Search

Skip to end of metadata
Go to start of metadata

OpenAthens Keystone will make the configuration of SAML and the OpenAthens federation easy, but you will still need to become part of any other access management federation where you want to interact with your customers - e.g. universities and colleges who are only in their own national federations.

Since all the other federations are national research and education network (NREN) based, your best first step is to join one that is part of eduGAIN as this can potentially take care of all of the other the ones you need. 

eduGAIN

eduGAIN is a collaboration between many of the national research and education federations to share metadata which means that you only have to join one of their member federations to appear in the others. Member federations can pick and choose, so it's not guaranteed you'd appear in all of them, but such choices are usually around excluding things that are country specific - e.g. the UK's student voter registration service doesn't need to appear in the Japanese federation.  

These pages from eduGAIN will tell you more:

They recommend joining the federation in your home country as that will make communication during the joining process much easier. 

If you have customers in federations that are not part of eduGAIN then you'll need to join those federations individually.

A useful way of seeing which federations have you (or your customers) in their metadata is to use REFED's metadata explorer:

Methods

The exact method of joining a federation can vary, but those variables are generally about how you apply and what information they want - e.g. some will want a formal letter on headed paper, some may want proof that you own the internet domain in your entityID, most will perform some form of procedure to confirm you are who you say you are and some will just not tell you how to register entities until you are a signed up member. This page covers the technical information you would need to supply them to register your entity, and translates some of the terminology they are likely to use. 

Terminology

TermMeansNotes
EntityThe SAML service provider
EntityIDAn identifier for the entity that is unique within a federationRead this from the connection record in the publisher dashboard.
Display nameWhat you want your service to appear as in their metadataThe published metadata uses the connection name you have set in the SP dashboard and whilst you will usually want this to match it doesn't have to.
MetadataAn XML document that describes the entity

Metadata address,

Automatically generated metadata

Where we have published your SAML metadataSee next table
Federation metadataAn aggregated set of all the entities' metadata in a federationOnce you have registered your entity in a federation, you would appear in that federations metadata. If that federation is part of eduGAIN the data can then propagate to other member federations - depending on how often they update their metadata this could take several days.

If / when they ask for...

If they ask for...Say...Notes
Metadata address

This is not yet linkable - it can be copied form the admin site (SAML connection section of the connection)

The address where your metadata can be accessed. There should not be a requirement for it to be linkable which is why we're not in any rush to make it available.
Software

OpenAthens Keystone

If you want you can describe it as generic SAML, but the endpoints will give it away
Requested attributes

urn:oid:1.3.6.1.4.1.5923.1.1.1.9

and

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

These are the targetedID and scoped affiliation values discussed elsewhere which between them will usually be able to tell you everything you need for authorisation.

This is probably all that you need to tell them, but depending on your application you may want to specify more.

SAML versions supported

SAML 2


Certificate thumbprintRead from your connection record in the publisher dashboardIf they ask for this it is to confirm that the certificate in the metadata you sent them is correct. Hover over the certificate in the interface to read it to them.
Encryption or Signing certificatesCopy from your connection record in the publisher dashboard

They are more likely to ask for the fingerprint (above), but if they ask for this hit the next to your entityID on the connections tab and view your metadata there. Find and copy the x509 certificate from that metadata and then top / tail it with begin and end tags as below:

-----BEGIN CERTIFICATE-----
qd87h5o8a7a475... the certificate data, etc
-----END CERTIFICATE-----

See also: 

  • No labels