technical Archive

Configuring SimpleSAMLphp for SAFIRE

SimpleSAMLphp has good documentation, and so this is not a complete/worked example of how to configure it. Instead this provides the SAFIRE-specific snippets you may need when working through that documentation. Configuring metarefresh to fetch SAFIRE metadata You should use the metarefresh and cron modules to manage SAFIRE’s metadata automatically. SimpleSAMLphp provides documentation on automated metadata management which explains the basics of how you set this up. This document assumes you have a working cron module and have installed and enabled metarefresh.

Performing a SAML certificate or key roll-over

This is a recipe for rolling over (changing) your SAML signing certificate and the associated private key without a service affecting outage. NB! You should be aware that this process is NOT instantaneous, and requires proper planning to ensure your users can continue using your provider without incident. Therefore, you need to begin the process well before the expiry of your existing SAML signing certificate (plan for at least a week).

Configuring ADFS for SAFIRE

Note: While it is possible to use ADFS with SAFIRE, it has known interoperatability problems with the sort of multi-party federation used in the R&E world. SAFIRE’s architecture shields you from some of these effects, but you do sacrifice some flexibility and control. In order to configure Active Directory Federation Services (ADFS) as an identity provider for SAFIRE, you need to do four things: Create a Relying Party Trust that fetches the federation hub’s metadata from https://metadata.

Support for REFEDS MFA

On the evening of Tuesday 11 January, we will deploy a number of changes to the SAFIRE Federation hub to allow for the bi-directional signalling of REFEDS MFA. No downtime is expected, and we do not anticipate any impact on any service- or identity-provider that does not currently support such signalling.

Configuring Azure AD SAML-based SSO for SAFIRE

The recommended way to integrate Azure AD into SAFIRE is via a SAML Proxy such as Shibboleth. While it is possible to connect Azure AD directly into SAFIRE, this has several caveats and cannot be guaranteed as a long-term solution. This documentation assumes that you already have an Azure Active Directory (Azure AD) tenant correctly configured and provisioned with your institution’s user accounts. To configure Azure AD as an identity provider for SAFIRE, you need to configure SAML-based SSO.

Generating eduPerson{Scoped}Affiliation from your internal directory

This page is intended to give you some ideas about how to generate eduPersonAffiliation and eduPersonScopedAffiliationi attribute that are useful to SAFIRE by reusing existing information you may already have in your internal directory services. What’s shown below are SimpleSAMLphp config snippets, but the ideas translate to pretty much all identity provider software. If you’re not using SimpleSAMLphp, hopefully the comments help you understand what is going on. All the authproc filters shown here are documented in SimpleSAMLphp’s docs.

Configuring Google Workspace (G Suite) as an IdP for SAFIRE

As a result of the baseline changes that occured in march 2021, it is no longer possible to directly integrate Google Workspace (G Suite) with SAFIRE without making schema changes. In particular, you would need to add support for the displayName and eduPersonScopedAffiliation attributes. As no current providers use Google Workspace, his document has not been updated to incorporate information on how to do that, nor has it been tested. It remains theoretically possible to integrate Google Workspace.

Integrating library information providers via SAFIRE

There is considerable interest in leveraging SAFIRE and eduGAIN to integrate with the various library information providers, such as academic content, journal, and database publishers. Information providers variously term this “Shibboleth”, “SAML” or “Institutional” logins, and in most cases are already integrated with other federations around the world. The following documents the integration status of various providers in SAFIRE. Association for Computing Machinery (ACM) Status No SA institutions listed by default Login link terminology Sign in via your Institution Documentation http://libraries.

South African Identity Federation