en:production [2017/07/06 14:14] – Wolfgang Pempe | en:production [2022/05/24 13:13] – [1. Metadata Administration Tool] Added screenshots Silke Meyer |
===== 1. Metadata Administration Tool ===== | ===== 1. Metadata Administration Tool ===== |
| |
Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the entity will be unlocked. | Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team. |
| |
| **current/old metadata administration tool:**\\ |
| {{:en:metadata_admin_tool:in-progress.png?600|}} |
| |
| **upcoming/new metadata administration tool:**\\ |
| {{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}} |
===== 2. Configuration Changes ===== | ===== 2. Configuration Changes ===== |
| |
**NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. | **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. |
| |
**SP Operators** decide which [[en:degrees_of_reliance|Degree of Reliance]] they require for access to their protected resources. The audience can be restricted to IdPs of the Degree of Reliance "Advanced" by choosing ''dfn-aai-metadata.xml''. The metadata file ''dfn-aai-basic-metadata.xml'' comprises **all** productive IdPs in DFN-AAI, both "Basic" and "Advanced". | **SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment. |
| |
**IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment. | **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment. |
| |
| ^ IdP / AA ^ SP ^ | | ^ IdP / AA ^ SP ^ |
^ Advanced | ''dfn-aai-sp-metadata.xml'' | ''dfn-aai-metadata.xml'' | | ^ DFN-AAI | ''dfn-aai-sp-metadata.xml'' | ''dfn-aai-idp-metadata.xml'' | |
^ Basic | ''dfn-aai-sp-metadata.xml'' | -- | | |
^ Advanced + Basic | -- | ''dfn-aai-basic-metadata.xml'' | | |
^ eduGAIN | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | | ^ eduGAIN | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | |
^ Local Metadata | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml''* | | ^ Local Metadata | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml''* | |
| |
==== IdP Example ==== | ==== IdP Example ==== |
**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]]. | **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** |
| |
| **DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de). |
| |
For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**. Both providers go into ''metadata-providers.xml''; the ''id'' values below are placeholders and not taken from this page: | For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**. Both providers go into ''metadata-providers.xml''; the ''id'' values below are placeholders and not taken from this page: |
<file xml %{idp.home}/conf/metadata-providers.xml> | <file xml %{idp.home}/conf/metadata-providers.xml> |
<!-- DFN-AAI federation metadata (all productive SPs) --> | <!-- DFN-AAI federation metadata (all productive SPs) --> |
<MetadataProvider id="DFN-AAI" | <MetadataProvider id="DFN-AAI" |
    xsi:type="FileBackedHTTPMetadataProvider" | xsi:type="FileBackedHTTPMetadataProvider" |
    backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml" | backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml" |
    metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml" | metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml" |
    maxRefreshDelay="PT2H"> | maxRefreshDelay="PT2H"> |
    <!-- the signature filter with the pinned federation certificate is the integrity guarantee for the (plain-http) download --> | <!-- the signature filter with the pinned federation certificate is the integrity guarantee for the (plain-http) download --> |
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" |
        certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/> | certificateFile="/etc/ssl/aai/dfn-aai.pem"/> |
</MetadataProvider> | </MetadataProvider> |
 | |
<!-- eduGAIN interfederation metadata (SPs from other federations) --> | <!-- eduGAIN interfederation metadata (SPs from other federations) --> |
<MetadataProvider id="eduGAIN" | <MetadataProvider id="eduGAIN" |
    xsi:type="FileBackedHTTPMetadataProvider" | xsi:type="FileBackedHTTPMetadataProvider" |
    backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml" | backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml" |
    metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml" | metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml" |
    maxRefreshDelay="PT2H"> | maxRefreshDelay="PT2H"> |
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" |
        certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/> | certificateFile="/etc/ssl/aai/dfn-aai.pem"/> |
</MetadataProvider> | </MetadataProvider> |
</file> | </file> |
| |
| |
==== SP Example ==== | ==== SP Example ==== |
| **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** |
| |
Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Advanced" and "Basic") as well as all IdPs from eduGAIN, except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): | Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Advanced" and "Basic") as well as all IdPs from eduGAIN, except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" | uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" |
backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="EntityRoleWhiteList"> | |
<RetainedRole>md:IDPSSODescriptor</RetainedRole> | |
</MetadataFilter> | |
</MetadataProvider> | </MetadataProvider> |
| |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml" | uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml" |
backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="Blacklist" matcher="EntityAttributes"> | <MetadataFilter type="Blacklist" matcher="EntityAttributes"> |
<saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
<!-- AttributeValue: the entity-category URI of the "Self-Signup" IdPs, see the Entity Attributes page --> | <!-- AttributeValue: the entity-category URI of the "Self-Signup" IdPs, see the Entity Attributes page --> |
</saml:Attribute> | </saml:Attribute> |
</MetadataFilter> | </MetadataFilter> |
<MetadataFilter type="EntityRoleWhiteList"> | |
<RetainedRole>md:IDPSSODescriptor</RetainedRole> | |
</MetadataFilter> | |
</MetadataProvider> | </MetadataProvider> |
</file> | </file> |
| |
| The following example shows how to restrict the metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced': |
| |
| <file xml /etc/shibboleth/shibboleth2.xml> |
| <MetadataProvider type="XML" validate="true" |
| url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" |
| backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> |
| <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
| <MetadataFilter type="Include" matcher="EntityAttributes"> |
| <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
| <saml:AttributeValue>advanced</saml:AttributeValue> |
| </saml:Attribute> |
| </MetadataFilter> |
| </MetadataProvider> |
| |
| </file> |
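The two SP configurations above (all productive IdPs, and only IdPs of the Degree of Reliance "Advanced") differ solely in the metadata filters applied to the same signed aggregate. The following script is an added example, not code from this page or from the Shibboleth project: it reproduces the EntityAttributes, role and validUntil selection logic offline so an operator can see which entityIDs a given filter chain would admit before reloading the SP. It deliberately does not verify the XML signature; that stays with the Shibboleth ''Signature'' filter and the pinned federation certificate, which is also the only integrity guarantee when the metadata is fetched over plain http. The sample aggregate, its entityIDs and the attribute values "advanced"/"basic" are constructed for this example; only the attribute name ''http://aai.dfn.de/loa/degree-of-reliance'' comes from the page.

```python
"""Offline preview of what a Shibboleth MetadataProvider filter chain admits.

Added example, not from the DFN-AAI wiki or Shibboleth.  Reproduces the
EntityRoleWhiteList / Include(EntityAttributes) / RequiredValidUntil logic;
XML signature validation is left to the Shibboleth Signature filter.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # federation metadata is signed; use defusedxml for untrusted XML

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
DOR_ATTR = "http://aai.dfn.de/loa/degree-of-reliance"  # attribute name used by the page's Include filter


def _entity(entity_id, role, dor=None):
    """Build one constructed EntityDescriptor, optionally carrying a degree-of-reliance attribute."""
    ext = ""
    if dor:
        ext = f"""<md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{DOR_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{dor}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>"""
    return f"""<md:EntityDescriptor entityID="{entity_id}">{ext}
    <md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>"""


# Constructed sample aggregate (NOT real DFN-AAI metadata): an "advanced" IdP,
# a "basic" IdP, an IdP without the attribute, and an SP that carries the attribute.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}" Name="urn:mace:example:sample" validUntil="2030-01-15T12:00:00Z">
  {_entity("https://idp.beispiel-uni.de/idp/shibboleth", "IDPSSODescriptor", "advanced")}
  {_entity("https://idp.basic.example.org/idp/shibboleth", "IDPSSODescriptor", "basic")}
  {_entity("https://idp.noattr.example.org/idp/shibboleth", "IDPSSODescriptor")}
  {_entity("https://sp.example.org/shibboleth", "SPSSODescriptor", "advanced")}
</md:EntitiesDescriptor>"""


def entity_attribute_values(entity, name):
    """All values of the named entity attribute on one EntityDescriptor (empty list if absent)."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return [(v.text or "").strip()
            for a in entity.findall(path, NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def admitted_entities(root, role="md:IDPSSODescriptor", attr_name=None, attr_value=None):
    """entityIDs that survive an EntityRoleWhiteList on `role` plus, if attr_name is given,
    an Include/EntityAttributes filter requiring attr_name to carry attr_value."""
    kept = []
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.find(role, NS) is None:          # wrong role: dropped (an SP in an IdP feed)
            continue
        if attr_name and attr_value not in entity_attribute_values(ent, attr_name):
            continue                             # attribute missing or different value: dropped
        kept.append(ent.get("entityID"))
    return kept


def valid_until_ok(root, now, max_interval=timedelta(days=14)):
    """Mirror RequiredValidUntil: validUntil must be present, still in the future, and not
    further ahead than max_interval, which bounds how long a stale but correctly signed
    aggregate could be replayed to the SP."""
    raw = root.get("validUntil")
    if raw is None:
        return False
    until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now < until <= now + max_interval


def report(xml_text, now):
    """Summarise one aggregate: lifetime check, all IdPs, and the 'Advanced' subset."""
    root = ET.fromstring(xml_text)
    return {
        "valid_until_ok": valid_until_ok(root, now),
        "all_idps": admitted_entities(root),
        "advanced_idps": admitted_entities(root, attr_name=DOR_ATTR, attr_value="advanced"),
    }


if __name__ == "__main__":
    print(report(SAMPLE, datetime(2030, 1, 10, tzinfo=timezone.utc)))
```

Run it against a freshly downloaded ''dfn-aai-idp-metadata.xml'' by passing the file contents instead of ''SAMPLE''; the "advanced_idps" list is exactly the audience the second SP configuration would admit, and a ''False'' from the lifetime check means the aggregate is expired or (with the 14-day bound) older than the federation's normal publication cycle and should not be trusted even though its signature verifies.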
| |
| |
===== Discovery Service ===== | ===== Discovery Service ===== |
In case no SP-specific and/or [[de:shibeds|Embedded Discovery Service]] is used, an **SP** can choose between several Discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). | |
| ==== Embedded Discovery Service ==== |
| |
| If an SP is only available to a few Home Organizations, we recommend implementing an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters the metadata and lists only those IdPs that are relevant for the service/SP. |
| |
| ==== Central Discovery Service ==== |
| |
| In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized |
| discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). |
| |
===Examples for Shibboleth SP=== | ===Examples for Shibboleth SP=== |
| |
**Local SP** | **Local IdP only** |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
<SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth"> | <SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth"> |
</SSO> | </SSO> |
</file> | </file> |
| |
| {{tag>idp4 tutorial discovery produktivbetrieb metadata}} |