Differences

en:production [2023/01/09 14:22] – tags Silke Meyer
en:production [2023/01/12 19:38] (current) Wolfgang Pempe
Line 7: Line 7:
 ===== 1. Metadata Administration Tool ===== ===== 1. Metadata Administration Tool =====
  
-Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf[[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team.+Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set(s) that is considered to fit best the needs for productive operations, i.e. at least DFN-AAI and - if applicable - eduGAIN. The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team.
  
 {{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}} {{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
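Review bot: the rewritten sentence on the right-hand side has a number-agreement problem and an awkward phrase: "the federation / metadata set(s) that is considered to fit best the needs for productive operations" should read "the federation / metadata set(s) appropriate for productive operation, i.e. at least DFN-AAI and, if applicable, eduGAIN". Dropping the Degrees of Reliance cross-reference is consistent with the later hunks, but the remaining sentence "If the checks are positive, the button will be unlocked" still does not name the button; say which button (the one that submits the entity for review) so the reader can match it to the screenshot that follows.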
Line 85: Line 85:
 **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].**
  
-Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic"as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):+Communication with all productive IdPs in DFN-AAI as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):
  
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
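Review bot: the cross-reference in this line points into the German namespace ("[[de:entity_attributes|Entity Attributes]]") while the rest of the English page links to "en:" pages (e.g. "[[en:metadata|the Metadata documentation]]" two lines above); if an English Entity Attributes page exists, link to "en:entity_attributes" instead, otherwise mark the link as German-only. The "Self-Signup" exclusion stated here is what the "Exclude" filter in the following configuration block implements, so it would help to say so explicitly in this introductory sentence.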
Line 98: Line 98:
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="Blacklist" matcher="EntityAttributes">+   <MetadataFilter type="Exclude" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"         <saml:Attribute Name="http://macedir.org/entity-category" 
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
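Review bot: the filter type is renamed from "Blacklist" to "Exclude" while the filter body (the "http://macedir.org/entity-category" attribute match) is unchanged, but the page does not say which Shibboleth SP version accepts the new type name; add a short version note, or mention that the old name remains the fallback on older installations, so that operators whose SP rejects the configuration know why. The ordering is right and worth keeping: the "Signature" filter comes before the "Exclude" filter, so the entity-attribute exclusion only runs on metadata whose signature has already been validated against "/etc/ssl/aai/dfn-aai.pem".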
Line 107: Line 107:
 </file> </file>
  
-The following example shows how to restrict the metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced': +\\
- +
-<file xml /etc/shibboleth/shibboleth2.xml> +
-<MetadataProvider type="XML" validate="true" +
-      url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" +
-      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> +
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> +
-   <MetadataFilter type="Include" matcher="EntityAttributes"> +
-      <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +
-           <saml:AttributeValue>advanced</saml:AttributeValue> +
-      </saml:Attribute> +
-   </MetadataFilter> +
-</MetadataProvider> +
- +
-</file> +
  
 ===== Discovery Service ===== ===== Discovery Service =====
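Review bot: the removed "Advanced" example is replaced by a bare "\\" line break immediately before the "Discovery Service" heading, which is a stray formatting artifact and should simply be deleted. Removing the example is consistent with dropping the Degrees of Reliance, but it was the page's only illustration of a MetadataFilter of type "Include" restricting the import to a subset of IdPs by entity attribute; if that pattern is still supported, keep a generic Include example using an attribute that continues to exist, otherwise say explicitly that the degree-of-reliance attribute is no longer published.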
Line 145: Line 130:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degrees of Reliance "Advanced" + "Basic")** +**All productive IdPs in DFN-AAI**
-<file xml /etc/shibboleth/shibboleth2.xml> +
-<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf"> +
-    SAML2 +
-</SSO> +
-</file> +
- +
-**All IdPs in DFN-AAI with Degree of Reliance "Advanced"**+
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf">
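Review bot: the merged heading "All productive IdPs in DFN-AAI" is now attached to the discovery URL that was previously labelled "Advanced" ("https://wayf.aai.dfn.de/DFN-AAI/wayf"), while the URL formerly labelled "Advanced" + "Basic" ("https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf") is removed; confirm that the DFN-AAI WAYF now lists the IdPs that were formerly reachable only via the Basic WAYF, otherwise SPs that switch to this configuration lose those IdPs from their discovery list. If the Basic WAYF endpoint is being retired, a one-line migration note for SPs still pointing at it would avoid silent breakage.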
Line 159: Line 137:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degree of Reliance "Advanced" + "Basic"and eduGAIN**+**All productive IdPs in DFN-AAI and in eduGAIN**
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf">
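Review bot: the heading now reads "All productive IdPs in DFN-AAI and in eduGAIN", but the MetadataProvider section earlier on the page excludes "Self-Signup" IdPs from eduGAIN via the "Exclude" filter; state whether the eduGAIN discovery service at "https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf" applies the same exclusion, because an SP that filters those IdPs out of its metadata but whose discovery service still lists them will send users to IdPs with which SSO cannot complete.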