SP registration: Difference between revisions

From RavenWiki
(→ Remain Anonymous: Link to how to register)
(Updated - anonymous interworking no longer possible)
Line 1:
Shibboleth SPs normally need to have pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate. This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that save each SP from having to register individually with each IdP with which it wants to interwork.
Prior to 2012, Raven provided limited support for unregistered entities - this is no longer the case.


Operators of SPs in the University currently have the following choices as far as registration is concerned.
==Remain Anonymous==
The option of remaining anonymous is about to be withdrawn following the [[Shibboleth Identity Provider 2012 Upgrade]]. Anyone deploying a new SP in the University is encouraged to at least [[SP registration#Register in the 'Ucam federation' | register in the 'Ucam federation']].
<s>The Raven IdP is unusual in that it will provide authentication and some attribute values to any SP even if it knows nothing about it. It is therefore possible to completely avoid registering an SP if it will only interact with Raven.
The downside to this is that Raven will describe such a service as an 'Unknown Service Provider' when asking people for permission to release information to it, and only a limited number of attributes will be released (see [[Attributes released by the Raven IdP#Completely unregistered ('Anonymous')|Attributes released by the Raven IdP - Completely unregistered]]). In addition, attempts to use the Browser/Artifact profile will fail (with the SP reporting an 'opensaml::BindingException' with the reason 'Invalid HTTP method (POST)' for reasons that are explained [https://spaces.internet2.edu/display/SHIB/PostToArtifactHandler here]).
However one of the attributes that is released carries the authenticated user's 'eduPerson Principal Name' which includes their CRSid. This may be sufficient for replicating UcamWebauth-based functionality.
An anonymous SP is unlikely to be able to authenticate users against any IdPs other than the one provided by Raven.</s>


==Register in the 'Ucam federation'==


The 'Ucam federation' consists of the Raven IdP and a set of local SPs that Raven has been explicitly configured to recognise. University SPs in the Ucam federation (or in the UK federation [[#UK federation|see below]]) receive a much larger list of attributes - see [[Attributes released by the Raven IdP#Registered SPs|Attributes released by the Raven IdP - Registered SPs]] and [[Attributes released by the Raven IdP#University SPs|Attributes released by the Raven IdP University SPs]]. Such SPs can also use the Browser/Artifact profile, but are still unlikely to be able to authenticate users against any IdPs other than the one provided by Raven.
The 'Ucam federation' consists of the Raven IdP and a set of local SPs that Raven has been explicitly configured to recognise. Such sites are unlikely to be able to authenticate users against any IdPs other than the one provided by Raven.


To register an SP in the Ucam federation, the person taking responsibility for operating the web site should send an email to [mailto:raven-support@ucs.cam.ac.uk raven-support@ucs.cam.ac.uk] containing the following:
Line 35 (old) / Line 25 (new):
Membership of the UK federation is subject to the [http://www.ukfederation.org.uk/library/uploads/Documents/rules-of-membership.pdf Rules of membership for the federation] which the University has accepted. Operators of SPs within the University must agree that their SPs will be operated within the rules before their SP can be registered in it.


The UK federation has more restrictive requirements than the Ucam federation. In particular it requires that the SP supports https:, at least for access to the various URLs used internally by Shibboleth, and that the SSL certificate used to protect both 'browser' access to the SP and the certificate used for direct communication between the SP and the IdP be issued by one of a number of approved global CAs. Self-signed certificates are not acceptable. See [[SSL, certificates and security with Shibboleth]] for more information. [Note that (as of November 2009) this is no longer entirely accurate - contact [mailto:raven-support@ucs.cam.ac.uk raven-support] if you need more details]
The UK federation has more restrictive requirements than the Ucam federation. In particular it requires that the SP supports https:, at least for access to the various URLs used internally by Shibboleth. See [[SSL, certificates and security with Shibboleth]] for more information.


Instructions on configuring an SP to work within the federation are available at
Line 52 (old) / Line 42 (new):
See [[SP Metadata]] for information on generating metadata.


Raven Support will contact the sender of the request and any additional addresses specified once the application has been accepted by the UK federation and the corresponding metadata published and loaded into Raven.
Raven Support will contact the sender of the request and any additional addresses specified once the application has been accepted by the UK federation and the corresponding metadata published.


There is no value in registering an SP in both the Ucam and UK federations - a request to be registered in the UK federation will be taken as a request to also remove any Ucam federation registration.
Line 58 (old) / Line 48 (new):
==Register in some other federation==


Other federations exist, in particular [http://www.incommonfederation.org/ InCommon] that provides similar facilities in the USA to those provided by the UK federation here. The University is not at present a member of any other federations and this may (depending on the relevant federation rules) prevent University SPs from being registered in them.  


If a University SP needs to register in any such federations and action is needed centrally by the University to make this happen then the person responsible for the site should contact [mailto:raven-support@ucs.cam.ac.uk raven-support@ucs.cam.ac.uk] in the first instance. The process of joining a federation can be protracted involving as it does legally-binding contracts that have to be considered in detail, so as much notice as possible needs to be given. SP operators must accept that in some cases it may be impossible for the University to join some federations and that it may therefore be impossible to register their SP in them - SP operators are urged not to commit themselves to membership before they confirm if it is actually possible.
==Inter-working with arbitrary IdPs==
It is entirely possible for an SP to arrange to inter-work with one or more IdPs that are not part of any recognised federation, either instead of registering with recognised federations or alongside doing so. This will involve coming to agreements with each IdP on Data Protection and other administrative issues, and then collecting and loading metadata describing each IdP into your SP. Instructions for doing this are beyond the scope of this document, but [mailto:raven-support@ucs.cam.ac.uk Raven Support] may be able to advise.

Revision as of 16:57, 20 June 2012

Shibboleth SPs normally need to have pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate. This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that save each SP from having to register individually with each IdP with which it wants to interwork.

Prior to 2012, Raven provided limited support for unregistered entities - this is no longer the case.

Operators of SPs in the University currently have the following choices as far as registration is concerned.

Register in the 'Ucam federation'

The 'Ucam federation' consists of the Raven IdP and a set of local SPs that Raven has been explicitly configured to recognise. Such sites are unlikely to be able to authenticate users against any IdPs other than the one provided by Raven.

To register an SP in the Ucam federation, the person taking responsibility for operating the web site should send an email to raven-support@ucs.cam.ac.uk containing the following:

  • A clear statement that registration in the Ucam federation is being requested.
  • A name and email address of one or more people or roles responsible for the server. They can be identified as being 'technical', 'support', 'administrative', 'billing', or 'other'. This will default to 'technical' and the name and email address of the person sending the email.
  • A short name (a few words at most) to identify the site.
  • The URL of a web page providing a description of the organisation providing the service.
  • A copy of the automatically generated metadata for your SP (see SP Metadata for information on generating metadata).

Raven Support will contact the sender of the request and any additional addresses specified once the application has been accepted and the corresponding metadata loaded into Raven.

Register in the 'UK federation'

The UK federation provides federation services to the UK education sector. Members include universities, colleges and schools in the UK, and their suppliers. The University of Cambridge is a member of the UK federation and contact with it is managed by Management Liaison contacts forming part of Raven Support. The University can register SPs in the federation and such SPs can interwork with IdPs in peer organisations, opening up the possibility of authenticating people elsewhere in UK education to web sites in Cambridge.

Membership of the UK federation is subject to the Rules of membership for the federation which the University has accepted. Operators of SPs within the University must agree that their SPs will be operated within the rules before their SP can be registered in it.

The UK federation has more restrictive requirements than the Ucam federation. In particular it requires that the SP supports https:, at least for access to the various URLs used internally by Shibboleth. See SSL, certificates and security with Shibboleth for more information.

Instructions on configuring an SP to work within the federation are available at

 http://www.ukfederation.org.uk/content/Documents/Setup2SP

Once configured with the correct certificate installed, the person taking responsibility for operating the web site should send an email to raven-support@ucs.cam.ac.uk (not directly to the federation) containing the following:

  • A clear statement that registration in the UK federation is being requested
  • An undertaking to abide by the Federation Rules

and all the information listed towards the bottom of

 http://www.ukfederation.org.uk/content/Documents/Register2SP

See SP Metadata for information on generating metadata.
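Before the automatically generated metadata is emailed to Raven Support, it is worth checking it against the points the registration text above asks for: the Shibboleth endpoints must be served over https:, the metadata must carry a certificate for the SP's direct communication with the IdP, and a responsible contact should be identified. The following checker is an added example written for this page; it is not code from RavenWiki, Raven Support or the Shibboleth project. It uses only the Python standard library, and the two metadata documents embedded in it (hostname sp.example.cam.ac.uk, the certificate text and the contact address) are constructed placeholders, not real registrations.

```python
"""Pre-registration sanity checks for Shibboleth SP metadata (added example).

Checks the properties the UK federation registration text on this page
requires, using only the standard library. Sample metadata below is
constructed for illustration; sp.example.cam.ac.uk and the certificate
text are placeholders, not real values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Elements whose Location/ResponseLocation attributes are the URLs used
# internally by Shibboleth; the UK federation requires these to be https.
ENDPOINT_TAGS = (
    "md:AssertionConsumerService",
    "md:SingleLogoutService",
    "md:ArtifactResolutionService",
)


def check_sp_metadata(xml_text):
    """Return a list of human-readable findings; an empty list means the
    metadata passes every check this script knows about."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor: this is not SP metadata"]

    # Every Shibboleth endpoint must be reachable over https.
    for tag in ENDPOINT_TAGS:
        for ep in sp.findall(tag, NS):
            for attr in ("Location", "ResponseLocation"):
                loc = ep.get(attr)
                if loc and urlsplit(loc).scheme != "https":
                    findings.append("%s %s is not https: %s"
                                    % (tag.split(":")[1], attr, loc))

    # A certificate is needed for direct SP <-> IdP communication.
    certs = sp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no X509Certificate in any KeyDescriptor")

    # Registration asks for at least one responsible person or role
    # (technical, support, administrative, billing or other).
    if root.find("md:ContactPerson", NS) is None:
        findings.append("no md:ContactPerson (registration asks for a "
                        "responsible contact)")
    return findings


# Constructed sample: passes all checks.
GOOD_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.cam.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.cam.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:webmaster@sp.example.cam.ac.uk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# Constructed sample: plain http endpoint, no certificate, no contact.
BAD_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.cam.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.cam.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        result = check_sp_metadata(doc)
        print(label, "->", result or "OK")
```

Run it against the file produced by your SP (for example by reading the metadata document the SP serves and passing its text to check_sp_metadata) before sending the registration request; an empty result does not prove the federation will accept the metadata, only that the points listed on this page are not obviously missing.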

Raven Support will contact the sender of the request and any additional addresses specified once the application has been accepted by the UK federation and the corresponding metadata published.

There is no value in registering an SP in both the Ucam and UK federations - a request to be registered in the UK federation will be taken as a request to also remove any Ucam federation registration.

Register in some other federation

Other federations exist, in particular InCommon that provides similar facilities in the USA to those provided by the UK federation here. The University is not at present a member of any other federations and this may (depending on the relevant federation rules) prevent University SPs from being registered in them.

If a University SP needs to register in any such federations and action is needed centrally by the University to make this happen then the person responsible for the site should contact raven-support@ucs.cam.ac.uk in the first instance. The process of joining a federation can be protracted involving as it does legally-binding contracts that have to be considered in detail, so as much notice as possible needs to be given. SP operators must accept that in some cases it may be impossible for the University to join some federations and that it may therefore be impossible to register their SP in them - SP operators are urged not to commit themselves to membership before they confirm if it is actually possible.

Inter-working with arbitrary IdPs

It is entirely possible for an SP to arrange to inter-work with one or more IdPs that are not part of any recognised federation, either instead of registering with recognised federations or alongside doing so. This will involve coming to agreements with each IdP on Data Protection and other administrative issues, and then collecting and loading metadata describing each IdP into your SP. Instructions for doing this are beyond the scope of this document, but Raven Support may be able to advise.