Federation related
What is a federation?
What does a federation provide you?
What is the Belnet R&E Federation?
Technical framework related
What is the technical framework?
What systems are used to install IdP or SP software?
How do I install an IdP (identity provider)?
How do I install an SP (service provider)?
Need more information about Shibboleth?
How to configure federated login with the Office 365 IdP?
Need more information about SAML2?
Need more information about the metadata and the discovery service?
Need more information about the attributes?
Extensions: what is the MDUI?
Need more technical information and useful links?
Platform related
How do I upload my metadata to the platform?
How do I correct an XML code uploaded to the platform?
Where to find the Federation's global metadata?
What is a federation?
A federation is a collection of organizations that agree to interoperate under a common rule set. A federation generally defines the attributes its members exchange and their meaning, and distributes metadata describing the participating identity providers and service providers.
In general, each organization participating in a federation operates one identity provider for its users and any number of service providers. With a single login, a student or staff member can access online applications at all participating organizations.
What does a federation provide you?
Without a federation, a user registers separately with each resource they want to access and usually receives a new username and password pair (credentials) for each one. Users and administrators face the following problems:
- Too many credentials: users receive a separate username and password for every resource they want to access.
- Complicated user registration: each resource administrator has to register the users themselves.
A federation simplifies the processes for all parties involved:
- Simplified registration: a user only needs to register once, with their own organization. This 'home organisation' is responsible for the user's information and provides the user with their credentials.
- Simplified administration: thanks to the single login, it is easier to streamline administration within the organization.
- Authentication: the user's home organization carries out the authentication and can, at the resource's request and with the user's consent, provide additional information about the user to the resource.
- Access control: the resource makes the access decision based on the information it has retrieved about the user.
A federation is based on the idea that resources rely on user authentication performed at the user's home organization and obtain from it the information about the user they need for their own authorization decisions.
What is the Belnet R&E Federation?
The Belnet R&E Federation brings together higher education and research institutions connected to the Belnet network on a common infrastructure to offer students and employees access to online services.
The Belnet R&E Federation offers easy and secure access to a range of services and information resources. One single login - the login from your home organization - is all you need to access internal (e.g. web site and web mail) and external resources (e.g. scientific publications, Belnet services including FileSender and Antispam ...).
What is the technical framework?
A student's username/password combination (their credentials) used to be valid only on the university or college campus. With identity federation, the same credentials can be used outside the institution's boundaries: the technology allows a local login to be used for outside applications, while keeping the exchange secure (signed and encrypted messages) and in line with privacy regulations (only the attributes a service needs are released).
Key concepts here are the 'service provider' (SP) and the 'identity provider' (IdP), a separation of roles that is not needed inside a single organization. The Shibboleth middleware glues them together. The SAML2 standard, the metadata and discovery service, and attributes are the other essential components of this technical framework.
You can find more information about each of them in the next questions below.
What systems are used to install IdP or SP software?
Two implementations have been tried and tested in academic federations: Shibboleth and SimpleSAMLphp. The Shibboleth IdP is a Java web application run in a servlet container such as Tomcat or Jetty (the Shibboleth SP is a native module for Apache httpd or IIS), while SimpleSAMLphp is written in PHP.
Belnet has chosen the Shibboleth implementation; you may use SimpleSAMLphp, but Belnet only provides support for Shibboleth.
How do I install an IdP (identity provider)?
These pages give you all the necessary information to set up your IdP:
- IdP with Shibboleth 3.1.2 on Ubuntu Linux (from version 14.04 LTS)
- Windows with ADFS: ADFS 3.0 IdP for windows2k12 in the Belnet Federation
- Windows: you can also read this useful document from KULeuven
How do I install an SP (service provider)?
The following pages will give you all the necessary information to help you set up your SP:
- Ubuntu Linux (see the PDF on SP Shibboleth Installation - Linux (Ubuntu))
- Windows (coming soon)
Need more information about Shibboleth?
The US research network Internet2 has been a pioneer in identity federation and developed its own system, called Shibboleth. It is a set of software components comprising the aptly named Shibboleth Identity Provider and Shibboleth Service Provider, as well as the central components that glue them together. The Shibboleth components are released under an open-source licence.
The development of Shibboleth provided valuable input for standardization in this area: the OASIS standard SAML 2.0.
How to configure federated login with the Office 365 IdP?
You can download this manual: IdP with Shibboleth 4.x.y on Ubuntu/Debian with Jetty and Microsoft Azure (by Steve Colin from HECondorcet).
Need more information about SAML2?
SAML (Security Assertion Markup Language) is an XML-based standard. It defines the structure of the messages exchanged between IdPs and SPs (authentication requests, responses and the assertions they carry) and the bindings by which these messages are transported over HTTP. SAML relies on XML Signature and XML Encryption to protect the authenticity, integrity and confidentiality of the messages exchanged; a receiving party must verify the signature on a message, using the sender's certificate published in the federation metadata, before acting on it.
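As an added example (not part of the Belnet page or of Shibboleth itself), the following Python shows how a SAML message is packaged for the two front-channel bindings used in web SSO, HTTP-Redirect (raw DEFLATE, base64, URL-encoding in the SAMLRequest query parameter) and HTTP-POST (base64 in a form field), and how to unpack a captured message for inspection. The AuthnRequest, entity IDs and URLs are constructed placeholders.

```python
"""Encode and decode SAML 2.0 messages for the HTTP-Redirect and HTTP-POST
bindings, and summarize a captured message.  Sample data is constructed
for this example; all entity IDs and URLs are placeholders."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed AuthnRequest, shaped like the one a Shibboleth SP sends to an IdP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_7f3a9c0e" Version="2.0" IssueInstant="2024-01-15T09:30:00Z" '
    'Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64,
    then URL-encoding, giving the value of the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect.  `param` is the already URL-decoded value,
    as returned by urllib.parse.parse_qs on a captured redirect URL."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def encode_post(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 in the SAMLRequest/SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post(param: str) -> str:
    return base64.b64decode(param).decode("utf-8")


def summarize(xml_text: str) -> dict:
    """The fields an operator checks first when debugging a SAML exchange."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "type": root.tag.rsplit("}", 1)[-1],
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        # Redirect-bound messages are signed in the query string (Signature and
        # SigAlg parameters), so an embedded ds:Signature is normal only for POST.
        "xml_signature_present": root.find("ds:Signature", NS) is not None,
    }


def capture_from_redirect_url(url: str) -> dict:
    """Recover and summarize the SAMLRequest carried by a redirect URL."""
    query = urllib.parse.urlparse(url).query
    param = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return summarize(decode_redirect(param))


def round_trip_redirect(xml_text: str) -> dict:
    """Build the redirect URL an SP would emit, then read it back as a capture."""
    url = ("https://idp.example.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest="
           + encode_redirect(xml_text))
    return capture_from_redirect_url(url)


if __name__ == "__main__":
    print(round_trip_redirect(SAMPLE_AUTHN_REQUEST))
    print(summarize(decode_post(encode_post(SAMPLE_AUTHN_REQUEST))))
```

Decoding is not verification: a redirect-bound message carries its signature in the separate Signature and SigAlg query parameters, and a POST-bound message embeds a ds:Signature element. In both cases the receiving side must check that signature against the sender's certificate from the federation metadata before acting on the message, which is what an SP does with every Response it accepts.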
Need more information about the metadata and the discovery service?
SAML2 metadata is an XML document describing the technical details of all IdPs and SPs in the federation: their entityIDs, their endpoints and their public key certificates. Every IdP and SP needs the metadata to operate correctly. Without it, an SP cannot verify the signature on responses from a given IdP, does not know which server (endpoint) to send users to, and does not know which IdPs are available in the federation; conversely, an IdP cannot encrypt assertions for an SP whose key it does not know. The metadata is maintained and signed by the federation operator, Belnet.
Another service that Belnet runs to ensure good operation is the discovery service. When a user accesses a protected resource, the SP does not yet know which IdP the user belongs to, so the user has to select their home organization from the list of available IdPs. This selection is made through the discovery service, also called WAYF (Where Are You From?). A discovery service can be standalone and generic, or integrated into a given SP. Belnet operates a standalone discovery service.
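Added example, not code from the Belnet page or from Shibboleth: a small Python reader for a metadata aggregate that extracts what an SP actually consumes from it (the validUntil window, each IdP's entityID, its SSO endpoints per binding and its signing certificates) and flags an IdP that could not be trusted, such as one without a signing key or with a non-HTTPS endpoint. The aggregate, entityIDs, URLs and certificate bodies are constructed placeholders.

```python
"""Read a SAML 2.0 metadata aggregate and pull out what an SP needs from it.
The aggregate below is constructed for this example; entityIDs, URLs and
certificate bodies are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://federation.example.org" validUntil="2024-01-08T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder-signing-cert...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.org/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://legacy.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z, with or without fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def list_idps(root) -> list:
    """One record per IdP: entityID, SSO endpoints by binding, signing certs."""
    idps = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity, nothing for an SP to trust here
        certs = [
            "".join((c.text or "").split())  # drop line breaks inside the base64
            for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"  # absent 'use' means both
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        ]
        idps.append({
            "entity_id": ed.get("entityID"),
            "sso": {s.get("Binding"): s.get("Location")
                    for s in idp.findall("md:SingleSignOnService", NS)},
            "signing_certs": certs,
        })
    return idps


def problems(idp: dict) -> list:
    """Conditions under which an SP should not (or cannot) use this IdP."""
    issues = []
    if not idp["signing_certs"]:
        issues.append("no signing certificate: responses cannot be verified")
    for binding, location in idp["sso"].items():
        if not location.startswith("https://"):
            issues.append(f"non-HTTPS endpoint for {binding.rsplit(':', 1)[-1]}: {location}")
    if REDIRECT not in idp["sso"] and POST not in idp["sso"]:
        issues.append("no SAML2 web SSO endpoint")
    return issues


def load(xml_text: str, now: Optional[str] = None) -> dict:
    """Parse an aggregate; `now` is a SAML-style timestamp, default current time.
    The stdlib parser does not resolve external entities, but it is still open
    to entity-expansion DoS: use defusedxml when the input is untrusted."""
    root = ET.fromstring(xml_text)
    now_dt = parse_saml_time(now) if now else datetime.now(timezone.utc)
    valid_until = root.get("validUntil")
    expired = valid_until is not None and parse_saml_time(valid_until) < now_dt
    idps = list_idps(root)
    return {
        "expired": expired,
        "idps": idps,
        "problems": {i["entity_id"]: problems(i) for i in idps if problems(i)},
    }


if __name__ == "__main__":
    report = load(SAMPLE_METADATA, "2024-01-01T00:00:00Z")
    print("expired:", report["expired"])
    for idp in report["idps"]:
        print(idp["entity_id"], report["problems"].get(idp["entity_id"], "ok"))
```

In production the aggregate is fetched from the Belnet URL and its XML signature is checked against the Belnet Federation certificate (Shibboleth's SignatureValidation metadata filter does this) before any entity in it is accepted; an aggregate past its validUntil must be treated as stale, not kept in use.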
Need more information about the attributes?
Every IdP releases some information about the user in the form of attributes. Someone's name and date of birth are attributes, as is their affiliation with the organization (for example student or staff). If a service provider only needs to know whether someone is a student at a particular university, then that is the only attribute the university's IdP should release: attribute release is limited to what the service actually needs.
Extensions: what is the MDUI?
The acronym stands for Metadata Extensions for Login and Discovery User Interface. It is an extension used by IdPs and SPs to add display information (names, descriptions, logos, location hints) to the metadata so as to improve the user interface, essentially in the discovery service (WAYF). For Belnet's own staff IdP, Belnet stores logos, geographic coordinates and IP hints. Here is an example of how to do this:
<Extensions>
  <mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Belnet</mdui:DisplayName>
    <mdui:Description xml:lang="en">Belnet operates the Research and Education network for Belgium.</mdui:Description>
    <mdui:Logo height="16" width="16">https://your.site.url/images/smalllogo.png</mdui:Logo>
    <mdui:Logo height="64" width="152">https://your.site.url/images/biglogo.png</mdui:Logo>
  </mdui:UIInfo>
  <mdui:DiscoHints>
    <mdui:DomainHint>belnet.be</mdui:DomainHint>
    <mdui:IPHint>193.190.0.0/15</mdui:IPHint>
    <mdui:IPHint>2001:6a8::/32</mdui:IPHint>
    <mdui:GeolocationHint>geo:50.825312,4.365471</mdui:GeolocationHint>
  </mdui:DiscoHints>
</Extensions>
As you can see, several logos can be provided, and the interface presenting the entities picks the one that fits. The consensus is to prefer logos that are wide rather than tall. Logo URLs should be served over HTTPS so that the discovery page can embed them without mixed-content warnings.
The DiscoHints part helps a discovery service such as DiscoJuice to pre-select or rank the IdP closest to the user, by IP range, domain or location. These hints only steer the user interface; they play no part in authentication or access control decisions.
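Added example, not part of the Belnet page or of DiscoJuice: the following Python applies the DiscoHints described above the way a discovery service would, reading DomainHint, IPHint and GeolocationHint from metadata and using them to propose an IdP from the client's IP address, from the domain of a typed e-mail address, or from the user's approximate location. The first IdP reuses the hint values from the example above; its entityID, the second IdP and all URLs are placeholders.

```python
"""Use mdui:DiscoHints the way a WAYF does: propose an IdP from client IP,
typed domain or location.  Metadata is constructed for this example; the
first IdP's hints are those from the page, entityIDs are placeholders."""
import ipaddress
import math
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.belnet.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">Belnet</mdui:DisplayName></mdui:UIInfo>
        <mdui:DiscoHints>
          <mdui:DomainHint>belnet.be</mdui:DomainHint>
          <mdui:IPHint>193.190.0.0/15</mdui:IPHint>
          <mdui:IPHint>2001:6a8::/32</mdui:IPHint>
          <mdui:GeolocationHint>geo:50.825312,4.365471</mdui:GeolocationHint>
        </mdui:DiscoHints>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.university.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName></mdui:UIInfo>
        <mdui:DiscoHints>
          <mdui:DomainHint>university.example</mdui:DomainHint>
          <mdui:IPHint>203.0.113.0/24</mdui:IPHint>
          <mdui:GeolocationHint>geo:51.2194,4.4025</mdui:GeolocationHint>
        </mdui:DiscoHints>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_hints(xml_text: str) -> list:
    """Per IdP: display name, domain hints, IP networks and geo coordinates."""
    root = ET.fromstring(xml_text)
    result = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        ext = idp.find("md:Extensions", NS)
        entry = {"entity_id": ed.get("entityID"), "display_name": None,
                 "domains": [], "networks": [], "geo": None}
        if ext is None:
            result.append(entry)
            continue
        entry["display_name"] = ext.findtext("mdui:UIInfo/mdui:DisplayName", None, NS)
        hints = ext.find("mdui:DiscoHints", NS)
        if hints is not None:
            entry["domains"] = [d.text.strip().lower() for d in hints.findall("mdui:DomainHint", NS)]
            entry["networks"] = [ipaddress.ip_network(n.text.strip(), strict=False)
                                 for n in hints.findall("mdui:IPHint", NS)]
            geo = hints.findtext("mdui:GeolocationHint", None, NS)
            if geo:  # geo URI: geo:<lat>,<lon>[,<alt>][;params]
                lat, lon = geo.strip()[len("geo:"):].split(";")[0].split(",")[:2]
                entry["geo"] = (float(lat), float(lon))
        result.append(entry)
    return result


def match_by_ip(hints: list, client_ip: str) -> list:
    """IdPs whose IPHint ranges contain the client address, most specific first."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, h["entity_id"]) for h in hints for net in h["networks"]
               if addr.version == net.version and addr in net]
    return [eid for _, eid in sorted(matches, reverse=True)]


def match_by_domain(hints: list, user_input: str) -> list:
    """IdPs whose DomainHint equals, or is a parent of, the typed domain or e-mail."""
    domain = user_input.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return [h["entity_id"] for h in hints
            if any(domain == d or domain.endswith("." + d) for d in h["domains"])]


def nearest_by_geo(hints: list, lat: float, lon: float):
    """entityID of the IdP whose GeolocationHint is closest (great-circle distance)."""
    def haversine(a, b):
        p1, p2 = math.radians(a[0]), math.radians(b[0])
        dphi, dlam = p2 - p1, math.radians(b[1] - a[1])
        hav = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
        return 2 * 6371.0 * math.asin(math.sqrt(hav))
    located = [h for h in hints if h["geo"] is not None]
    if not located:
        return None
    return min(located, key=lambda h: haversine((lat, lon), h["geo"]))["entity_id"]


if __name__ == "__main__":
    hints = load_hints(SAMPLE_METADATA)
    print(match_by_ip(hints, "193.190.12.34"), match_by_domain(hints, "jane@student.belnet.be"))
    print(nearest_by_geo(hints, 50.85, 4.35))
```

The result is a proposal shown in the WAYF, nothing more: the user can still pick another IdP, and an SP never grants access on the strength of a hint.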
Need more technical information and useful links?
Belnet R&E Federation related:
Metadata Management service (Belnet R&E Federation interface)
Belnet Federation certificate (PEM format)
Metadata XML file - official Belnet Federation
Metadata XML file - official Belnet Federation merged with eduGAIN
Shibboleth related:
Shibboleth home
IdP with Shibboleth 4.x.y on Ubuntu/Debian with Jetty and Microsoft Azure (by Steve Colin from HECondorcet)
Shibboleth IdP and SP software
IdP with Shibboleth 3.1.2 on Ubuntu (from version 14.04 LTS)
SP Shibboleth Installation - Linux (Ubuntu)
How do I upload my metadata to the platform?
In order to upload your metadata to the platform, you have three options:
- Enter a URL from which to retrieve the metadata:
The metadata is automatically re-imported from this URL on a daily basis, so that the registered data stays up to date. Every time a new full aggregated metadata file is generated, the platform fetches the URL provided; if the new metadata is not accessible or is invalid, the last valid copy is used instead.
This option is very useful for systems using Microsoft products such as ADFS, because in such deployments the certificates embedded in the metadata change regularly (automatic certificate rollover). With this functionality, you no longer have to log in to the platform to adapt your metadata after each certificate update.
- Upload an XML file using the "Choose file" button.
- Copy/paste and edit the metadata in the text field.
How do I correct an XML code uploaded to the platform?
Once your XML is displayed in the "Metadata in XML format" window, errors and warnings are automatically shown on the right. As long as errors are detected in the XML, your metadata upload cannot be validated. To a certain extent, the validation system can correct some frequent syntax errors itself.
The XML checker also tells you whether the metadata is suitable for use in eduGAIN and gives you an example of an eduGAIN-compatible entry.
Where to find the Federation's global metadata?
If you want to test or configure your IdP for use in the Federation, you can download the Belnet metadata from the three URLs listed under "List of downloadable metadata":
- The official Federation
- The official Federation merged with eduGAIN
- The test Federation
Connect to the Belnet R&E Federation metadata manager interface