Versions Compared

Old Version 8

changes.mady.by.user Unknown User (urn:collab:person:surfguest.nl:d09fa6a3-58f5-48a7-aa62-17f02489c888)

Saved on

compared with

New Version 9

changes.mady.by.user Unknown User (urn:collab:person:surfguest.nl:d09fa6a3-58f5-48a7-aa62-17f02489c888)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Be sure that your service is configured in SURFconext (Production or Test environment).
  2. Request a SAML 2.0 metadata file with all IdPs that have been coupled with your service (https://engine.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=SP-ENTITY-ID: replace SP-ENTITY-ID with your EntityID as found in your metadata).
  3. You will receive an actual list of (1) your own Service Provider metadata and (2) metadata of all IdPs that have have been coupled with your service.
  4. Configure the metadata into your Service Provider directly or use it (e.g. with Xpath) to extract the Display names and SSO locations of the IdPs to present in your WAYF.
    For any IdP the SSO location points to a SURFconext endpoint, but with a specific identifier at the end. This identifier instructs SURFconext to forward the authentication request to the requested IdP.

Example of the metadata file:

Code Block
languagexml
titleExample of a metadata file
<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui" ID="CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>L8ANkHPH4msXsIUFptAMeNTuMzQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSE6aUY74Y1P/B6ZDY4s6F3AEpCv0t/z9fyyhUmPZctfshkiyK53vz8lKfmgiUlOk2c4+dXVPlVQqzeVgW2lDKycdWhkjSQnybBNPrBYlvlEPMJHO4p83IEOMGXh7yS6a8OjNc9qLTikVQnxwfV3xAZGxZ0AZVSJM9WhkqRMJGAK7xMcttM77cIy06ZRpNDb5e36Fb6dLHHAJ3JICd9CEHqdP3WKB2rO2wDGxrkIx/6ynnM1YCFbWvpGU+dGT6/r7YTU9q89UdU2cYMTP1t4KSl/BOMJflnwlAEmFxcxn4FGKny9cRpzhu0nvmtk02cK8T/pYboWWEqG6ooTIEM3Yw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://engine.surfconext.nl/authentication/sp/consume-assertion/7f301d787aa6ea235a8b86434d39aa41" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:DisplayName xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:Description xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Description xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Logo height="60" width="120">https://wayf.surf.nl/federate/surfnet/img/logo/surfnet.png</mdui:Logo><mdui:Keywords xml:lang="en">SURFNET</mdui:Keywords><mdui:Keywords xml:lang="nl">SURFNET</mdui:Keywords></md:Extensions><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/></md:IDPSSODescriptor></md:EntityDescriptor>

...