SP registration: Difference between revisions

From RavenWiki
Jump to navigationJump to search
(→‎Register in the 'UK federation': Link to UK federation metadata file)
m (Remove old information. Tidy layout.)
Line 1: Line 1:
Shibboleth SPs almost always need pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate. This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that avoid each SP having to register individually with each IdP with which it wants to interwork.
'''Shibboleth Service Providers (SPs) almost always need pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate.'''


Prior to 2012, Raven provided limited support for unregistered entities - this is no longer the case.
This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that avoid each SP having to register individually with each IdP with which it wants to interwork.


Operators of SPs in the University currently have the following choices as far as registration is concerned.
Operators of SPs in the University currently have the following choices as far as registration is concerned.


==Register in the 'Ucam federation'==
==Register in the 'Ucam federation'==
''[This describes the revised Ucam federation registration procedure introduced in September 2014. Prior to this, registrations were managed by sending email to Raven Support. All previously registrations were imported into the new system when it was implemented, and in almost all cases at least one initial 'authorised user' was identified for each registration - typically the person who first made it]''


The members of the 'Ucam federation' are the Raven IdP and those local SPs that Raven has been configured to recognise. Such SPs won't automatically be able to authenticate users against any IdPs other than the one provided by Raven.
The members of the 'Ucam federation' are the Raven IdP and those local SPs that Raven has been configured to recognise. Such SPs won't automatically be able to authenticate users against any IdPs other than the one provided by Raven.
Line 15: Line 15:
   https://metadata.raven.cam.ac.uk/
   https://metadata.raven.cam.ac.uk/


To register an SP you'll need to supply
'''To register an SP you'll need to supply'''


* A short name for it
* A short name for it
Line 23: Line 23:
* A copy of the SAML metadata for the SP - see [[SP Metadata]] for information on generating metadata and why you need to be careful about using http: vs.  https:
* A copy of the SAML metadata for the SP - see [[SP Metadata]] for information on generating metadata and why you need to be careful about using http: vs.  https:


The Shibboleth Metadata administration site expects to receive metadata generated the Shibboleth Consortium SP software. It should be possible to upload any syntactically-valid metadata, but in some cases this may need to be edited before submission. Unfortunately the site currently responds badly ('Internal server error') to some things it doesn't like, rather than producing a helpful error message. Changes you may need to make:
 
* Remove any XML declaration at the start of the metadata (e.g. remove <?xml version="1.0" encoding="UTF-8"?>)
'''NOTES'''
* If the metadata consists of an <EntitiesDescriptor> element wrapping an <EntityDescriptor> then remove the <EntitiesDescriptor> element by deleting its opening and closing tags, but transfer any XML namespace declarations (attributes starting 'xmlns:') from the <EntitiesDescriptor> element to the <EntityDescriptor> element.
::The Shibboleth Metadata administration site expects to receive metadata generated by the Shibboleth Consortium SP software. It should be possible to upload any syntactically-valid metadata, but in some cases this may need to be edited before submission. Unfortunately the site currently responds badly ('Internal server error') to some things it doesn't like, rather than producing a helpful error message. Changes you may need to make:
* Remove any ID= attribute from the <EntityDescriptor> (only necessary if metadata has already been uploaded with the same ID
 
::* Remove any XML declaration at the start of the metadata (e.g. remove <?xml version="1.0" encoding="UTF-8"?>)
::* If the metadata consists of an <EntitiesDescriptor> element wrapping an <EntityDescriptor> then remove the <EntitiesDescriptor> element by deleting its opening and closing tags, but transfer any XML namespace declarations (attributes starting 'xmlns:') from the <EntitiesDescriptor> element to the <EntityDescriptor> element.
::* Remove any ID= attribute from the <EntityDescriptor> (only necessary if metadata has already been uploaded with the same ID)
 


SPs are automatically classified as 'internal' or 'external', based on the hostnames used in the various service endpoint URLs in the metadata. Internal sites (those that exclusively use hostnames ending .cam.ac.uk) automatically get access to [[Attributes released by the Raven IdP#University SPs | the extended attribute information available to SP operated by the University]]. External sites (all the rest) don't automatically get access to this extra information. This automatic classification can be administratively overridden in appropriate cases on application to Raven Support.
SPs are automatically classified as 'internal' or 'external', based on the hostnames used in the various service endpoint URLs in the metadata. Internal sites (those that exclusively use hostnames ending .cam.ac.uk) automatically get access to [[Attributes released by the Raven IdP#University SPs | the extended attribute information available to SP operated by the University]]. External sites (all the rest) don't automatically get access to this extra information. This automatic classification can be administratively overridden in appropriate cases on application to Raven Support.


