Metadata Archive

End of SAFIRE transition period

At 00:00 SAST on 1 August 2017, the remaining entities in the old metadata aggregate at https://discservice.sanren.ac.za/safire.xml will expire. Any provider who still has mention of the above URL in their configuration should remove it, as it will not be supported beyond the end of the month.

Monitoring of Identity Providers

As a courtesy, we monitor the reachability of the various South African identity providers and make that information available at monitor.safire.ac.za. The monitoring system initiates a single sign-on request, and reports the outcome as follow: Green means that we completed all the tests and found something that looked like a login page. Yellow means that we got as far as what we think should be a login page, but didn’t find a username field on it. The institution’s own monitoring or I.T. help desk may be able to provide more information. Red means that we weren’t able to contact the identity provider for some reason. This could be because there’s a network problem or that the there’s some problem with the identity provider (service not running, certificates expired, metadata expired, etc). The monitoring output shows the hosts we passed through on the way to what we believe is the login page. It may also give details of any problem(s) that were encountered.

Generating certificates for SAFIRE

Types of certificates SAML installations typically use at least two different certificates: one of the public facing portions of a website, and one to establish a private trust relationship between providers. Whilst it is possible to use the same certificate for these two roles, this is not best practice nor is it recommended. The technical requirements for identity- and service-providers definitively specify the requirements and recommendations for these two types of certificates.

Configuring G Suite (Google Apps) as an IdP for SAFIRE

G Suite for Education (formally Google Apps) includes a limited SAML identity provider. Because SAFIRE is a hub-and-spoke federation, this can be configured to work as an identity provider within SAFIRE — the federation will do the work of integrating service providers, avoiding the need to add each one individually. Note that we use G Suite’s Primary Email for eduPersonPrincipalName (and Name ID) because it corresponds to the username people log in with.

Configuring ADFS for SAFIRE

In order to configure Active Directory Federation Services (ADFS) as an identity provider for SAFIRE, you need to do four things: Create a Relying Party Trust that fetches the federation hub’s metadata from https://metadata.safire.ac.za/safire-hub-metadata.xml Configure claim rules to map AD LDAP attributes to SAFIRE’s attributes Configure a claim rule to generate eduPersonAffiliation from some internal role mapping Configure a claim rule to generate a transient NameID and then map this internal claim as a Name ID of type urn:oasis:names:tc:SAML:2.

Configuring Shibboleth Identity Provider for SAFIRE

These instructions are based on the Shibboleth documentation and have not been extensively tested. If you use Shibboleth IdPv3, please feel free to submit revisions if necessary. The Shibboleth Identity Provider has good documentation, and so this is not a complete/worked example of how to configure it. Instead this provides the SAFIRE-specific snippets you may need when working through that documentation. Configuring a metadata provider to fetch SAFIRE metadata The Shibboleth Identity Provider provides a FileBackedHTTPMetadataProvider that allows you to periodically fetch metadata.

Configuring Shibboleth Service Provider for SAFIRE

The Shibboleth Service Provider has good documentation, and so this is not a complete/worked example of how to configure it. Instead, this provides the SAFIRE-specific snippets you may need when working through that documentation. Configuring a metadata provider to fetch SAFIRE metadata Shibboleth Service Provider provides a dynamic metadata provider that allows you to periodically fetch metadata. You should use this to keep SAFIRE’s metadata up-to-date, checking for new metadata at least once a day (the example below checks every four hours).

Configuring SimpleSAMLphp for SAFIRE

SimpleSAMLphp has good documentation, and so this is not a complete/worked example of how to configure it. Instead this provides the SAFIRE-specific snippets you may need when working through that documentation. Configuring metarefresh to fetch SAFIRE metadata You should use the metarefresh and cron modules to manage SAFIRE’s metadata automatically. SimpleSAMLphp provides documentation on automated metadata management which explains the basics of how you set this up. This document assumes you have a working cron module and have enabled metarefresh.

South African Identity Federation