
Version 1.0, last edited 12 February 2012

SURFnet operates a hub-and-spoke identity federation (SURFconext) on behalf of educational and research institutions in the Netherlands.

This document describes the registration practices for both Identity Providers and Service Providers, as well as how SURFnet aggregates metadata for eduGAIN.

1. Identity Provider Practices

1.1 Identity Provider Registration Practices
Only institutions that belong to the SURFnet target group may join SURFnet and thus join SURFconext. The SURFnet target group consists of:

  • Research universities
  • University hospitals and tertiary medical teaching hospitals (STZs)
  • Hogescholen (i.e. “universities of applied sciences”)
  • Research institutes and comparable institutions
  • Company R&D departments
  • Libraries
  • Other institutions financed by the Dutch Ministry of Education, Culture and Science.

For an Identity Provider to join SURFconext, the following requirements must be met:

  • The institution must have signed the SURFconext Identity Provider contract.
  • The institution must have passed technical validation against the SURFconext test environment.
  • The institution must provide technical and administrative contact information.

SURFnet operates an opt-in model for institutions: an institution must explicitly agree to be connected to a specific Service Provider and to release attributes to that Service Provider.

1.2 Identity Provider Registration Practices for eduGAIN
There are no additional eduGAIN practices for Identity Providers.

2. Service Provider Practices

2.1 Service Provider Registration Practices
For a Service Provider to join SURFconext, the following requirements must be met:

  • The Service Provider must have signed the SURFconext Service Provider contract.
  • The Service Provider must provide SURFconext with a description of the service.
  • The Service Provider must provide SURFconext with technical and administrative contact details.
  • The Service Provider must provide SURFconext with the list of minimally required attributes for using the service.

2.2 Service Provider Registration Practices for eduGAIN
The practices below are in addition to the “Service Provider Registration Practices” above.

  • SURFnet will only publish metadata to eduGAIN for Service Providers that are connected to the SURFconext production environment.
  • The Service Provider must explicitly request to connect to eduGAIN through SURFconext.
  • The Service Provider must provide eduGAIN compliant SAML 2.0 metadata to SURFconext.
  • The metadata provided by the Service Provider that is re-published by SURFconext to eduGAIN is updated by the SURFconext operational team by request of the Service Provider. Service Providers can request an update of their metadata by contacting the SURFconext operational team at support@surfconext.nl.

SURFnet validates the Service Provider information, including the attribute requirements, before accepting the Service Provider into the production environment.

3. SURFnet Metadata Aggregate for eduGAIN
SURFnet maintains an aggregate of all metadata it exposes to eduGAIN at the following location:

https://wayf.surfnet.nl/metadata/edugain/downstream.xml

The metadata document signature can be validated using the following X.509 certificate:

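A consumer-side pre-check of the published aggregate, as an added example that is not part of this document or of SURFnet's tooling: it pins the out-of-band certificate by SHA-256 fingerprint, refuses the document when the certificate embedded in ds:KeyInfo differs from the pin or validUntil has passed, and hands the actual XML-DSig verification to xmlsec1 (assumed installed, invoked with its --verify and --pubkey-cert-pem options). The certificate bytes and the sample aggregate are constructed stand-ins, not SURFnet's real certificate or metadata.

```python
"""Pre-checks for a signed SAML metadata aggregate. Added example, not SURFnet code;
PINNED_PEM and SAMPLE_AGGREGATE are constructed stand-ins, and the real signature
check is delegated to xmlsec1 against the certificate SURFnet publishes."""
import base64
import hashlib
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STAND_IN_DER = b"constructed-stand-in-for-the-published-surfnet-cert"  # not a real cert
PINNED_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(STAND_IN_DER).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    ID="_aggregate" validUntil="2012-03-01T00:00:00Z">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(STAND_IN_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/saml"/>
</md:EntitiesDescriptor>"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the certificate's DER bytes."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def embedded_cert_matches_pin(xml_text: str, pinned_pem: str) -> bool:
    """The cert inside ds:KeyInfo is attacker-controlled input: trust comes only
    from comparing it (by SHA-256 of the DER) with the pin obtained out of band."""
    node = ET.fromstring(xml_text).find(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return False
    embedded = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(embedded).digest() == hashlib.sha256(pem_to_der(pinned_pem)).digest()

def aggregate_is_current(xml_text: str, now_iso: str) -> bool:
    """Refuse an aggregate past its validUntil: a stale but still validly signed copy
    would otherwise keep removed entities trusted."""
    valid_until = ET.fromstring(xml_text).get("validUntil")
    if valid_until is None:
        return False
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML uses 'Z'
    return to_dt(now_iso) < to_dt(valid_until)

def verify_signature_with_xmlsec1(path: str, pinned_pem_path: str) -> bool:
    """Cryptographic check, delegated to xmlsec1 (assumed installed). --id-attr tells
    it which attribute the Reference URI points at in SAML metadata."""
    cmd = ["xmlsec1", "--verify", "--pubkey-cert-pem", pinned_pem_path, "--id-attr:ID",
           "urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor", path]
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

Run the pin and validUntil checks first and only then xmlsec1; a document that fails either should never reach the federation's trust store.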