The way access to registrations is controlled is simple. The person who initially registers an SP automatically becomes an 'authorised user' with permission to subsequently modify or delete this registration. Users will see a list of the registrations that they are responsible for on the front page of the administration site.  
How we control access to these SP registrations is simple. The person who initially registers an SP automatically becomes an 'authorised user' with permission to subsequently modify or delete this registration. Users will see a list of the registrations that they are responsible for on the front page of the administration site.  


Authorised users can add and remove further authorised users - every registration should have several current authorised users to guard against administrators leaving the University, being temporally unavailable, etc. The one limitation is that an authorised user can't remove themselves - they have to get another authorised users to do this for them. This helps to guard against changes that can't easily be undone.
Authorised users can add and remove further authorised users - every registration should have several current authorised users to guard against administrators leaving the University, being temporally unavailable, etc. The one limitation is that an authorised user can't remove themselves - they have to get another authorised users to do this for them. This helps to guard against changes that can't easily be undone.


Changes made on the administration site should be reflected on the the Raven IdP in under a minute.
Changes made on the administration site should be reflected on the the Raven IdP in around a minute.
 
'''SPs with no current authorised users and no working contact addresses may be de-registered without notice.'''
 
The aggregated UCam Federation metadata file is available at http://shib.raven.cam.ac.uk/ucamfederation-sp-metadata.xml.


SPs with no current authorised users and no working contact addresses may be de-registered without notice.


The aggregates UCam Federation metadata file is available at http://shib.raven.cam.ac.uk/ucamfederation-sp-metadata.xml.


==Register in the 'UK federation'==
==Register in the 'UK federation'==

Revision as of 13:25, 1 November 2018

Shibboleth Service Providers (SPs) almost always need pre-arranged relationships with the Identity Providers (IdPs) against which they want to authenticate.

This allows the IdPs to decide what information they want to release to which SPs. This is normally managed by joining one or more 'federations' and registering SPs with them. Federations are administrative organisations that avoid each SP having to register individually with each IdP with which it wants to interwork.

Operators of SPs in the University currently have the following choices as far as registration is concerned.


Register in the 'Ucam federation'

The members of the 'Ucam federation' are the Raven IdP and those local SPs that Raven has been configured to recognise. Such SPs won't automatically be able to authenticate users against any IdPs other than the one provided by Raven.

Anyone with a current Raven account can register and subsequently manage an SP in the Ucam Federation without further formality. Registrations are managed by the Shibboleth Metadata administration site at

 https://metadata.raven.cam.ac.uk/

To register an SP you'll need to supply

  • A short name for it
  • Optionally a longer description
  • The University institution (department, college, etc) responsible for the SP
  • At least one email contact address of a person or role responsible for the SP - role addresses are greatly preferred
  • A copy of the SAML metadata for the SP - see SP Metadata for information on generating metadata and why you need to be careful about using http: vs. https:


NOTES

The Shibboleth Metadata administration site expects to receive metadata generated by the Shibboleth Consortium SP software. It should be possible to upload any syntactically-valid metadata, but in some cases this may need to be edited before submission. Unfortunately the site currently responds badly ('Internal server error') to some things it doesn't like, rather than producing a helpful error message. Changes you may need to make:
  • Remove any XML declaration at the start of the metadata (e.g. remove <?xml version="1.0" encoding="UTF-8"?>)
  • If the metadata consists of an <EntitiesDescriptor> element wrapping an <EntityDescriptor> then remove the <EntitiesDescriptor> element by deleting its opening and closing tags, but transfer any XML namespace declarations (attributes starting 'xmlns:') from the <EntitiesDescriptor> element to the <EntityDescriptor> element.
  • Remove any ID= attribute from the <EntityDescriptor> (only necessary if metadata has already been uploaded with the same ID)


SPs are automatically classified as 'internal' or 'external', based on the hostnames used in the various service endpoint URLs in the metadata. Internal sites (those that exclusively use hostnames ending .cam.ac.uk) automatically get access to the extended attribute information available to SP operated by the University. External sites (all the rest) don't automatically get access to this extra information. This automatic classification can be administratively overridden in appropriate cases on application to Raven Support.

