In our ongoing work to integrate library journal and platform providers, it has become apparent that we need to support the eduPersonEntitlement attribute. Support for this attribute has therefore been added to the Federation hub, as well as the test identity and service providers.
At 00:00 SAST on 1 August 2017, the remaining entities in the old metadata aggregate at
will expire. Any provider who still has mention of the above URL in their configuration should remove it, as it will not be supported beyond the end of the month.
The University of Cape Town recently became the first SAFIRE identity provider to complete a self-assessment and express its compliance with the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). This makes SAFIRE the 16th federation worldwide to assert a Sirtfi-compliant IdP.
Testing an Identity Provider
The most obvious way to test an Identity Provider is to make use of SAFIRE’s Test Service Provider (https://testsp.safire.ac.za/). This SP is always aware of SAFIRE’s full attribute set and emulates a locally connected SP. By logging in, Identity Provider administrators are able to test their integration with SAFIRE as well as their own attribute release. (Likewise, end users can use it to see what attributes their home institution releases about them.)
You may also want to test how your Identity Provider looks outside of SAFIRE. The following are equivalent test service providers available from other federations in eduGAIN:
Each of the above should allow SAFIRE identity providers that have not opted out of eduGAIN to log in, and will show you what attributes are released. Note that the attribute release will be a subset of SAFIRE’s attributes, as defined by our attribute release policy.
Testing a Service Provider
In order to allow Service Providers to test that their service works correctly within SAFIRE, we’ve created the SAFIRE Test Identity Provider (https://testidp.safire.ac.za/). This is a limited-use IdP that allows the registered contacts for a service to create accounts that only work with their service (you need to have access to the technical or support contact email to generate accounts).
The Test IdP creates several different accounts with predefined profiles representing the different user types (academic staff, students, administrative staff) you might find at a typical South African institution. Service Provider administrators can see what attributes are available for each profile by choosing the “show account details” links once they have generated accounts. However, you should be aware that the attributes received by your Service Provider will depend on the attribute release policy that applies to it.
The SAFIRE Test Identity Provider is a local instance of the eduGAIN Access Check software and is registered within the SAFIRE Federation just as other South African identity providers are. It is not available within eduGAIN.
The eduGAIN Access Check identity provider is registered by Fédération Éducation-Recherche in France, and thus can be used by SAFIRE service providers who’ve opted into eduGAIN to further check that their integration with eduGAIN is working correctly and that users from other federations will be able to log in. It provides a slightly different set of user profiles to the SAFIRE instance, reflecting the many different user types around the world.
As a courtesy, we monitor the reachability of the various South African identity providers and make that information available at monitor.safire.ac.za.
The monitoring system initiates a single sign-on request, and reports the outcome as follows:
- Green means that we completed all the tests and found something that looked like a login page.
- Yellow means that we got as far as what we think should be a login page, but didn’t find a username field on it. The institution’s own monitoring or I.T. help desk may be able to provide more information.
- Red means that we weren’t able to contact the identity provider for some reason. This could be because there’s a network problem or that there’s some problem with the identity provider (service not running, certificates expired, metadata expired, etc).
The monitoring output shows the hosts we passed through on the way to what we believe is the login page. It may also give details of any problem(s) that were encountered.
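The green/yellow/red decision described above can be sketched as follows. This is an added example, not SAFIRE's monitoring code: the Probe record, the USERNAME_HINTS heuristic, the example.ac.za hosts and the choice to treat a non-200 response as red are all assumptions made for illustration.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Assumed heuristic: substrings that usually mark a username field on a login form.
USERNAME_HINTS = ("user", "login", "email", "uid")

@dataclass
class Probe:
    """Constructed record of one SSO attempt: URLs visited, then an error or the final page."""
    hops: list
    error: Optional[str] = None
    status: int = 0
    body: str = ""

class _InputScan(HTMLParser):
    """Look for a text-like <input> whose name or id suggests a username."""
    def __init__(self):
        super().__init__()
        self.username_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "input" and a.get("type", "text") in ("text", "email"):
            ident = a.get("name", "") + " " + a.get("id", "")
            if any(h in ident for h in USERNAME_HINTS):
                self.username_field = True

def classify(p: Probe):
    """Return (colour, hosts passed through, detail) in the terms the status page uses."""
    hosts = list(dict.fromkeys(urlsplit(u).hostname for u in p.hops))
    if p.error or p.status != 200:  # assumption: any non-200 final response counts as red
        return "red", hosts, p.error or f"HTTP {p.status}"
    scan = _InputScan()
    scan.feed(p.body)
    if scan.username_field:
        return "green", hosts, "login form with username field found"
    return "yellow", hosts, "reached a page but found no username field"

# Constructed samples; the yellow case is a login page rendered entirely by JavaScript.
HOPS = ["https://hub.example.ac.za/sso", "https://idp.example.ac.za/login"]
GREEN = Probe(HOPS, status=200,
              body='<form><input type="text" name="username"><input type="password" name="pw"></form>')
YELLOW = Probe(HOPS, status=200, body='<div id="app"></div><script src="/login.js"></script>')
RED = Probe(HOPS, error="certificate has expired")
```

A yellow result from a check like this often means the form is built client-side or uses an unusual field name, which is why the institution's own monitoring is the better source of detail.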
The SAFIRE transition plan has been updated to set an explicit end-of-life for the deprecated full-mesh federation. All existing identity providers within the full-mesh metadata will expire shortly after midnight on 1 July 2017.
Service provider entities will remain for a bit longer, and the decision to expire them will be based on the volume of logins we see through the transitional hub provider. However, the target date for this is 31 July 2017.
The African Research Cloud, a joint project of UCT, UWC and NWU, has joined SAFIRE as a service provider.
The Council for Scientific and Industrial Research (CSIR) has signed the Participation Agreement and joined SAFIRE as a full participant. The SANReN Competency Area at the CSIR incubated the SAFIRE project for several years, and we are delighted to formally welcome them into the Federation that they were so integral in establishing.
UCT has further completed technical integration as an identity provider and thus becomes the first South African university to be able to benefit from SAFIRE’s membership of eduGAIN.