'Ucam Federation' IdP metadata: Difference between revisions

From RavenWiki
Jump to navigationJump to search
mNo edit summary
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{New Docs}}
If you just want your Shibboleth SP to be able to authenticate people from the University using Raven then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (on the other hand, if you want to be able to identify people from all the members of the UK federation then you need a different, bigger, set of metadata).
If you just want your Shibboleth SP to be able to authenticate people from the University using Raven then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (on the other hand, if you want to be able to identify people from all the members of the UK federation then you need a different, bigger, set of metadata).


In due course you'll be able to automatically access a signed metadata file describing the Raven IdP, but in the meantime here's a copy. Store it in a file called ucamfederation-idp-metadata.xml inside the same directory as the main shibboleth2.xml configuration file. Be careful not to corrupt or reformat this file when extracting it from this page - wikis are not the best vehicle for software distribution.
This Raven metadata can be collected from
 
<pre><nowiki>
<!--
Ucam federation IdP metadata
-->
<EntitiesDescriptor
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata  sstc-saml-schema-metadata-2.0.xsd  urn:mace:shibboleth:metadata:1.0  shibboleth-metadata-1.0.xsd  http://www.w3.org/2001/04/xmlenc#  xenc-schema.xsd  http://www.w3.org/2000/09/xmldsig#  xmldsig-core-schema.xsd"
  Name="https://shib.raven.cam.ac.uk/ucamfederation/" >
 
    <Extensions>
        <shibmeta:KeyAuthority
          xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
          VerifyDepth="3">
 
        <!--
        The KeyAuthority element's VerifyDepth attribute must be at least as
        large as the verification depth required by each root certificate
        below.
        -->
           
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 
            <!--
            GTE CyberTrust Global Root
            * CN=GTE CyberTrust Global Root,
              OU=GTE CyberTrust Solutions, Inc.,
              O=GTE Corporation, C=US
 
            This is used to sign:
 
            * CN=Cybertrust Educational CA, OU=Educational CA,
              O=Cybertrust, C=BE
 
            This in turn is used to sign SureServer EDU end certificates.
            One intermediate CA below the root, so requires a verification
            depth of at least 2.
 
            Validity
              Not Before: Aug 13 00:29:00 1998 GMT
              Not After : Aug 13 23:59:00 2018 GMT
            -->
                <ds:X509Data>
                    <ds:X509Certificate>MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </shibmeta:KeyAuthority>
    </Extensions>
    <EntityDescriptor entityID="https://shib.raven.cam.ac.uk/shibboleth">
 
        <Extensions>
            <shibmeta:Scope
              xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
              regexp="false">cam.ac.uk</shibmeta:Scope>
            <shibmeta:Scope
              xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
              regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
        </Extensions>
 
        <IDPSSODescriptor
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
            <Extensions>
                <shibmeta:Scope
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                  regexp="false">cam.ac.uk</shibmeta:Scope>
                <shibmeta:Scope
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                  regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
            </Extensions>
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <ArtifactResolutionService
              Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
              Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/Artifact"
              index="1"></ArtifactResolutionService>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <SingleSignOnService
              Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
              Location="https://shib.raven.cam.ac.uk/shibboleth-idp/SSO"></SingleSignOnService>
        </IDPSSODescriptor>
 
        <AttributeAuthorityDescriptor
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
            <Extensions>
                <shibmeta:Scope
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                  regexp="false">cam.ac.uk</shibmeta:Scope>
                <shibmeta:Scope
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                  regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
            </Extensions>
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <AttributeService
              Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
              Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/AA"></AttributeService>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        </AttributeAuthorityDescriptor>
 
        <Organization>
            <OrganizationName
              xml:lang="en">University of Cambridge</OrganizationName>
            <OrganizationDisplayName
              xml:lang="en">University of Cambridge (pilot)</OrganizationDisplayName>
            <OrganizationURL
              xml:lang="en">http://www.cam.ac.uk/</OrganizationURL>
        </Organization>
 
        <ContactPerson contactType="support">
            <GivenName>Raven Support</GivenName>
            <EmailAddress>mailto:raven-support@ucs.cam.ac.uk</EmailAddress>
        </ContactPerson>
 
        <ContactPerson contactType="technical">
            <GivenName>Jon</GivenName>
            <SurName>Warbrick</SurName>
            <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
        </ContactPerson>
 
        <ContactPerson contactType="administrative">
            <GivenName>Jon</GivenName>
            <SurName>Warbrick</SurName>
            <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
        </ContactPerson>


    </EntityDescriptor>
https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml


</EntitiesDescriptor>
The [[Shibboleth2.xml - internal use skeleton|internal use example shibboleth.xml file]] configures <tt>shibd</tt> to automatically load this data over the network and to cache it locally.


</nowiki></pre>
In due course this file might be signed.

Latest revision as of 11:42, 3 March 2020

We're working on improving Raven resources for developers and site operators.

Try out the new Raven documentation for size.

If you just want your Shibboleth SP to be able to authenticate people from the University using Raven then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (on the other hand, if you want to be able to identify people from all the members of the UK federation then you need a different, bigger, set of metadata).

This Raven metadata can be collected from

https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml

The internal use example shibboleth.xml file configures shibd to automatically load this data over the network and to cache it locally.

In due course this file might be signed.