en:production [2019/05/16 12:55] Wolfgang Pempe
en:production [2023/01/12 19:38] (current) Wolfgang Pempe
Line 7: Line 7:
 ===== 1. Metadata Administration Tool ===== ===== 1. Metadata Administration Tool =====
  
-Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf[[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the entity will be unlocked.+Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set(s) that is considered to fit best the needs for productive operations, i.e. at least DFN-AAI and - if applicable - eduGAIN. The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team.
  
 +{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
 ===== 2. Configuration Changes ===== ===== 2. Configuration Changes =====
  
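Review bot: the new sentence "If the checks are positive, the button will be unlocked" replaces "the entity will be unlocked" without saying which button is meant; name it (the one that submits the entity for the production set) so the reader knows what to look for in the screenshot added below. Small grammar point in the same hunk: "metadata set(s) that is considered to fit best" should read "that are considered to fit best".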
Line 17: Line 18:
 **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]].
  
-**SP Operators** decide which [[en:degrees_of_reliance|Degree of Reliance]] they require for accessing the protected resources. The audience can be restricted to IdPs of the Degree of Reliance "Advanced" by chosing ''dfn-aai-metadata.xml''. The metadata file ''dfn-aai-basic-metadata.xml'' comprises *all* productive IdPs in DFN-AAI, both "Basic" and "Advanced".+**SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment.
  
 **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment. **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment.
Line 24: Line 25:
  
 |                   ^ IdP / AA                            ^ SP                                   ^ |                   ^ IdP / AA                            ^ SP                                   ^
-Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             +DFN-AAI          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-idp-metadata.xml''             |
-^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   | +
-^ Advanced + Basic  | --                                  | ''dfn-aai-basic-metadata.xml''       |+
 ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' |
 ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' | ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' |
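Review bot: the new table row `DFN-AAI | ''dfn-aai-sp-metadata.xml'' | ''dfn-aai-idp-metadata.xml'' |` lacks the leading `^` that the eduGAIN and Local Metadata rows carry, so its row label will render as an ordinary cell instead of a header cell; add the `^`. Also worth stating next to the table that the two per-role files are meant to be consumed together with their eduGAIN counterparts, since the SP and IdP examples further down load both providers.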
Line 32: Line 31:
  
 ==== IdP Example ==== ==== IdP Example ====
-**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]].+**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** 
 + 
 +**DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de).
  
 For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**:
Line 53: Line 54:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
          
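Review bot: the certificateFile path drops the generation suffix (`/etc/ssl/aai/dfn-aai.g2.pem` becomes `/etc/ssl/aai/dfn-aai.pem`), but the NB at Line 17 still says the examples refer to the DFN-PKI second-generation hierarchy; either keep the old file name or update the NB and the linked Metadata page in the same change, otherwise operators copying the path will validate the metadata signature against whatever certificate happens to sit at the new path. The metadataURL remains plain http, which is acceptable here only because `requireSignedRoot="true"` on the SignatureValidation filter is retained; a sentence saying that the signature check, not the transport, is what protects the downloaded metadata would make that dependency explicit.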
Line 63: Line 64:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
  
Line 73: Line 74:
  
 ==== SP Example ==== ==== SP Example ====
-For metadata download URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]]. 
  
-Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic"as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):+<callout type="danger" title="Important note: Make sure that redirectLimit is set to the value 'host' or 'exact'!"> 
 +Please make sure that in **''shibboleth2.xml''** in all **''<Sessions>''** elements the XML attribute **''redirectLimit''**  
 +  - is set and 
 +  - has the value **''host''** or **''exact''**! (if necessary in combination with ''allow''
 +This measure prevents the possible open redirect misuse of the SP e.g. in the context of a phishing attack, cf. https://shibboleth.atlassian.net/browse/SSPCPP-714.  
 +For more information on the configuration parameters of the ''<Sessions>'' element see the [[https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions|Shibboleth Wiki]]. 
 +</callout> 
 + 
 +**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** 
 + 
 +Communication with all productive IdPs in DFN-AAI as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):
  
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" +      uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" 
-      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> +      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> 
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="EntityRoleWhiteList"> +
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> +
-    </MetadataFilter>+
 </MetadataProvider> </MetadataProvider>
  
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+      uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> +   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> 
-   <MetadataFilter type="Blacklist" matcher="EntityAttributes">+   <MetadataFilter type="Exclude" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"         <saml:Attribute Name="http://macedir.org/entity-category" 
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
Line 97: Line 104:
        </saml:Attribute>        </saml:Attribute>
    </MetadataFilter>    </MetadataFilter>
-   <MetadataFilter type="EntityRoleWhiteList"> 
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> 
-    </MetadataFilter> 
 </MetadataProvider> </MetadataProvider>
 </file> </file>
 +
 +\\
  
 ===== Discovery Service ===== ===== Discovery Service =====
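Review bot: in the new callout the second list item leaves both the `''allow''` markup and the parenthesis unclosed (`has the value **''host''** or **''exact''**! (if necessary in combination with ''allow''`), which will garble the rendering of the sentences that follow; close both. Because the file shown directly below is shibboleth2.xml, consider adding the `redirectLimit="host"` (or `"exact"`) attribute on a `<Sessions>` element to the example itself, so the setting the callout requires is visible next to the MetadataProvider configuration rather than only described. Removing the two `EntityRoleWhiteList` filters is only safe if dfn-aai-idp-metadata.xml and dfn-aai-edugain+idp-metadata.xml contain IdP roles exclusively, since those filters were previously the only thing restricting the loaded entities to IdPs; state that assumption in the text. Finally, the filter type rename from `Blacklist` to `Exclude` should mention the minimum SP version that accepts the new name, as older installations will fail to load the configuration.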
Line 107: Line 113:
 ==== Embedded Discovery Service ==== ==== Embedded Discovery Service ====
  
-In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibeds|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP.+In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP.
  
 ==== Central Discovery Service ==== ==== Central Discovery Service ====
  
-In case no SP-specific and/or [[de:shibeds|Embedded Discovery Service]] can be implemented, we provide a centralized+In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized
 discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]).
  
Line 124: Line 130:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degrees of Reliance "Advanced" + "Basic")** +**All productive IdPs in DFN-AAI**
-<file xml /etc/shibboleth/shibboleth2.xml> +
-<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf"> +
-    SAML2 +
-</SSO> +
-</file> +
- +
-**All IdPs in DFN-AAI with Degree of Reliance "Advanced"**+
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf">
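Review bot: the heading above this block changes from "All IdPs in DFN-AAI with Degree of Reliance "Advanced"" to "All productive IdPs in DFN-AAI" while the discoveryURL `https://wayf.aai.dfn.de/DFN-AAI/wayf` stays the same, and the DFN-AAI-Basic entry is removed; confirm in the text that this WAYF now lists the same IdP set as dfn-aai-idp-metadata.xml, otherwise an SP following the MetadataProvider example above will offer users IdPs for which it loads no metadata, or vice versa.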
Line 138: Line 137:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degree of Reliance "Advanced" + "Basic"and eduGAIN**+**All productive IdPs in DFN-AAI and in eduGAIN**
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf">
Line 144: Line 143:
 </SSO> </SSO>
 </file> </file>
 +
 +{{tag>idp4 tutorial discovery production metadata wayf}}