en:production [2023/01/09 14:22] – tags Silke Meyer | en:production [2023/01/12 19:38] (current) – Wolfgang Pempe |
===== 1. Metadata Administration Tool ===== | ===== 1. Metadata Administration Tool ===== |
| |
Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team. | Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set(s) that is considered to fit best the needs for productive operations, i.e. at least DFN-AAI and - if applicable - eduGAIN. The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team. |
| |
{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}} | {{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}} |
**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** | **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** |
| |
Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic") as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): | Communication with all productive IdPs in DFN-AAI as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): |
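Review bot: in the new wording of the first paragraph, "metadata set(s) that is considered to fit best the needs" should read "metadata set(s) that are considered to best fit the needs"; the rewrite also drops the cross-reference to the Degrees of Reliance page, so the remaining mention of "Self-Signup" IdPs in the last paragraph is now explained only via the `[[de:entity_attributes|Entity Attributes]]` link, which points to the German namespace from an English page in both columns; check whether an `en:entity_attributes` page exists and link that instead.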
| |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="Blacklist" matcher="EntityAttributes"> | <MetadataFilter type="Exclude" matcher="EntityAttributes"> |
<saml:Attribute Name="http://macedir.org/entity-category" | <saml:Attribute Name="http://macedir.org/entity-category" |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
</file> | </file> |
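Review bot: the rename from `type="Blacklist"` to `type="Exclude"` on the MetadataFilter line should come with a note on which Shibboleth SP version the page now assumes, because readers whose configuration still carries the old name (left column) cannot tell from the diff whether it needs updating. The excerpt also ends after the opening `<saml:Attribute ...>` tag: the `<saml:AttributeValue>` that actually identifies the "Self-Signup" entity category and the closing `</saml:Attribute>`, `</MetadataFilter>` and `</MetadataProvider>` tags are not shown, so the diff does not reveal what the filter excludes; confirm the full page still contains them.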
| |
The following example shows how to restrict the metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced': | \\ |
| |
<file xml /etc/shibboleth/shibboleth2.xml> | |
<MetadataProvider type="XML" validate="true" | |
url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" | |
backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> | |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> | |
<MetadataFilter type="Include" matcher="EntityAttributes"> | |
<saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | |
<saml:AttributeValue>advanced</saml:AttributeValue> | |
</saml:Attribute> | |
</MetadataFilter> | |
</MetadataProvider> | |
| |
</file> | |
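Review bot: removing the 'Advanced' Include example leaves a bare `\\` line break in the new revision where the lead-in sentence used to be (right column, line starting `The following example`); drop that line so the section ends cleanly after the preceding `</file>`. With this example gone, the page no longer shows a `<MetadataFilter type="Include" ...>` counterpart to the Exclude filter above, so if an Include example is still wanted for the merged federation, it should be re-added against an entity attribute the new setup actually publishes.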
| |
===== Discovery Service ===== | ===== Discovery Service ===== |
</file> | </file> |
| |
**All productive IdPs in DFN-AAI (Degrees of Reliance "Advanced" + "Basic")** | **All productive IdPs in DFN-AAI** |
<file xml /etc/shibboleth/shibboleth2.xml> | |
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf"> | |
SAML2 | |
</SSO> | |
</file> | |
| |
**All IdPs in DFN-AAI with Degree of Reliance "Advanced"** | |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> | <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> |
</file> | </file> |
| |
**All productive IdPs in DFN-AAI (Degree of Reliance "Advanced" + "Basic") and eduGAIN** | **All productive IdPs in DFN-AAI and in eduGAIN** |
<file xml /etc/shibboleth/shibboleth2.xml> | <file xml /etc/shibboleth/shibboleth2.xml> |
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> | <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> |
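Review bot: the `</file>` on the line directly after the "===== Discovery Service =====" heading has no matching `<file ...>` opener in either column (the block opened at `/etc/shibboleth/shibboleth2.xml` above was already closed), so it is an orphaned tag and should be removed. Dropping the DFN-AAI-Basic WAYF block is consistent with the new bold caption "All productive IdPs in DFN-AAI" being followed by the `https://wayf.aai.dfn.de/DFN-AAI/wayf` block, but that surviving block shows only the `<SSO ...>` opening tag, whereas the removed Basic block also carried the `SAML2` content and the `</SSO>` close; verify the full page still shows the complete element so the remaining examples are copy-pasteable.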