Technical Archive

Configuring Shibboleth Service Provider for SAFIRE

The Shibboleth Service Provider has good documentation, and so this is not a complete, worked example of how to configure it. Instead, this provides the SAFIRE-specific snippets you may need when working through that documentation.

Installing Shibboleth Service Provider

Note that some package repositories ship out-of-date and vulnerable versions of the Shibboleth SP. However, the Swiss federation operator (SWITCHaai) maintains up-to-date packages for Debian and Ubuntu.

Choose an entityID

Perhaps the single most important thing you can do is choose an entityID, which you’ll find in the stanza in shibboleth2.

Generating eduPersonPrincipalName from your internal directory

This page is intended to give you some ideas about how to generate an eduPersonPrincipalName attribute that is useful to SAFIRE by reusing existing unique user identifiers from your internal directory services. What’s shown below are SimpleSAMLphp config snippets, but the ideas translate to pretty much all identity provider software. If you’re not using SimpleSAMLphp, hopefully the comments help you understand what is going on. All the authproc filters shown here are documented in SimpleSAMLphp’s docs.

Generating certificates for SAFIRE

Types of certificates

SAML installations typically use at least two different certificates: one for the public-facing portions of a website, and one to establish a private trust relationship between providers. Whilst it is possible to use the same certificate for these two roles, this is not best practice, nor is it recommended. The technical requirements for identity and service providers definitively specify the requirements and recommendations for these two types of certificates.

Theme generator for SimpleSAMLphp

This theme generator was developed for SimpleSAMLphp 1.18.x and is no longer maintained. It should still work with SimpleSAMLphp 1.19.x, but may need a few tweaks. It will not work for SimpleSAMLphp 2.0.x, as the theming mechanism changes completely. A number of people seem to find SimpleSAMLphp’s theming system intimidating. To aid with this, we’ve written a simple theme generator for SimpleSAMLphp. The generator takes SSP’s stock templates and massages them to include some branding, amongst other things a logo on the top right of the page and corporate colours in the header bar.

SAML 101 - An intro to SAML for sysadmins

This document intends to be a quick primer on SAML for those who want to get on with the rest of their to-do list. SAML seems big and scary because it has a lot of decisions and moving parts. But the reality is that many of these decisions have already been made for you, and you don’t need to know about the moving parts to make it work for you. Thus this primer attempts to distill the most important bits in a way that’s easy to skim.

Generating eduPersonEntitlement

The eduPersonEntitlement attribute is used to indicate a user’s entitlement to access a specific service or resource. For example, its most widely used value, urn:mace:dir:entitlement:common-lib-terms, is used to indicate eligibility to access licensed content from information publishers.

Relationship to eduPersonScopedAffiliation

Library information providers often support both eduPersonEntitlement and eduPersonScopedAffiliation as a means of limiting access to licensed resources. It is likely that there is significant overlap between values used for eduPersonAffiliation (and thus eduPersonScopedAffiliation).

Support for eduPersonEntitlement added

In our ongoing work to integrate library journal and platform providers, it has become apparent that we need to support the eduPersonEntitlement attribute. Support for this attribute has therefore been added to the Federation hub, as well as to the test identity and service providers. To ease transition and to lower barriers to entry, the Federation hub may automatically generate a value for eduPersonEntitlement from eduPersonAffiliation if none is supplied by the identity provider.

South African Identity Federation