The eduPersonEntitlement attribute is used to indicate a user’s entitlement to access a specific service or resource. For example, its most widely used value, urn:mace:dir:entitlement:common-lib-terms, is used to indicate eligibility to access licensed content from information publishers.
Relationship to eduPersonScopedAffiliation Library information providers often support both eduPersonEntitlement and eduPersonScopedAffiliation as a means of limiting access to licensed resources.
…
In our ongoing work to integrate library journal and platform providers, it has become apparent that we need to support the eduPersonEntitlement attribute. Support for this attribute has therefore been added to the Federation hub, as well as the test identity and service providers.
To ease transition and to lower barriers to entry, the Federation hub may automatically generate a value for eduPersonEntitlement from eduPersonAffilation if none is supplied by the identity provider. Details of this are in the attribute definition. (You can avoid having eduPersonEntitlement auto-generated by supplying more accurate value(s).)
…
Testing an Identity Provider The most obvious way to test an Identity Provider is to make use of SAFIRE’s Test Service Provider (https://testsp.safire.ac.za/). This SP is always aware of SAFIRE’s full attribute set and emulates a locally connected SP. By logging in, Identity Provider administrators are able to test their integration with SAFIRE as well as their own attribute release. (Likewise, end users can use it to see what attributes their home institution releases about them.)
…
As a courtesy, we monitor the reachability of the various South African identity providers and make that information available at monitor.safire.ac.za.
The monitoring system initiates a single sign-on request, and reports the outcome as follow:
Green means that we completed all the tests and found something that looked like a login page.
Yellow means that we got as far as what we think should be a login page, but didn’t find a username field on it. The institution’s own monitoring or I.T. help desk may be able to provide more information.
Red means that we weren’t able to contact the identity provider for some reason. This could be because there’s a network problem or that the there’s some problem with the identity provider (service not running, certificates expired, metadata expired, etc).
The monitoring output shows the hosts we passed through on the way to what we believe is the login page. It may also give details of any problem(s) that were encountered.
…
This post documents SAFIRE’s experiments with, and ultimate deployment of, a smartcard-based HSM for SAML metadata signing in the hope that we can help other emerging federations along the way.
…
These instructions are based on the Shibboleth documentation and have not been extensively tested. If you use Shibboleth IdPv4, please feel free to submit revisions if necessary.
The Shibboleth Identity Provider has good documentation, and so this is not a complete/worked example of how to configure it. Instead this provides the SAFIRE-specific snippets you may need when working through that documentation.
Configuring a metadata provider to fetch SAFIRE metadata The Shibboleth Identity Provider provides a FileBackedHTTPMetadataProvider that allows you to periodically fetch metadata. You should use this to keep SAFIRE’s metadata up-to-date, checking for new metadata at least once a day (the example below checks every four hours).
…