How we control access to these SP registrations is simple. The person who initially registers an SP automatically becomes an 'authorised user' with permission to subsequently modify or delete this registration. Users will see a list of the registrations that they are responsible for on the front page of the administration site.

Authorised users can add and remove further authorised users - every registration should have several current authorised users to guard against administrators leaving the University, being temporally unavailable, etc. The one limitation is that an authorised user can't remove themselves - they have to get another authorised users to do this for them. This helps to guard against changes that can't easily be undone.

Changes made on the administration site should be reflected on the the Raven IdP in around a minute.

SPs with no current authorised users and no working contact addresses may be de-registered without notice.

The aggregated UCam Federation metadata file is available at http://shib.raven.cam.ac.uk/ucamfederation-sp-metadata.xml.


Register in the 'UK federation'

The UK federation provides federation services to the UK education sector. Members include universities, colleges and schools in the UK, and their suppliers. The University of Cambridge is a member of the UK federation and contact with it is managed by Management Liaison contacts forming part of Raven Support. The University can register SPs in the federation and such SPs can interwork with IdPs in peer organisations, opening up the possibility of authenticating people elsewhere in UK education to web sites in Cambridge.

Membership of the UK federation is subject to the Rules of membership for the federation which the University has accepted. Operators of SPs within the University must agree that their SPs will be operated within the rules before their SP can be registered in it.

The UK federation has more restrictive requirements than the Ucam federation. In particular it requires that the SP supports https:, at least for access to the various URL's used internally by Shibboleth. See SSL, certificates and security with Shibboleth for more information.

Instructions on configuring an SP to work within the federation are available at

 http://www.ukfederation.org.uk/content/Documents/Setup2SP

Once configured with the correct certificate installed, the person taking responsibility for operating the web site should send an email to raven-support@ucs.cam.ac.uk (not direct to the federation) containing the following:

  • A clear statement that registration in the UK federation is being requested
  • An undertaking to abide by the Federation Rules

and all the information listed towards the bottom of

 http://www.ukfederation.org.uk/content/Documents/Register2SP

See SP Metadata for information on generating metadata.

Raven Support will contact the sender of the request and any additional addresses specified once the application has been accepted by the UK federation and the corresponding metadata published.

The Raven IdP loads metadata for all UK federation SPs. There is no value, and some potential problems, in registering an SP in both the Ucam and UK federations. Administrators are advised to remove the Ucam federation registration for any site that they subsequently register in the UK federation once the site appears in the UK federation metadata file.

The aggregate UK federation metadata file is available at http://metadata.ukfederation.org.uk/ukfederation-metadata.xml (see UK federation Operational Information for more information). Caution: LARGE!

Register in some other federation

Other federations exist, in particular InCommon that provides similar facilities in the USA to those provided by the UK federation here. The University is not at present a member of any other federations and this may (depending on the relevant federation rules) prevent University SPs from being registered in them.

If a University SP needs to register in any such federations and action is needed centrally by the University to make this happen then the person responsible for the site should contact raven-support@ucs.cam.ac.uk in the first instance. The process of joining a federation can be protracted involving as it does legally-binding contracts that have to be considered in detail, so as much notice as possible needs to be given. SP operators must accept that in some cases it may be impossible for the University to join some federations and that it may therefore be impossible to register their SP in them - SP operators are urged not to commit themselves to membership before they confirm if it is actually possible.

Inter-working with arbitrary IdPs

It is entirely possible for an SP to arrange to inter-work with one or more IdPs that are not part of any recognised federation, either instead of registering with recognised federations or alongside doing so. This is will involve coming to agreements with each IdP on Data Protection and other administrative issues, and then collecting and loading metadata describing each IdP into your SP. Instructions for doing this are beyond the scope of this document, but Raven Support may be able to advise.