• Created by Unknown User (urn:collab:person:surfnet.nl:eefje), last modified on Mon 06 May 2013

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Version 1.0, last edited 12 February 2012

SURFnet operates a hub-and-spoke identity federation (SURFconext) on behalf of educational and research institutions in the Netherlands.

This document describes the Registration practices for both Identity Providers and Service Providers, as well as information on metadata aggregation for EduGAIN.

1. Identity Provider Practices

1.1    Identity Provider Registration Practices
Only institutions that belong to the SURFnet target group may join SURFnet and thus join SURFconext. The SURFnet target group consists of:

  • Research universities
  • University hospitals and tertiary medical teaching hospitals (STZs)
  • Hogescholen (i.e. “universities of applied sciences”)
  • Research institutes and comparable institutions
  • Company R&D departments
  • Libraries
  • Other institutions financed by the Dutch Ministry of Education, Culture and Science.

For an Identity Provider to join the SURFconext, the following requirements must be met:

  • The institution must have signed the SURFconext Identity Provider contract.
  • The institution must have passed technical validation to the SURFconext test environment.
  • The institution must provide technical and administrative contact information.

SURFnet operates an opt-in model for institutions, where the institution must agree explicitly to be connected to a specific Service Provider and to release attributes to this specific Service Provider.

1.2    Identity Provider Registration Practices for eduGAIN
There are no additional eduGAIN practices for Identity Providers.

2 Service Provider Practices

2.1    Service Provider Registration Practices
For a Service Provider to join the SURFconext, the following requirements must be met:

  • The Service Providers must have signed the SURFconext Service Provider contract.
  • The Service Provider must provide SURFconext with a description of the service.
  • The Service Provider must provide SURFconext with a description of the technical and administrative contact details.
  • The Service Provider must provide SURFconext with the list of minimally required attributes for using the service.

2.2    Service Provider Registration Practices for eduGAIN
The practices below are in addition to the “Service Provider Registration Practices above.

  • SURFnet will only publish metadata to eduGAIN for Service Providers that are connected to the SURFconext production environment.
  • The Service Provider must explicitly request to connect to eduGAIN through SURFconext.
  • The Service Provider must provide eduGAIN compliant SAML 2.0 metadata to SURFconext.
  • The metadata provided by the Service Provider that is re-published by SURFconext to eduGAIN is updated by the SURFconext operational team by request of the Service Provider. Service Providers can request an update of their metadata by contacting the SURFconext operational team at surfconext-beheer@surfnet.nl.

SURFnet validates the Service Provider information including the attribute requirements, before accepting the Service Provider to the production environment.

3.    SURFnet Metadata Aggregate for eduGAIN
SURFnet maintains an aggregate of all metadata it exposes to eduGAIN on the following location:

https://wayf.surfnet.nl/federate/surfnet/edugain

The metadata document signature can be validated using the following X.509 certificate:

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIJAL90CxMEVb/kMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEPMA0GA1UE
ChMGVEVSRU5BMQwwCgYDVQQLEwNJVFMxHjAcBgNVBAMTFWh0dHBzOi8vdGVyZW5h
Lm9yZy9zcDEdMBsGCSqGSIb3DQEJARYOYWFpQHRlcmVuYS5vcmcwHhcNMTEwMTEy
MTUyNjM4WhcNMjEwMTExMTUyNjM4WjCBjDELMAkGA1UEBhMCTkwxCzAJBgNVBAgT
Ak5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEMMAoGA1UE
CxMDSVRTMR4wHAYDVQQDExVodHRwczovL3RlcmVuYS5vcmcvc3AxHTAbBgkqhkiG
9w0BCQEWDmFhaUB0ZXJlbmEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwTxx8JBWSpBJiZgdvGOJDXLwaE29Opx1CBbIrYHm47Oy4btsf0BzCmfd
SPDlydDm6//355hsQU8BgIh/waEwFZZCg/XyzrJEXCDTZBm1H210aT7FNp356azq
KOO1bYWcku0xpFOWWf3jCIkjtOiTkbl12Tw7Y+zJRhV2+jleC5td3JxZ6k1qotgN
+1cGwZ2Tv2HhSNeMC4QsGOyBqeP+7B1CLFqFZSiLWGVqcZi0fGkXf+SrTSEH/kLz
dciEg2EePyQPcLCKNz9RiIhSmsLE/Rr1ksOvZGmyWFe7YsPyJOLsNyYcZTufDVwp
l9fDuJdYy2GdMT1kSNNOpZXZ7QcgYwIDAQABo4H0MIHxMB0GA1UdDgQWBBQ6tVqj
pKC8+30XF/qWlaZ3fUKTvDCBwQYDVR0jBIG5MIG2gBQ6tVqjpKC8+30XF/qWlaZ3
fUKTvKGBkqSBjzCBjDELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQH
EwlBbXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEMMAoGA1UECxMDSVRTMR4wHAYD
VQQDExVodHRwczovL3RlcmVuYS5vcmcvc3AxHTAbBgkqhkiG9w0BCQEWDmFhaUB0
ZXJlbmEub3JnggkAv3QLEwRVv+QwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF
AAOCAQEAn+06i7zZE7MjuB68gCaNvnCkrgfumi4PWiP6kaE6+LU2MTbxdFyoSAoK
h6Ft9TDi+8ANAsn5jRQ5xLUE4YoVbub/KufMwdlX0zO9i+Q//npDTFESnWsiMi7D
Hg/av1LtzrYYZvE2E1e5c/7wo/axx8Bk7qsE9YXFRs372vDkDwOGSkLbRtgwdCUX
47CE/fXvccPDHH217XMed2cVOGFjQgidsFZlJbSfSvQjWYw5LIE0wo9RtsEu5I3W
AIar8Wr6/nhVOgIBUStpcw94GwlPxLywfij5CJ9HT+sN2SOj4YmKPBtcwHI75uNZ
p7XRy85jRjrvhahg5baIQ0u3aL8aMA==
-----END CERTIFICATE-----
  • No labels