SP registration
Revision as of 17:26, 11 March 2009
Shibboleth SPs normally need to have pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate. This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that reduce the need for each SP to register individually with each IdP with which it wants to interwork.
Operators of SPs in the University currently have the following choices.
Remain Anonymous
The Raven IdP is unusual in that it will provide authentication and some attribute values to any SP even if it knows nothing about it. As a result it is possible to completely avoid registration. The downside to this is that Raven will describe such a service as an 'Unknown Service Provider' when asking people for permission to release information to it, and only a limited number of attributes will be released (see Attributes released by the Raven IdP - Completely unregistered). In addition, attempts to use the Browser/Artifact profile will fail (with the SP reporting an 'opensaml::BindingException' with the reason 'Invalid HTTP method (POST)'), for reasons that are explained here.
However, one of the attributes that is released carries the authenticated user's 'eduPerson Principal Name', which includes their CRSid. This may be sufficient for replacing UcamWebauth-based functionality.
An anonymous SP is unlikely to be able to authenticate users against any IdPs other than the one provided by Raven.
Register in the 'Ucam federation'
The 'Ucam federation' consists of the Raven IdP and a set of local SPs that Raven has been explicitly configured to recognise. University SPs in the Ucam federation (or in the UK federation see below) receive a much larger list of attributes - see Attributes released by the Raven IdP - Registered SPs and Attributes released by the Raven IdP University SPs. Such SPs can also use the Browser/Artifact profile.
To register an SP in the Ucam federation, the person taking responsibility for operating the corresponding web server should send an email to raven-support@ucs.cam.ac.uk containing the following:
- A clear statement that registration in the Ucam federation is being requested
- A name and email address of one or more people or roles responsible for the server. They can be identified as being 'technical', 'support', 'administrative', 'billing', or 'other'. This will default to the name and email address of the person sending the email.
- A short name (a few words at most) to identify your site.
- The URL of a web page providing a description of the organisation providing the service.
- A copy of the automatically generated metadata for your SP.
The default configuration files specify an automatic metadata generator which will generate metadata matching your configuration. You can access it at
http://<host-name>/Shibboleth.sso/Metadata
or
https://<host-name>/Shibboleth.sso/Metadata
Please attach this metadata file to your email registration request: do not embed its contents within the email message.
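Before attaching the generated metadata, it is worth checking that it describes the SP you intend to register: the entityID, the AssertionConsumerService endpoints and the certificate are what the Raven IdP will trust once the registration is processed. The script below is an added example and is not part of the original page or of the Shibboleth project; it assumes only the default /Shibboleth.sso/Metadata handler named above, and the host name, entityID and certificate in the embedded sample are constructed placeholders.

```python
"""Sanity-check a Shibboleth SP's auto-generated metadata before registration.

Added example (not from the wiki page or the Shibboleth project). Assumes the
default metadata generator at https://<host-name>/Shibboleth.sso/Metadata.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample resembling what the SP's generator emits. The host name,
# entityID and certificate body are placeholders, not a real deployment.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.cam.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.cam.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.cam.ac.uk/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://sp.example.cam.ac.uk/Shibboleth.sso/SAML/POST" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(host):
    """Fetch the live metadata from the SP's generator handler (needs network)."""
    with urllib.request.urlopen(f"https://{host}/Shibboleth.sso/Metadata") as resp:
        return resp.read()


def summarise(metadata_bytes):
    """Extract the fields a federation registrar will look at."""
    root = ET.fromstring(metadata_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; is this really an SP?")
    certs = [
        c.text.strip()
        for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    return {"entityID": root.get("entityID"), "certificates": certs, "acs": acs}


def check(summary):
    """Return a list of problems that would make the registration unusable."""
    problems = []
    if not summary["entityID"]:
        problems.append("missing entityID")
    if not summary["certificates"]:
        problems.append("no KeyDescriptor certificate: the IdP cannot encrypt assertions to this SP")
    for _binding, location in summary["acs"]:
        # Assertions carry attributes about the user; endpoints must be HTTPS.
        if urlparse(location).scheme != "https":
            problems.append(f"non-HTTPS AssertionConsumerService: {location}")
    hosts = {urlparse(loc).hostname for _, loc in summary["acs"]}
    if len(hosts) > 1:
        problems.append(f"endpoints span several host names: {sorted(hosts)}")
    return problems


if __name__ == "__main__":
    data = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    summary = summarise(data)
    print("entityID:", summary["entityID"])
    for binding, location in summary["acs"]:
        print("ACS:", binding.rsplit(":", 1)[-1], location)
    for problem in check(summary):
        print("PROBLEM:", problem)
```

Run it with the SP's host name as the only argument to inspect the live metadata; with no argument it checks the embedded sample, which deliberately contains one plain-HTTP SAML 1 endpoint so that the problem report is visible. Whatever is printed, send the registrar the unmodified file from the generator, not an edited copy.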