Nelson Mandela Metropolitan University and the University of Cape Town have both recently signed the Participation Agreement and join SAFIRE as full participants.
UCT has further completed technical integration as an identity provider and thus becomes the first South African university to be able to benefit from SAFIRE’s membership of eduGAIN.
eduGAIN logo
The eduGAIN steering group voted last week to admit the South African Identity Federation, SAFIRE, as its 41st member and the first fully participating member from Africa.
In simple terms, eduGAIN it is the web equivalent of the eduroam wireless roaming service — it is an academic inter-federation with 41 member countries from around the world. South Africa’s membership of eduGAIN will provide local academics and researchers with an easy way to log into over a thousand participating services worldwide using their home organisation’s username and password. Federated identity services play an increasingly critical role in facilitating access to big science projects, and so South Africa’s participation in this space is an important milestone towards allowing South African scientists to collaborate in international research.
…
SAFIRE has its first few formal signatories to the new Participation Agreement, ushering in the next phase of the South African Identity Federation. Stellenbosch University became the first university (and identity provider) to sign, and the Square Kilometer Array South Africa became the first major South African service provider. In addition, Kivuto Inc became the first non-South African organisation to join as a service provider. We welcome all three to SAFIRE, and the start of what we hope is a long and fruitful relationship.
…
As a hub-and-spoke identity federation, SAFIRE directly handles the personal information of users. Recognising that security is a key concern, an external vulnerability assessment of SAFIRE’s publicly-visible infrastructure was recently undertaken by the SANReN Computer Security Incident Response Team (CSIRT). The purpose of this assessment was to ensure that SAFIRE’s web servers complied with best practices and to try and preemptively mitigate any security problems.
The resulting report raised a number of relatively minor concerns. As far as is practical, these have all been addressed — either by actively identifying the finding as a false positive (expected behaviour) or by altering configurations to remediate the problem. Some of the CSIRT findings resulted in patches being submitted back to the original software projects, allowing others to benefit from our discoveries.
…
Identity provider proxies allow the hub-and-spoke federation to appear as a full mesh, at least for the purposes of IdP discovery. This means that service providers can make use of local discovery and see a list of individual SAFIRE identity providers rather than seeing a single entry for the whole federation.
In turn, this eliminates the “double discovery” problem for service providers that use local discovery to select amongst a number of different federations (e.g. sites that use DiscoJuice or derivatives). Instead of clicking through two discovery interfaces (local to select the federation, central to select the IdP), end users can select their identity provider directly at the SP.
…
To emphasise it’s South African heritage, SAFIRE’s federation hub uses the name iziko within its entity ID and as a publicly visible website address. While it’s not expected that many of SAFIRE’s users will notice this, it is worth explaining the origin of the hub’s name — particularly for those outside of South Africa who may view it in metadata.
…
To aid providers in preparing new metadata for the transition, we’ve developed a simple online SAML metadata validation tool. This tool applies very similar rules to SAFIRE’s metadata aggregator. The tool is not intended to be normative (we may accept metadata that the validator finds problematic or vice versa). Instead it is intended to allow providers to get early feedback on potential problems with their metadata.
You can access the metadata validator at https://validator.safire.ac.za/.
…
Metadata is the basis of trust in any federation, and this makes the key management practices for metadata signing particularly important.
In response to suggestions from other federation operators, we’ve decided to try and get this “right” from the beginning — at least as far is actually practical for a small federation in its early stages. And “right” means that we should store our metadata signing key in some form of hardware security module.
…
SAFIRE is in the process of transitioning, both in architecture (from full-mesh to hub-and-spoke) and governance (from the SCA to TENET). The purpose of this post is to provide more detail on the transitional arrangements.
…