eduGAIN Integration

Previous Next

This tutorial is part of the eduGAIN Series.

Back to eduGAIN

Category: Advanced

Difficulty: 4 out of 5

Duration: 30 minutes

1. Overview 2. Software Version 3. EduGAIN Metadata 4. Requesting Attributes - eduGAIN IdPs 5. Requesting Attributes - Federation Manager 6. Discovery Service Mechanism for SPs 7. Next Steps

Find a mistake? Let us know the issue here.

EduGAIN Metadata


Consuming eduGAIN Metadata

EduGAIN metadata contains all the authorised entities with which AAF service providers and identity providers can interact. The AAF provides a Metadata distribution service for eduGAIN. These include:

  • All eduGAIN Identity Providers
  • All eduGAIN Service Providers that identify as Research and Scholarly entity categories
  • Other eduGAIN Service Providers requested by AAF subscriber organisations and approved by the AAF.

To participate in eduGAIN, AAF Service Providers and Identity Providers must:

  • consume the eduGAIN metadata
  • agree to and abide by the AAF eduGAIN Participant Rules


Production Federation

Service Providers in the Production federation will use the AAF eduGAIN metadata. The AAF digitally signs the eduGAIN metadata. A service MUST use the public key to verify metadata documents whenever they are retrieved. To confirm that you have obtained the correct key, ensure the PEM file you have downloaded conforms to the following:

$> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem
         subject= /O=Australian Access Federation/CN=AAF Metadata
         notBefore=Nov 24 04:27:20 2015 GMT
         notAfter=Dec  9 04:27:20 2035 GMT
         SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A


Configuring a Shibboleth Service Provider (SP)

For a service provider using the Shibboleth SP software, the following changes to the /etc/shibboleth/shibboleth2.xml file are necessary.

Add the following configuration element as a child element of the element:

<MetadataProvider type="XML" uri="https://md.aaf.edu.au/aaf-edugain-metadata.xml"
    backingFilePath="eduGAIN-metadata.aaf.xml" reloadInterval="7200">
           <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
           <MetadataFilter type="Signature" certificate="aaf-metadata-cert.pem"/>
        </MetadataProvider>

The AAF digitally signs the eduGAIN metadata with the same certificate as the AAF metadata. Restart the Shibboleth service provider to load the change.


Testing

To verify that the SP is consuming the eduGAIN metadata, check the Shibboleth logs for any errors and that the metadata file is downloading correctly to the “backingFilePath” /var/cache/eduGAIN-metadata.aaf.xml.

The Shibboleth log files should indicate any issues if the software does not load the eduGAIN metadata. It may be necessary to increase the log-level to DEBUG to log all relevant details.

If the SP does not successfully load the metadata and the logs fail to highlight the cause of the failure, contact AAF Support for assistance.

Non-Shibboleth Service Providers

For non-shibboleth SAML service providers, consult the relevant documentation for the software on how to consume federation metadata. AAF Support can provide some support for non-shibboleth software at this time.


Test Federation

Though eduGAIN does not provide a test federation, the AAF does provide a test eduGAIN metadata feed for services in the AAF Test Federation. This feed enables testing of an SP to verify configuration changes before applying them to a production service.

Up Next:

4. Requesting Attributes - eduGAIN IdPs