Production Environment

After an IdP/AA or SP has successfully passed the functional tests within the Test Federation (and all other requirements are met), the instance in question can be transferred to the production environment in two steps.

NB: Please note that the path names in the examples below refer to a Shibboleth installation under Debian GNU/Linux and must be modified according to the actual local environment!

Using the Metadata Admin Tool (entity edit view, section “Federations”), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. Degrees of Reliance). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the entity will be unlocked.

In order to be able to communicate with other entities in the production environment, the configuration of the IdP/AA or SP has to be adjusted accordingly.

NB: As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to Metadata.

SP operators decide which Degree of Reliance an IdP must at least belong to for its users to be allowed access to the SP, by including either dfn-aai-metadata.xml or dfn-aai-basic-metadata.xml. With the former, only users of IdPs that meet the criteria of the reliance class “Advanced” have access to the service in question; with the latter, users of IdPs that only meet the criteria of the class “Basic” have access as well. (IdPs of the reliance class “Advanced” are therefore registered both in the “Advanced” metadata and in the “Basic” metadata.)

IdP operators include the metadata set that contains all productive SPs of the DFN-AAI.

The page Metadata gives an overview of the available metadata sets/aggregates.

                    IdP / AA                            SP
Advanced            dfn-aai-sp-metadata.xml             dfn-aai-metadata.xml
Basic               dfn-aai-sp-metadata.xml             -
Advanced + Basic    -                                   dfn-aai-basic-metadata.xml
eduGAIN             dfn-aai-edugain+sp-metadata.xml     dfn-aai-edugain+idp-metadata.xml
Local Metadata      dfn-aai-local-999-metadata.xml*     dfn-aai-local-999-metadata.xml*

(* Please refer to the remarks and examples at Local Metadata)

DFN-AAI: Cf. Federation Metadata.

For participation in eduGAIN, the entity must consume a separate metadata set in addition to the DFN-AAI federation metadata:

./conf/metadata-providers.xml
<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
 
    <!-- Metadata of all SPs in DFN-AAI production environment -->
    <MetadataProvider id="DFN_AAI"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml"
                  maxRefreshDelay="PT2H">
            <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>
    </MetadataProvider>
 
    <!-- Metadata of all SPs in eduGAIN-->
    <MetadataProvider id="DFN_AAI_eduGAIN"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"
                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml"
                  maxRefreshDelay="PT2H">
            <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>
    </MetadataProvider>
 
</MetadataProvider>

Communication with all productive IdPs in DFN-AAI (Degrees of Reliance “Advanced” and “Basic”) as well as all IdPs from eduGAIN, except the “Self-Signup” IdPs (cf. also Entity Attributes):

/etc/shibboleth/shibboleth2.xml
<MetadataProvider type="XML" 
      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml"
      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600">
   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />
   <MetadataFilter type="EntityRoleWhiteList">
       <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
 
<MetadataProvider type="XML" 
      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"
      backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />
   <MetadataFilter type="Blacklist" matcher="EntityAttributes">
       <saml:Attribute Name="http://macedir.org/entity-category" 
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue>
       </saml:Attribute>
   </MetadataFilter>
   <MetadataFilter type="EntityRoleWhiteList">
       <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
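Added example (not part of this documentation and not Shibboleth code): a Python simulation of the SP filter chain above, i.e. the signed-root requirement, EntityRoleWhiteList for md:IDPSSODescriptor and the Blacklist by the public-idp entity category, run over a constructed aggregate so an operator can predict which entities the SP will retain. The entity IDs and the aggregate are constructed, and the signature is only checked for presence, not cryptographically verified as the real filter does.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
PUBLIC_IDP = "http://aai.dfn.de/category/public-idp"

# Constructed sample aggregate: one SP, one ordinary IdP, one "Self-Signup" (public-idp) IdP.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-aggregate">
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-uni.de/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://public-idp.example.net/idp">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def has_signed_root(root):
    """Mirror requireSignedRoot: ds:Signature must be a direct child of the aggregate root
    (presence check only; the real Signature filter also verifies it against the cert)."""
    return root.find("ds:Signature", NS) is not None

def entity_attribute_values(entity, name):
    """Values of one EntityAttributes attribute declared on an EntityDescriptor."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return {v.text.strip() for a in entity.findall(path, NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS) if v.text}

def filter_aggregate(xml_text, retained_role="IDPSSODescriptor", blacklist_category=PUBLIC_IDP):
    """Apply the SP's chain: signed root, EntityRoleWhiteList, Blacklist by EntityAttributes."""
    root = ET.fromstring(xml_text)
    if not has_signed_root(root):
        raise ValueError("aggregate root is not signed; refusing to load")
    kept = []
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.find(f"md:{retained_role}", NS) is None:
            continue  # EntityRoleWhiteList: entities without the retained role are dropped
        if blacklist_category in entity_attribute_values(entity, ENTITY_CATEGORY):
            continue  # Blacklist: public-idp ("Self-Signup") IdPs are dropped
        kept.append(entity.get("entityID"))
    return kept
```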

For a Shibboleth SP, the URL of the DS server is chosen according to the required reliance class, unless a local or Embedded Discovery Service is used. For SPs that are operated only within the institution (“local SPs”), the entity ID of the institution's IdP should be referenced (see also Local Metadata).

Local SP

/etc/shibboleth/shibboleth2.xml
<SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth">
   SAML2 
</SSO>

All productive IdPs in DFN-AAI (Degrees of Reliance “Advanced” + “Basic”)

/etc/shibboleth/shibboleth2.xml
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf">
    SAML2
</SSO>

All IdPs in DFN-AAI with Degree of Reliance “Advanced”

/etc/shibboleth/shibboleth2.xml
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf">
    SAML2
</SSO>

All productive IdPs in DFN-AAI (Degree of Reliance “Advanced” + “Basic”) and eduGAIN

/etc/shibboleth/shibboleth2.xml
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf">
    SAML2
</SSO>