nov. 9th, 2022. Read how to use it below. 
-</callout> 
  
 ===== Accounts and account settings ===== ===== Accounts and account settings =====
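Review bot: the rewritten intro paragraph (the `+` side) leaves a double space where "several" was removed ("with the  [[en:metadata|metadata sets]]"); collapse it. In the same sentence, "Each home organization resp. service provider operator" is a Germanism; "Each home organization or service provider operator" reads more naturally. The new standalone sentence "This is our [[...|Metadata Registration Practice Statement]]." is fine, but since the callout announcing the new tool is removed here, the remaining "new tool" wording further down the page (the subadmin section still opens with "In the new metadata administration tool") should be cleaned up in the same pass.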
Line 17: Line 12:
 **Metadata admins can be appointed by the contractual or technical contact persons registered in the DFN-AAI contract database.** In the metadata administration tool, these persons are listed with the contract data of your organization or company. **Metadata admins can be appointed by the contractual or technical contact persons registered in the DFN-AAI contract database.** In the metadata administration tool, these persons are listed with the contract data of your organization or company.
  
-If you signed a contract for DFN-AAI with us in one of those roles, you can just send us an email to hotline@aai.dfn.de containing the following information for each person designated as metadata admin:+If you signed a contract for DFN-AAI with us in one of those roles, you can just send us an e-mail to hotline@aai.dfn.de containing the following information for each person designated as metadata admin:
  
   * first and last name,   * first and last name,
Line 27: Line 22:
 Please note that we added a new role called "subadmin" (as of 11/9/2022). Metadata admins can invite subadmins independently and delegate the administration of metadata of individual IdPs/SPs to them. (See below for details.) Please note that we added a new role called "subadmin" (as of 11/9/2022). Metadata admins can invite subadmins independently and delegate the administration of metadata of individual IdPs/SPs to them. (See below for details.)
  
-==== How to get your initial credentials for the new tool ==== +==== How to get your initial credentials for the MD Admin Tool ==== 
-Your old credentials will not work in the new metadata admin tool (released Nov. 9th). You will receive an invitation link to the email address you registered with. Follow the link in the email. It only works once, though. If you followed the link earlier but did not set a password, please use the password reset link.+You will receive an invitation link to the e-mail address you registered with. Follow the link in the e-mail. It only works once, though. If you followed the link earlier but did not set a password, please use the password reset link.
  
 ==== Two factor authentication ==== ==== Two factor authentication ====
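Review bot: the unchanged paragraph at the top of this hunk still says the subadmin role was added "(as of 11/9/2022)", while the heading and the credentials paragraph in this hunk drop the "new tool" and "released Nov. 9th" references; drop the date parenthetical as well, otherwise the section keeps reading as a migration note. Also, "It only works once, though." is the reason the reset link is mentioned at all, so state it up front: "The invitation link works only once; if you followed it earlier but did not set a password, use the password reset link."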
Line 40: Line 35:
     * You should generate a set of emergency codes just in case you lose your second factor. Each of them can be used once as the second factor for a login. Keep the emergency codes in a safe place.     * You should generate a set of emergency codes just in case you lose your second factor. Each of them can be used once as the second factor for a login. Keep the emergency codes in a safe place.
     * If your emergency codes are lost or compromised you can invalidate them here.     * If your emergency codes are lost or compromised you can invalidate them here.
-  * You can return to your 2FA configuration later by choosing "2FA" in the menu underneath your email address in the top right corner.+  * You can return to your 2FA configuration later by choosing "2FA" in the menu underneath your e-mail address in the top right corner.
  
 === How to configure 2FA upon second login === === How to configure 2FA upon second login ===
  
-If you logged out after your initial login without adding a second factor, you can **ONCE** request a token via email. To do so, go to the login page, enter your user name (which is your email address) and your password and press submit. If this is you first attempt to do this, the tool will offer you to send you a token. Once you have got it and logged in with it, **please register your second factor immediately** as this procedure will not work again.+If you logged out after your initial login without adding a second factor, you can **ONCE** request a token via e-mail. To do so, go to the login page, enter your user name (which is your e-mail address) and your password and press submit. If this is you first attempt to do this, the tool will offer you to send you a token. Once you have got it and logged in with it, **please register your second factor immediately** as this procedure will not work again.
  
 ==== Password changes ==== ==== Password changes ====
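Review bot: typo in the unchanged paragraph of this hunk: "If this is you first attempt" should be "If this is your first attempt", and "the tool will offer you to send you a token" reads better as "the tool will offer to send you a token". Since this one-time e-mail token is a deliberate fallback that bypasses the second factor, the paragraph should also say what a user who has already consumed it and still has no second factor has to do (the text implies contacting the hotline, but does not say so).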
Line 52: Line 47:
  
  
-==== New role: Subadmin ====+==== Further role: Subadmin ====
 In the new metadata administration tool the role of subadmins is a new feature. It enables regular metadata admins to delegate the administration of metadata of individual IdPs/SPs to third parties. They do not have to involve DFN-AAI hotline into account creation for subadmins. (Regular metadata admins with full access still have to be registered via the hotline though.) In the new metadata administration tool the role of subadmins is a new feature. It enables regular metadata admins to delegate the administration of metadata of individual IdPs/SPs to third parties. They do not have to involve DFN-AAI hotline into account creation for subadmins. (Regular metadata admins with full access still have to be registered via the hotline though.)
  
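Review bot: the heading changes from "New role" to "Further role", but the first sentence of the section still reads "In the new metadata administration tool the role of subadmins is a new feature"; rewrite it without the "new tool" framing, e.g. "The subadmin role enables regular metadata admins to delegate the administration of metadata of individual IdPs/SPs to third parties." Note also that DokuWiki derives section anchors from the heading text, so this rename changes the anchor; the Users bullet in the organization overview on this page still links to `#new_rolesubadmin` and needs to follow the rename.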
Line 64: Line 59:
 Subadmins cannot: Subadmins cannot:
   * edit the details about your organization,   * edit the details about your organization,
-  * change the degree of reliance, 
   * add new IdPs/SPs   * add new IdPs/SPs
   * delete the entire metadata of an entity,   * delete the entire metadata of an entity,
Line 73: Line 67:
   * Go to the overview of your organization (the page that you see after login).   * Go to the overview of your organization (the page that you see after login).
   * Expand the "Users" section and click "Invite Subadmin".   * Expand the "Users" section and click "Invite Subadmin".
-  * Enter the email address of the person you would like to invite and click "Invite user and manage permissions"+  * Enter the e-mail address of the person you would like to invite and click "Invite user and manage permissions"
-  * In the next step, add some information about the new subadmin. The email address, the first name, the last name and the phone number are required fields.+  * In the next step, add some information about the new subadmin. The e-mail address, the first name, the last name and the phone number are required fields.
   * In the section "Permissions" there is a list of all your IdPs and SPs. You can grant the subadmin write access to individual entities. The subadmin will not be able to edit the other ones.   * In the section "Permissions" there is a list of all your IdPs and SPs. You can grant the subadmin write access to individual entities. The subadmin will not be able to edit the other ones.
   * Subadmins cannot add new entities! Please add the entity a subadmin shall be responsible for yourself, then delegate it.   * Subadmins cannot add new entities! Please add the entity a subadmin shall be responsible for yourself, then delegate it.
Line 87: Line 81:
   * **Certificate expiration warnings:** If any of your systems only has a certificate that will expire within the next 30 days or that has already expired, the first thing you see is a red section. Expand it to jump directly to the affected entity.   * **Certificate expiration warnings:** If any of your systems only has a certificate that will expire within the next 30 days or that has already expired, the first thing you see is a red section. Expand it to jump directly to the affected entity.
   * **Information on the institution:** Here you edit the display name and the information URL of your organization. The information is automatically added to the ''<Organization>'' element of your metadata. Click into the lines for German and/or English to edit them.   * **Information on the institution:** Here you edit the display name and the information URL of your organization. The information is automatically added to the ''<Organization>'' element of your metadata. Click into the lines for German and/or English to edit them.
-  * **Contracts and degree of reliance**: +  * **Contracts**: 
     * In this section you can find all information concerning your DFN-AAI contract resp. your SP Agreement. **Please check if everything is up-to-date from time to time and let your hotline know about any changes!** The contact persons who signed the contract are especially important as they are the only ones entitled to name metadata admins with full access to the account. (Subadmins, however, can also be invited by regular metadata admins.)     * In this section you can find all information concerning your DFN-AAI contract resp. your SP Agreement. **Please check if everything is up-to-date from time to time and let your hotline know about any changes!** The contact persons who signed the contract are especially important as they are the only ones entitled to name metadata admins with full access to the account. (Subadmins, however, can also be invited by regular metadata admins.)
-    * If your organization operates an Identity Provider, you can find the [[en:degrees_of_reliance|degree of reliance]] underneath the contract information (until the end of 2022). Regular metadata admins can edit the degree of reliance here. 
   * **Local Metadata:** This section contains a list of all entities that have been added to the [[en:metadata_local|local metadata]] we generate for your organization. You can also find the download URL as well as a possibility to limit access to the download URL.   * **Local Metadata:** This section contains a list of all entities that have been added to the [[en:metadata_local|local metadata]] we generate for your organization. You can also find the download URL as well as a possibility to limit access to the download URL.
   * **Users:** Here you can find the list of all metadata admins that have access to this organization's data. We distinguish between regular metadata admins with full access to the organization and [[en:metadata_admin_tool#new_rolesubadmin|subadmins]] with write access to selected entities. Regular metadata admins can invite subadmins here.   * **Users:** Here you can find the list of all metadata admins that have access to this organization's data. We distinguish between regular metadata admins with full access to the organization and [[en:metadata_admin_tool#new_rolesubadmin|subadmins]] with write access to selected entities. Regular metadata admins can invite subadmins here.
   * **Entities:** Here you can access the Identity Providers, Service Providers and/or Attribute Authorities of your organization.   * **Entities:** Here you can access the Identity Providers, Service Providers and/or Attribute Authorities of your organization.
   * **Entity Lists:** If you see this section, your organization manages an [[en:entity_attributes#entity_categories|Entity Category]]. Here you can control which entities are part of it.   * **Entity Lists:** If you see this section, your organization manages an [[en:entity_attributes#entity_categories|Entity Category]]. Here you can control which entities are part of it.
-  * **Logos and Scopes:** Here you upload all logos and favicons, as well as the scopes you need across all your entities. When editing an individual entity you assign logos, favicons and a scope from this pool.+  * **Logos and Scopes:** Here you upload all logos and favicons, as well as the scopes you need across all your entities. When editing an individual entity you assign logos, favicons and a scope from this pool. Newly added scopes must be approved by the DFN-AAI Team.
  
  
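Review bot: the Users bullet in this hunk still links to `[[en:metadata_admin_tool#new_rolesubadmin|subadmins]]`, but the corresponding heading is renamed to "Further role: Subadmin" in this same revision, so the anchor will most likely no longer resolve; update the link target (or keep the old heading). The added sentence "Newly added scopes must be approved by the DFN-AAI Team." is a useful addition; it should also say whether an unapproved scope is withheld from the published metadata in the meantime and how the admin is told about approval or rejection, otherwise admins will assume an IdP is live with the scope as soon as they assign it.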
Line 135: Line 128:
   * If your file does not comply with the image size that can be displayed in the common UI interfaces, you can let our server scale it for you by ticking "Autoscale". The metadata administration tool does not accept any logos or favicons that are too big or too small. Thus, if you do not enable autoscaling you have to make sure the images have the correct size.{{:en:metadata_admin_tool:logos-en.png?600 |}}   * If your file does not comply with the image size that can be displayed in the common UI interfaces, you can let our server scale it for you by ticking "Autoscale". The metadata administration tool does not accept any logos or favicons that are too big or too small. Thus, if you do not enable autoscaling you have to make sure the images have the correct size.{{:en:metadata_admin_tool:logos-en.png?600 |}}
  
-===== Main differences between old and new MD admin tool ===== 
-^ old ^ new ^ 
-| password login only | **2FA** is mandatory | 
-| self-signed certificate had to be verified by the hotline | **Self-signed certificates** can be used without hotline interaction | 
-| All metadata admins had write access to everything in the organization's account. | Metadata admins can add **subadmins** and delegate certain metadata entries to them. | 
-| Logos/Favicons were published in the metadata as external URLs. It was possible to link to images with unsuitable sizes. | (New) **Logos/Favicons** are uploaded to the tool and delivered by it. Files are scaled to the right size during the upload. | 
-| New entities could be added by fetching xml metadata from a remote URL. | Existing **xml metadata files** can be uploaded. | 
-| Scopes were entered in the IdP metadata form. | **Scopes** are regarded as meta information that is maintained on the level of the organization. They can then be assigned to individual IdPs. | 
- 
-{{tag>mdvdoku}} 
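Review bot: removing the old-vs-new comparison table is reasonable once the old tool is gone, but the last removed line `{{tag>mdvdoku}}` is the page's tag, not part of the table; dropping it takes the page out of the mdvdoku tag index and looks accidental, so re-add it after the remaining content. Also check that the two statements that lived only in this table survive somewhere: the Logos bullet above still covers autoscaling on upload, but the statement that self-signed certificates can be used without hotline interaction has no other home in the lines shown here.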