Adding a Service Provider to the Tuakiri Federation

Introduction

Even with Shibboleth SP installed, a Service Provider only becomes useful after registering it into a federation.

The Tuakiri federations to consider are:

  • Tuakiri: suitable for production systems only
  • Tuakiri-TEST: suitable for test and development systems

This document will cover adding a Service Provider to the Tuakiri or Tuakiri-TEST federation.

Federation Details

Tuakiri (production)

  • Federation name: Tuakiri
  • Metadata name: tuakiri.ac.nz
  • Metadata distribution point: https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml
  • Metadata signing certificate: https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem
  • Federation Registry URL: https://registry.tuakiri.ac.nz/
  • Discovery Service / WAYF URL: https://directory.tuakiri.ac.nz/ds/DS

Tuakiri-TEST (test and development)

  • Federation name: Tuakiri TEST
  • Metadata name: test.tuakiri.ac.nz
  • Metadata distribution point: https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml
  • Metadata signing certificate: https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem
  • Federation Registry URL: https://registry.test.tuakiri.ac.nz/
  • Discovery Service / WAYF URL: https://directory.test.tuakiri.ac.nz/ds/DS

Registration

Note
In order to be able to submit a registration request for a Service Provider through the Metadata Tool, it is required that you are able to log in with a Tuakiri login, either with a user account at a Tuakiri member organisation or at the Tuakiri Virtual Home.

The Tuakiri Service Desk can either provision you with an account on the Virtual Home, or perform the registration on your behalf.

Please contact Tuakiri Service Desk if you do not have a valid account with an IdP registered in the federation and/or the Tuakiri Virtual Home.

Start the registration by navigating to the Tuakiri federation management site https://registry.tuakiri.ac.nz/ (or, for Tuakiri-TEST federation, https://registry.test.tuakiri.ac.nz/).

Follow the instructions for Using the Metadata Tool.

A few special points to consider for an SP:

  1. The Metadata Tool also collects information about registered services that is used to produce the Tuakiri Service Catalogue. Part of this information is the Service URL, the URL that users use to access your service. Please record this URL in the Metadata Tool (in the ServiceInfo section) to allow your service to be included in the Service Catalogue.

  2. Requested Attributes: in the Metadata Tool, Requested Attributes are added in the AttributeConsumingService section. Please copy pre-defined attributes from the provided list.

    Note
    Persistent NameID

    Please note that with the IdPv3 upgrade, Tuakiri is moving from passing Persistent NameIDs in the eduPersonTargetedID attribute to passing them as a Persistent SAML2 NameID. When registering a new SP requesting a persistent NameID, please request both the eduPersonTargetedID attribute (for interoperability with IdPs that have not migrated to SAML2 NameID) and a NameID of Persistent format. This can be done by including the SAML 2.0 Persistent NameIDFormat (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) in your SP metadata. If not sure, please get in touch with the Tuakiri Service Desk.

    Note
    eduPersonEntitlement attribute

    Please note: if intending to request the eduPersonEntitlement attribute, the attribute request will have to be augmented with the specific values requested. Please get in touch with the Tuakiri Service Desk if requesting eduPersonEntitlement.
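The two notes above can be checked mechanically against the SP metadata you are about to register. The script below is an added example (not Tuakiri's or Shibboleth's own tooling): it parses standard SAML 2.0 SP metadata and reports whether the persistent NameIDFormat is declared, whether eduPersonTargetedID is requested, and whether eduPersonEntitlement is requested without specific values. The sample SP metadata, its entityID and the entitlement value in the usage are constructed for this example; the attribute OIDs are the standard eduPerson ones, not Tuakiri-specific values.

```python
"""Added example: check SP metadata against the persistent NameID and
eduPersonEntitlement registration notes. Not Tuakiri or Shibboleth code;
the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Standard eduPerson attribute OIDs (well-known values, not Tuakiri-specific).
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"        # eduPersonTargetedID
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"   # eduPersonEntitlement


def check_sp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means both notes are satisfied."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor found; this is not SP metadata"]

    problems = []

    # Note 1, part 2: the persistent NameIDFormat must be declared.
    formats = {e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text}
    if PERSISTENT not in formats:
        problems.append("NameIDFormat %s is not declared" % PERSISTENT)

    # Collect RequestedAttribute entries, keyed by both OID Name and FriendlyName,
    # together with any saml:AttributeValue children (the requested values).
    requested = {}
    for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        values = [v.text for v in ra.findall("saml:AttributeValue", NS) if v.text]
        for key in (ra.get("Name"), ra.get("FriendlyName")):
            if key:
                requested[key] = values

    # Note 1, part 1: eduPersonTargetedID must still be requested for IdPs that
    # have not migrated to SAML2 persistent NameIDs.
    if EPTID not in requested and "eduPersonTargetedID" not in requested:
        problems.append("eduPersonTargetedID is not requested (needed for IdPs not yet on SAML2 NameID)")

    # Note 2: an eduPersonEntitlement request must carry the specific values wanted.
    entitlement_values = requested.get(ENTITLEMENT, requested.get("eduPersonEntitlement"))
    if entitlement_values is not None and not entitlement_values:
        problems.append("eduPersonEntitlement is requested without the specific values required")
    return problems


# Constructed sample: persistent NameIDFormat and eduPersonTargetedID are fine,
# but eduPersonEntitlement is requested with no values, which the check flags.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonTargetedID"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="eduPersonEntitlement"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for problem in check_sp_metadata(SAMPLE_SP_METADATA):
        print("PROBLEM:", problem)
```

Run it against the metadata your SP serves (for Shibboleth SP, the Metadata handler output) before submitting the registration; the entitlement values themselves have to be agreed with the Service Desk, as the note says.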

Configuring Shibboleth SP

For full information (including setup instructions for a new install), please see Installing Shibboleth SP on RedHat based Linux.

The key part of it (relevant for an already set-up SP that is just joining Tuakiri) is:

  • Download the metadata signing certificate for the federation metadata into /etc/shibboleth:
    • For Tuakiri, run:

      wget https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O /etc/shibboleth/tuakiri-metadata-cert.pem
      
    • or for Tuakiri-TEST, run:

      wget https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O /etc/shibboleth/tuakiri-test-metadata-cert.pem
      
  • Load the federation metadata: add the following (or equivalent) section into /etc/shibboleth/shibboleth2.xml just above the sample (commented-out) MetadataProvider element.
    • For Tuakiri add:

              <MetadataProvider type="XML" url="https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml"
                      backingFilePath="metadata.tuakiri.xml" reloadInterval="7200" validate="true">
                  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                  <MetadataFilter type="Signature" certificate="tuakiri-metadata-cert.pem" verifyBackup="false"/>
              </MetadataProvider>
      
    • For Tuakiri-TEST, add instead:

              <MetadataProvider type="XML" url="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
                      backingFilePath="metadata.tuakiri-test.xml" reloadInterval="7200" validate="true">
                  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                  <MetadataFilter type="Signature" certificate="tuakiri-test-metadata-cert.pem" verifyBackup="false"/>
              </MetadataProvider>
      
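The two MetadataFilter elements in the snippets above are what make the federation metadata trustworthy: the Signature filter refuses an aggregate that is not signed with the downloaded certificate, and RequireValidUntil with maxValidityInterval="2419200" (28 days) refuses an aggregate that has no validUntil or that claims validity further ahead than that, so a stale signed copy cannot be served to the SP indefinitely. The script below is an added example (not Shibboleth SP code) that applies those two rules to a metadata document so their effect can be seen on concrete input. It only checks that a ds:Signature element is present; verifying the signature itself needs an XML-DSig library and the signing certificate, which is the Signature filter's job. The aggregate, its entityID and the validUntil date are constructed for this example.

```python
"""Added example: apply the RequireValidUntil and Signature-presence rules from
the shibboleth2.xml MetadataProvider snippet to a metadata document.
Not Shibboleth SP code; the sample aggregate below is constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
MAX_VALIDITY_INTERVAL = 2419200  # seconds (28 days), as in the snippet above


def parse_xsd_datetime(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-05-29T00:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat accepts 'Z' only from Python 3.11
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_metadata(xml_text: str, now: str, max_interval: int = MAX_VALIDITY_INTERVAL):
    """Return (accepted, reason) for a metadata document evaluated at time `now`,
    an xsd:dateTime string passed in explicitly so results are reproducible."""
    root = ET.fromstring(xml_text)
    now_dt = parse_xsd_datetime(now)

    # Signature filter: unsigned metadata must never be trusted. Only the
    # presence of the element is checked here, not the signature itself.
    if root.find(DS_SIGNATURE) is None:
        return False, "metadata carries no ds:Signature"

    # RequireValidUntil: validUntil must be present and no more than
    # max_interval seconds in the future.
    value = root.get("validUntil")
    if value is None:
        return False, "metadata has no validUntil attribute"
    valid_until = parse_xsd_datetime(value)
    if valid_until <= now_dt:
        # Shibboleth refuses expired metadata at load time; folded in here.
        return False, "metadata has expired"
    remaining = (valid_until - now_dt).total_seconds()
    if remaining > max_interval:
        return False, "validUntil is %d s away, more than maxValidityInterval=%d" % (remaining, max_interval)
    return True, "ok (valid for another %d s)" % remaining


# Constructed sample aggregate; the Signature element is a placeholder only.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="tuakiri.ac.nz" validUntil="2024-05-29T00:00:00Z">
  <ds:Signature><!-- placeholder --></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.ac.nz/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    # Exactly 28 days before validUntil: accepted. 29 days before: rejected.
    for now in ("2024-05-01T00:00:00Z", "2024-04-30T00:00:00Z", "2024-06-01T00:00:00Z"):
        print(now, check_metadata(SAMPLE_AGGREGATE, now))
```

A quick offline check of the real aggregate after the first download is to run the same function over /etc/shibboleth/metadata.tuakiri.xml with the current time; if the federation ever published an aggregate with a longer validity window, shibd would log a metadata filter error and keep the previous backing file, and this reproduces why.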
Documentation