
Procedure

The procedure for connecting to SURFconext as an IdP is as follows:

  1. Request that your IdP is added to SURFconext by sending an email to surfconext-beheer@surfnet.nl
  2. Your request will be evaluated
  3. When your request is accepted by SURFconext, send the necessary information (see below) to surfconext-beheer@surfnet.nl
  4. Add the SURFconext metadata to your IdP configuration.
  5. SURFconext will add you as an IdP and will notify you when this is done
  6. Verify correct configuration by logging in to an SP
  7. Have the status of your IdP changed to production by emailing surfconext-beheer@surfnet.nl

Necessary information

When a SURFnet institution wants to connect to SURFconext as an IdP, the following information needs to be provided by the institution:

  1. IdP SAML2 metadata. The IdP metadata should at least contain the following information:
    • SingleSignOnService element with Binding and Location
    • x509 certificate that is used for signing messages
  2. Extra information describing your institution, fields marked with a * are mandatory:

Information | Example value | Description
url * | http://www.uvm.nl | The URL of the institution (usually points to the institution's homepage)
organization:OrganizationName:nl * | Universiteit van Monnickendam | Dutch name of the organisation running the IdP
organization:OrganizationName:en * | University of Monnickendam | English name of the organisation running the IdP
organization:OrganizationDisplayName:nl * | Universiteit van Monnickendam | Dutch name suitable for display purposes of the organisation running the IdP
organization:OrganizationDisplayName:en * | University of Monnickendam | English name suitable for display purposes of the organisation running the IdP
logo * | universiteitvanmonnickendam.gif | The logo of the IdP that users who want to log in will recognize as representing their institution. The logo must be delivered in GIF, JPG or PNG format with a maximum size of 108 x 48 pixels (width x height). A URL to an image is acceptable, but the image will be copied to a SURFconext location; any updates to this image after the IdP registration is complete will not be processed.
logo width | 107 | Width of the logo in pixels (maximum 108 pixels)
logo height | 51 | Height of the logo in pixels (maximum 48 pixels)
keywords:nl * | universiteit monnickendam uvm | Dutch keywords users can use when searching for a specific IdP
keywords:en * | university monnickendam uvm | English keywords users can use when searching for a specific IdP

Configuring SURFconext as an SP in your IdP

The following attributes must be sent to SURFconext in the SAML assertion:

  1. urn:mace:dir:attribute-def:uid
  2. urn:mace:terena.org:attribute-def:schacHomeOrganization

The following attributes are also supported, and may be useful to service providers (and SURFconext itself) as well:

  1. urn:mace:dir:attribute-def:displayName
  2. urn:mace:dir:attribute-def:mail
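The following is an added example, not code from this page or from simpleSAMLphp: a small checker you can run against an assertion your IdP releases (for instance one captured while verifying the configuration in step 6) to confirm the two required attributes are present and that all names carry the urn prefix. Both assertions in the block are constructed for the example; the attribute names are the ones listed above.

```python
# Added example (not from the SURFconext page or simpleSAMLphp); the sample
# assertions below are constructed, the attribute names are those the page lists.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {
    "urn:mace:dir:attribute-def:uid",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization",
}

def attribute_names(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_release(assertion_xml):
    """Return a list of problems; an empty list means the release is acceptable."""
    attrs = attribute_names(assertion_xml)
    problems = []
    for name in sorted(REQUIRED):
        if name not in attrs:
            problems.append("missing required attribute " + name)
        elif not any(v.strip() for v in attrs[name]):
            problems.append("required attribute " + name + " has no value")
    for name in attrs:
        # A bare LDAP name means the attribute was released without the urn prefix.
        if not name.startswith("urn:mace:"):
            problems.append("attribute " + repr(name) + " lacks the urn prefix")
    return problems

def _assertion(*attributes):
    """Build a minimal constructed assertion from (Name, value) pairs."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (n, v) for n, v in attributes)
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion>' % (NS["saml"], body))

# Unmapped LDAP names: what an IdP releases before any attribute mapping is in place.
BAD_SAMPLE = _assertion(("uid", "jdoe"), ("mail", "jdoe@uvm.nl"))
# Mapped names plus schacHomeOrganization: what SURFconext expects.
GOOD_SAMPLE = _assertion(
    ("urn:mace:dir:attribute-def:uid", "jdoe"),
    ("urn:mace:terena.org:attribute-def:schacHomeOrganization", "uvm.nl"),
    ("urn:mace:dir:attribute-def:mail", "jdoe@uvm.nl"))
```

Running check_release on the first sample reports both required attributes as missing and both bare names as unprefixed; on the second it reports nothing.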

Using simpleSAMLphp as IdP

Assuming your simpleSAMLphp IdP takes its attributes from your local LDAP, you need to map the LDAP attribute names to their urn-prefixed equivalents and make schacHomeOrganization available (the example below adds it as a static attribute).

The following can be configured in metadata/saml20-sp-remote.php; make sure to replace the schacHomeOrganization value (frkosp.wind.surfnet.nl in the example) with your institution's domain:

$metadata['https://engine.surfconext.nl/authentication/sp/metadata'] = array (
  'AssertionConsumerService' =>  'https://engine.surfconext.nl/authentication/sp/consume-assertion',
  'authproc' => array(
    /* add schacHomeOrganization attribute */
    10 => array(
      'class' => 'core:AttributeAdd',
      'schacHomeOrganization' => 'frkosp.wind.surfnet.nl',
    ),
    /* add the 'urn' prefix to all supported attributes (if available from LDAP) */
    20 => array(
      'class' => 'core:AttributeMap',
      'uid'                    => 'urn:mace:dir:attribute-def:uid',
      'sn'                     => 'urn:mace:dir:attribute-def:sn',
      'givenName'              => 'urn:mace:dir:attribute-def:givenName',
      'cn'                     => 'urn:mace:dir:attribute-def:cn',
      'displayName'            => 'urn:mace:dir:attribute-def:displayName',
      'mail'                   => 'urn:mace:dir:attribute-def:mail',
      'eduPersonPrincipalName' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName',
      'eduPersonEntitlement'   => 'urn:mace:dir:attribute-def:eduPersonEntitlement',
      'eduPersonAffiliation'   => 'urn:mace:dir:attribute-def:eduPersonAffiliation',
      'schacHomeOrganization'  => 'urn:mace:terena.org:attribute-def:schacHomeOrganization',
    ),
  ),
);

To provide more details about your IdP, a snippet like the following can be added to the IdP entry in metadata/saml20-idp-hosted.php:

        'UIInfo' => array(
            'DisplayName' => array(
                'en' => 'University of Monnickendam',
            ),
            'Description' => array(
                'en' => 'An IdP operated by University of Monnickendam',
            ),
            'Keywords' => array(
                'en' => array('universiteit','monnickendam', 'uvm'),
            ),
            'Logo' => array(
                array(
                    'url'    => 'http://www.uvm.nl/universiteitvanmonnickendam.gif',
                    'height' => 51,
                    'width'  => 107,
                ),
            ),
        ),