en:production [2017/08/30 17:01] – Raoul Gunnar Borenius | en:production [2021/12/29 14:19] – [SP Example] Wolfgang Pempe |
| |
==== IdP Example ==== | ==== IdP Example ==== |
**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]]. | **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** |
| |
| **DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de). |
| |
For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: | For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: |
maxRefreshDelay="PT2H"> | maxRefreshDelay="PT2H"> |
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" |
certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/> | certificateFile="/etc/ssl/aai/dfn-aai.pem"/> |
</MetadataProvider> | </MetadataProvider> |
| |
maxRefreshDelay="PT2H"> | maxRefreshDelay="PT2H"> |
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" |
certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/> | certificateFile="/etc/ssl/aai/dfn-aai.pem"/> |
</MetadataProvider> | </MetadataProvider> |
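Review bot: the certificateFile of the SignatureValidation filter changes from /etc/ssl/aai/dfn-aai.g2.pem to /etc/ssl/aai/dfn-aai.pem in both MetadataProvider blocks, but the surrounding text only adds a pointer to the Metadata documentation; say explicitly next to the example that the configured file must be the current federation signing certificate and that the old .g2.pem path must not stay in place, because with requireSignedRoot="true" a certificate that no longer matches the signing key makes every refresh of the federation metadata fail. Both fragments also start at maxRefreshDelay="PT2H" and lack the opening <MetadataProvider ...> element with its id, xsi:type and metadataURL attributes in either revision, so a reader cannot copy the example as it stands.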
| |
| |
==== SP Example ==== | ==== SP Example ==== |
| **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** |
| |
Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic") as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): | Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic") as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" | uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml" |
backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="EntityRoleWhiteList"> | <MetadataFilter type="EntityRoleWhiteList"> |
<RetainedRole>md:IDPSSODescriptor</RetainedRole> | <RetainedRole>md:IDPSSODescriptor</RetainedRole> |
| |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml" | uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml" |
backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="Blacklist" matcher="EntityAttributes"> | <MetadataFilter type="Blacklist" matcher="EntityAttributes"> |
<saml:Attribute Name="http://macedir.org/entity-category" | <saml:Attribute Name="http://macedir.org/entity-category" |
</file> | </file> |
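Review bot: in the first MetadataProvider the uri changes to dfn-aai-idp-metadata.xml while backingFilePath keeps the old value "dfn-aai-basic-metadata.xml"; rename the backing file to match the new feed (or state why the names differ), otherwise the cached copy on disk is easily mistaken for the old Basic feed. Both uri values also change from https:// to http://; the Signature filter with /etc/ssl/aai/dfn-aai.pem still protects integrity of the fetched metadata, but keep https:// unless there is a concrete reason for the downgrade, and name that reason in the text. Finally, both blocks are cut off (no closing </MetadataFilter> or </MetadataProvider>, and the <saml:Attribute ...> element is never closed), so the example is not usable as shown.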
| |
===== Central Discovery Service ===== | ===== Discovery Service ===== |
| |
** We recommend to implement an [[de:shibeds|Embedded Discovery Service]] on the sp because it's much more straight forward to use for the end user then our central service!** | ==== Embedded Discovery Service ==== |
| |
In case no SP-specific and/or [[de:shibeds|Embedded Discovery Service]] can be implemented, we provide a centralized | In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP. |
| |
| ==== Central Discovery Service ==== |
| |
| In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized |
discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). | discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). |
| |
| |
===Examples for Shibboleth SP=== | ===Examples for Shibboleth SP=== |
</SSO> | </SSO> |
</file> | </file> |
| |
| {{tag>idp4 tutorial discovery produktivbetrieb metadata}} |