Procedure
The procedure for connecting to SURFconext as an IDP that is not already part of the SURFfederatie, is:
- Send an email to surfconext-beheer@surfnet.nl requesting that your IDP is added to SURFconext
- Your request will be evaluated
- When your request is accepted by SURFconext, send the necessary information described below to surfconext-beheer@surfnet.nl
- SURFconext will add you as an IDP and will notify you when this is completed
- Testing?
Necessary information
When a SURFnet institution wants to connect to SURFconext as an IDP, the following information needs to be provided by the institution:
- IDP SAML2 metadata. The IDP metadata should at least contain the following information:
- SingleSignOnService element with Binding and Location
- x509 certificate that is used for signing messages - Extra information describing your institution:
NOTE: all fields marked with a * are mandatory
Information |
Example value |
Description |
|---|---|---|
url * |
The URL of the institution (usually points to the institutions homepage) |
|
organization:OrganizationName:nl * |
Universiteit van Monnickendam |
Dutch name of the organisation running the IDP |
organization:OrganizationName:en * |
University of Monnickendam |
English name of the organisation running the IDP |
organization:OrganizationDisplayName:nl * |
Universiteit van Monnickendam |
Dutch name suitable for display purposes of the organisation running the IDP |
organization:OrganizationDisplayName:en * |
University of Monnickendam |
English name suitable for display purposes of the organisation running the IDP |
logo * |
universiteitvanmonnickendam.gif |
The logo of the IDP that users who want to login will recognize as representing their institution. Logo format should be delivered in GIF, JPG or PNG format with a maximum size of 108 x 48 pixels (width x height). A URL to an image is acceptable, but this image will be copied to a SURFconext location. Any updates to this image after the IDP registration is complete will not be processed. |
logo width |
107 |
Width of the logo in pixels (maximum 108 pixels) |
logo height |
51 |
Height of the logo in pixels (maximum 48 pixels) |
logo href * |
? |
|
keywords:nl * |
universiteit monnickendam uvm |
Dutch keywords users can use when searching for a specific IDP |
keywords:en * |
universiy monnickendam uvm |
English keywords users can use when searching for a specific IDP |
Configuring SURFconext as an SP in your IdP
The following attributes are required to send to SURFconext in the SAML assertion:
- urn:mace:dir:attribute-def:uid
- urn:mace:terena.org:attribute-def:schacHomeOrganization
The following attributes are also supported:
- ...
- ...
- ...
simpleSAMLphp as IdP
Assuming your simpleSAMLphp is connected to your local LDAP you need to modify the elements by adding the urn prefix and making schacHomeOrganization available.
The following can be configured in /path/to/simplesamlphp/metadata/saml20-sp-remote.php:
$metadata['https://engine.surfconext.nl/authentication/sp/metadata'] = array (
'AssertionConsumerService' => 'https://engine.surfconext.nl/authentication/sp/consume-assertion',
'authproc' => array(
/* add schacHomeOrganization attribute */
10 => array(
'class' => 'core:AttributeAdd',
'schacHomeOrganization' => 'frkosp.wind.surfnet.nl',
),
/* add the 'urn' prefix to all supported attributes (if available from LDAP) */
20 => array(
'class' => 'core:AttributeMap',
'uid' => 'urn:mace:dir:attribute-def:uid',
'sn' => 'urn:mace:dir:attribute-def:sn',
'givenName' => 'urn:mace:dir:attribute-def:givenName',
'cn' => 'urn:mace:dir:attribute-def:cn',
'displayName' => 'urn:mace:dir:attribute-def:displayName',
'mail' => 'urn:mace:dir:attribute-def:mail',
'eduPersonPrincipalName' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName',
'eduPersonEntitlement' => 'urn:mace:dir:attribute-def:eduPersonEntitlement',
'eduPersonAffiliation' => 'urn:mace:dir:attribute-def:eduPersonAffiliation',
'schacHomeOrganization' => 'urn:mace:terena.org:attribute-def:schacHomeOrganization',
),
),
);