Microsoft recommends integrating Entra ID into SAFIRE via a SAML Proxy such as Shibboleth, which mirror’s the R&E federation communty’s guidence. While it is possible to connect Microsoft Entra ID directly into SAFIRE, this has several caveats and cannot be guaranteed as a long-term solution. This documentation assumes that you already have an Microsoft Entra ID tenant correctly configured and provisioned with your institution’s user accounts. To configure Microsoft Entra ID as an identity provider for SAFIRE, you need to configure SAML-based SSO. Doing so requires you do three things: …

Types of certificates SAML installations typically use at least two1 different certificates: one of the public facing portions of a website, and one to establish a private trust relationship between providers. Whilst it is possible to use the same certificate for these two roles, this is not best practice nor is it recommended. …

This documentation will guide you through the Microsoft Entra ID (Azure AD) configuration process as an authentication source in SimpleSAMLphp. By integrating Entra ID in this way, you can retain your users’ familiar login experience while leveraging SimpleSAMLphp’s flexibility to fetch and/or manipulate attributes from Entra ID and other sources. While SAFIRE can directly work with Entra ID or SimpleSAMLphp (as explained in our Configuring Entra ID SAML-based SSO for SAFIRE and Configuring SimpleSAMLphp for SAFIRE documentation), you may find yourself in a situation where this approach better fits your use case. …

There is considerable interest in leveraging SAFIRE and eduGAIN to integrate with the various library information providers, such as academic content, journal, and database publishers. Information providers variously term this “Shibboleth”, “SAML” or “Institutional” logins, and in most cases are already integrated with other federations around the world. The following documents the integration status of various providers in SAFIRE. Association for Computing Machinery (ACM) Status No SA institutions listed by default Login link terminology Sign in via your Institution Documentation http://libraries.acm.org/subscriptions-access/authentication Authorization attribute(s) eduPersonEntitlement American Chemical Society Status Tested, Working Login link terminology Find my institution Status since January 2021 This provider appears to have adopted SeamlessAccess for login, which is a new standard that greatly improves the user experience. …

On Friday 30 June we’ll be performing a major version upgrade of the software that’s at the core of SAFIRE’s federation hub. Although no downtime is expected, you can expect the following: All users will need to re-authenticate the first time they access a service after the upgrade; There will be cosmetic changes to the user interface, particularly in the information transfer notice. …

This theme generator has been updated for SimpleSAMLphp 2.0.x A number of people seem to find SimpleSAMLphp’s theming system intimidating. To aid with this, we’ve written a simple theme generator for SimpleSAMLphp. The generator takes SSP’s stock templates and massages them to include some branding – amongst other things, a logo on the top left of the page and corporate colours in the header bar. The generator is a bash script, and is available here. It takes a number of command line options which can be used to manipulate the resulting theme: …

TENET’s trust & identity team run regular information sharing sessions covering SAFIRE and other services. A full schedule of forthcoming events is available at events.tenet.ac.za. …

SimpleSAMLphp has good documentation, and so this is not a complete/worked example of how to configure it. Instead this provides the SAFIRE-specific snippets you may need when working through that documentation. Configuring metarefresh to fetch SAFIRE metadata You should use the metarefresh and cron modules to manage SAFIRE’s metadata automatically. SimpleSAMLphp provides documentation on automated metadata management which explains the basics of how you set this up. This document assumes you have a working cron module and have installed and enabled metarefresh. …

This is a recipe for rolling over (changing) your SAML signing certificate and the associated private key without a service affecting outage. NB! You should be aware that this process is NOT instantaneous, and requires proper planning to ensure your users can continue using your provider without incident. Therefore, you need to begin the process well before the expiry of your existing SAML signing certificate (plan for at least a week). If you let your certificate expire, your users may not be able to log in, and it will take some time to recover from this. …

Note: While it is possible to use ADFS with SAFIRE, it has known interoperatability problems with the sort of multi-party federation used in the R&E world. SAFIRE’s architecture shields you from some of these effects, but you do sacrifice some flexibility and control. In order to configure Active Directory Federation Services (ADFS) as an identity provider for SAFIRE, you need to do four things: Create a Relying Party Trust that fetches the federation hub’s metadata from https://metadata.safire.ac.za/safire-hub-metadata.xml Configure claim rules to map AD LDAP attributes to SAFIRE’s attributes Configure a claim rule to generate eduPersonAffiliation from some internal role mapping Configure a claim rule to generate a transient NameID and then map this internal claim as a Name ID of type urn:oasis:names:tc:SAML:2.0:nameid-format:transient Scripted configuration Ensure you make adequate backups before executing any script from this site …