Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ======= Production Environment ======= After an IdP/AA or SP has successfully passed the functional tests within the Test Federation (and all other requirements are met), the instance in question can be transferred to the production environment in two steps. **NB:** Please note that the path names in the examples below refer to a Shibboleth installation under Debian GNU/Linux and have to be modified according to the actual local environment! ===== 1. Metadata Administration Tool ===== Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set(s) that is considered to fit best the needs for productive operations, i.e. at least DFN-AAI and - if applicable - eduGAIN. The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team. {{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}} ===== 2. Configuration Changes ===== In order to be able to communicate with other entities in the production environment, the configuration of the IdP/AA or SP has to be adjusted accordingly. ===== MetadataProvider ===== **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. **SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment. **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment. The page [[en:metadata|Metadata]] gives an overview of the available metadata sets/aggregates. | ^ IdP / AA ^ SP ^ ^ DFN-AAI | ''dfn-aai-sp-metadata.xml'' | ''dfn-aai-idp-metadata.xml'' | ^ eduGAIN | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | ^ Local Metadata | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml''* | (* Please refer to the remarks and **examples** at [[de:metadata_local|Local Metadata]]) ==== IdP Example ==== **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** **DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de). For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: <file xml ./conf/metadata-providers.xml> <?xml version="1.0" encoding="UTF-8"?> <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:security="urn:mace:shibboleth:2.0:security" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> <!-- Metadata of all SPs in DFN-AAI production environment --> <MetadataProvider id="DFN_AAI" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml" metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml" maxRefreshDelay="PT2H"> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="/etc/ssl/aai/dfn-aai.pem"/> </MetadataProvider> <!-- Metadata of all SPs in eduGAIN--> <MetadataProvider id="DFN_AAI_eduGAIN" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml" metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml" maxRefreshDelay="PT2H"> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="/etc/ssl/aai/dfn-aai.pem"/> </MetadataProvider> </MetadataProvider> </file> ==== SP Example ==== <callout type="danger" title="Important note: Make sure that redirectLimit is set to the value 'host' or 'exact'!"> Please make sure that in **''shibboleth2.xml''** in all **''<Sessions>''** elements the XML attribute **''redirectLimit''** - is set and - has the value **''host''** or **''exact''**! (if necessary in combination with ''allow'') This measure prevents the possible open redirect misuse of the SP e.g. in the context of a phishing attack, cf. https://shibboleth.atlassian.net/browse/SSPCPP-714. For more information on the configuration parameters of the ''<Sessions>'' element see the [[https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions|Shibboleth Wiki]]. </callout> **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** Communication with all productive IdPs in DFN-AAI as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): <file xml /etc/shibboleth/shibboleth2.xml> <MetadataProvider type="XML" uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> </MetadataProvider> <MetadataProvider type="XML" uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml" backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> <MetadataFilter type="Exclude" matcher="EntityAttributes"> <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue> </saml:Attribute> </MetadataFilter> </MetadataProvider> </file> \\ ===== Discovery Service ===== ==== Embedded Discovery Service ==== In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP. ==== Central Discovery Service ==== In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). ===Examples for Shibboleth SP=== **Local IdP only** <file xml /etc/shibboleth/shibboleth2.xml> <SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth"> SAML2 </SSO> </file> **All productive IdPs in DFN-AAI** <file xml /etc/shibboleth/shibboleth2.xml> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> SAML2 </SSO> </file> **All productive IdPs in DFN-AAI and in eduGAIN** <file xml /etc/shibboleth/shibboleth2.xml> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> SAML2 </SSO> </file> {{tag>idp4 tutorial discovery production metadata wayf}} idp4 tutorial discovery production metadata wayf Last modified: 2 years ago Log In