Differences

en:production [2017/06/15 21:51] Wolfgang Pempe | en:production [2023/01/12 19:38] (current) Wolfgang Pempe
Line 3: Line 3:
 After an IdP/AA or SP has successfully passed the functional tests within the Test Federation (and all other requirements are met), the instance in question can be transferred to the production environment in two steps. After an IdP/AA or SP has successfully passed the functional tests within the Test Federation (and all other requirements are met), the instance in question can be transferred to the production environment in two steps.
  
-**NB:** Please note that the path names in the examples below refer to a Shibboleth installation under Debian GNU/Linux and must be modified according to the actual local environment!+**NB:** Please note that the path names in the examples below refer to a Shibboleth installation under Debian GNU/Linux and have to be modified according to the actual local environment!
  
 ===== 1. Metadata Administration Tool ===== ===== 1. Metadata Administration Tool =====
  
-Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[https://www.aai.dfn.de/en/der-dienst/degrees-of-reliance/|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the entity will be unlocked.+Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set(s) that is considered to fit best the needs for productive operations, i.eat least DFN-AAI and if applicable eduGAIN. The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team.
  
 +{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
 ===== 2. Configuration Changes ===== ===== 2. Configuration Changes =====
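Review bot: the rewritten Federations paragraph has "i.eat least DFN-AAI" (should read "i.e. at least DFN-AAI") and "metadata set(s) that is considered" (should be "that are considered"); "the button will be unlocked" should name which button, i.e. the one that submits the entity to the production federation, since the old wording ("the entity will be unlocked") described a different outcome. The new last sentence, that the entry is then reviewed by the DFN-AAI team, is the important change and should say what the entity's status is while that review is pending (the added screenshot's file name suggests "pending"), so operators do not assume the entity is live as soon as the button has been pressed.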
  
Line 17: Line 18:
 **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]].
  
-**SP Operators** decide which [[https://www.aai.dfn.de/en/der-dienst/degrees-of-reliance/|Degree of Reliance]] an IdP mindestens angehören muss, damit dessen User auf den SP zugreifen dürfen, indem Sie entweder ''dfn-aai-metadata.xml'' oder ''dfn-aai-basic-metadata.xml'' einbinden. Bei ersterem haben nur Nutzer von IdPs Zugriff auf den betreffenden Dienst, welche die Kriterien der Verlässlichkeitsklasse "Advanced" erfüllen, bei letzterem zusätzlich auch Nutzer von IdPs, die nur die Kriterien der Klasse "Basic" erfüllen. (IdPs der Verlässlichkeitsklasse "Advanced" werden darum sowohl in den "Advanced"-Metadaten als auch in den "Basic"-Metadaten registriert).+**SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment.
  
-**IdP Operators** binden den Metadatensatz ein, der alle produktiven SP der DFN-AAI enthält.+**IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment.
  
 The page [[en:metadata|Metadata]] gives an overview of the available metadata sets/aggregates. The page [[en:metadata|Metadata]] gives an overview of the available metadata sets/aggregates.
  
 |                   ^ IdP / AA                            ^ SP                                   ^ |                   ^ IdP / AA                            ^ SP                                   ^
-Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             +DFN-AAI          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-idp-metadata.xml''             |
-^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   | +
-^ Advanced + Basic  | --                                  | ''dfn-aai-basic-metadata.xml''       |+
 ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' |
 ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' | ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' |
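Review bot: the Advanced/Basic rows and the explanation of which SP aggregate admits which IdPs are removed, but nothing tells an SP operator who still consumes dfn-aai-basic-metadata.xml or dfn-aai-metadata.xml (the two file names dropped from the table) whether those aggregates are still served, redirected or retired; one sentence stating that and naming dfn-aai-idp-metadata.xml as the replacement would prevent SPs from silently running on a stale or missing aggregate. The new "DFN-AAI" row also appears to have lost the leading "^" header-cell marker and the column padding of the rows around it; if that is not just an artifact of this diff view, the table will render with that row mis-aligned.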
Line 32: Line 31:
  
 ==== IdP Example ==== ==== IdP Example ====
-**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]].+**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** 
 + 
 +**DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de).
  
 For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**:
Line 53: Line 54:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
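Review bot: the certificateFile change from /etc/ssl/aai/dfn-aai.g2.pem to /etc/ssl/aai/dfn-aai.pem replaces the trust anchor that SignatureValidation (requireSignedRoot="true") checks every aggregate against, but the hunk does not say where the new certificate comes from or how to verify it before installing it. Since metadataURL is plain http, this file is the only integrity control on the federation metadata: an unverified or wrong file either makes every refresh fail (the IdP then keeps using the cached backingFile) or, in the worst case, trusts whatever an on-path attacker has signed. Suggest one line pointing at the published certificate and its fingerprint (the Metadata page referenced above) and telling operators to compare it with `openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/aai/dfn-aai.pem` before switching the path.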
          
Line 63: Line 64:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
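Review bot: both IdP providers (this eduGAIN one and the DFN-AAI one in the previous hunk) validate the signature but accept any validly signed aggregate regardless of its age, and with metadataURL on plain http an on-path attacker can replay an older, still correctly signed aggregate, e.g. one that still lists an entity that has since been removed from the federation. Suggest adding `<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>` next to the SignatureValidation filter in both providers so that aggregates without a validUntil, or with one further out than the federation publishes, are rejected; the interval has to match the federation's actual validUntil window, which this page does not state, so the value given is a placeholder.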
  
Line 74: Line 75:
 ==== SP Example ==== ==== SP Example ====
  
-Communication with all productive IdPs in DFN-AAI (Degree of Reliance Adavanced and Basic) as well as all IdPs from eduGAIN - except the "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):+<callout type="danger" title="Important note: Make sure that redirectLimit is set to the value 'host' or 'exact'!"> 
 +Please make sure that in **''shibboleth2.xml''** in all **''<Sessions>''** elements the XML attribute **''redirectLimit''**  
 +  - is set and 
 +  - has the value **''host''** or **''exact''**! (if necessary in combination with ''allow''
 +This measure prevents the possible open redirect misuse of the SP e.g. in the context of a phishing attack, cf. https://shibboleth.atlassian.net/browse/SSPCPP-714.  
 +For more information on the configuration parameters of the ''<Sessions>'' element see the [[https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions|Shibboleth Wiki]]. 
 +</callout> 
 + 
 +**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** 
 + 
 +Communication with all productive IdPs in DFN-AAI as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):
  
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" +      uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" 
-      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> +      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> 
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="EntityRoleWhiteList"> +
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> +
-    </MetadataFilter>+
 </MetadataProvider> </MetadataProvider>
  
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+      uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /> +   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> 
-   <MetadataFilter type="Blacklist" matcher="EntityAttributes">+   <MetadataFilter type="Exclude" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"         <saml:Attribute Name="http://macedir.org/entity-category" 
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
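Review bot: the uri attributes of both SP MetadataProviders change from https://www.aai.dfn.de/... to http://www.aai.dfn.de/... without explanation; the Signature filter keeps integrity intact, but the downgrade is a regression with no stated benefit (the IdP example already uses http, so if http is now the canonical URL a sentence saying so would stop operators "fixing" it back to https). In the new callout, the instruction to set redirectLimit is correct and important (SSPCPP-714 is the open-redirect issue the callout cites), but the shibboleth2.xml excerpt that follows shows only MetadataProvider elements, so there is nothing to copy; quoting the attribute on a <Sessions> element, e.g. `<Sessions lifetime="28800" timeout="3600" redirectLimit="exact" ...>` (illustrative values), would make the callout actionable, and the parenthesis after ''allow'' is never closed.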
Line 96: Line 104:
        </saml:Attribute>        </saml:Attribute>
    </MetadataFilter>    </MetadataFilter>
-   <MetadataFilter type="EntityRoleWhiteList"> 
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> 
-    </MetadataFilter> 
 </MetadataProvider> </MetadataProvider>
 </file> </file>
 +
 +\\
  
 ===== Discovery Service ===== ===== Discovery Service =====
-Bei einem **Shibboleth SP** wählt man entsprechend der benötigten Verlässlichkeitsklasse den URL zum DS-Server, sofern kein lokaler bzw. [[de:shibeds|Embedded Discovery Service]] verwendet wird. Bei SPs, die nur innerhalb der Einrichtung betrieben werden ("lokale SPs"), sollte die Entity ID des IdP der Einrichtung referenziert werden (siehe auch unter [[de:metadata_local|Local Metadata]]). 
  
-**Local SP**+==== Embedded Discovery Service ==== 
 + 
 +In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP. 
 + 
 +==== Central Discovery Service ==== 
 + 
 +In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized 
 +discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). 
 + 
 + 
 +===Examples for Shibboleth SP=== 
 + 
 +**Local IdP only**
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth"> <SSO entityID="https://idp.beispiel-uni.de/idp/shibboleth">
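Review bot: removing the EntityRoleWhiteList filter from the eduGAIN provider (and from the DFN-AAI provider above) is only safe if dfn-aai-edugain+idp-metadata.xml and dfn-aai-idp-metadata.xml are guaranteed to carry IDPSSODescriptor roles only; if an aggregate can ever include SP roles, the SP now loads them for nothing, so half a sentence stating that the "+idp"/"idp" aggregates are IdP-only would justify the removal. In the Discovery Service text, "a couple of Home Organizations" reads as exactly two and should be "a small number of"; "no SP-specific and/or Embedded Discovery Service" is ambiguous and reads better as "no SP-specific (e.g. Embedded) Discovery Service"; and the lone "\\" line added after </file> is a forced line break with no visible purpose.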
Line 112: Line 130:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degrees of Reliance "Advanced" + "Basic")** +**All productive IdPs in DFN-AAI**
-<file xml /etc/shibboleth/shibboleth2.xml> +
-<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf"> +
-    SAML2 +
-</SSO> +
-</file> +
- +
-**All IdPs in DFN-AAI with Degree of Reliance "Advanced"**+
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI/wayf">
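Review bot: the DFN-AAI-Basic discoveryURL block is deleted outright; an SP still configured with discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Basic/wayf" keeps sending users there regardless of what this page says, so the hunk should state whether that endpoint still answers, redirects to /DFN-AAI/wayf, or is gone, and that the DFN-AAI URL is the replacement. The remaining "All productive IdPs in DFN-AAI" example is also the place to make the consistency requirement explicit: the discovery URL must match the aggregate the SP loads (the DFN-AAI WAYF with dfn-aai-idp-metadata.xml, the DFN-AAI-eduGAIN WAYF only when the eduGAIN aggregate is loaded as well), otherwise a user can pick an IdP whose metadata the SP does not have and the SSO attempt fails right after discovery.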
Line 126: Line 137:
 </file> </file>
  
-**All productive IdPs in DFN-AAI (Degree of Reliance "Advanced" + "Basic"and eduGAIN**+**All productive IdPs in DFN-AAI and in eduGAIN**
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf"> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf">
Line 132: Line 143:
 </SSO> </SSO>
 </file> </file>
 +
 +{{tag>idp4 tutorial discovery production metadata wayf}}