What is eduGAIN?
The Belnet R&E Federation takes part in eduGAIN, the transcontinental interfederation developed by GÉANT (the pan-European R&E network), so its members can benefit from services offered by other federations around the world. Participation is per entity and on request (see the FAQ below). If you are a service provider, you can also make your organization's services available to eduGAIN.
eduGAIN interconnects identity federations around the world, simplifying access to content, services and resources for the global research and education community.
eduGAIN enables the trustworthy exchange of information related to identity, authentication and authorization (AAI) by coordinating elements of the federations’ technical infrastructure and providing a policy framework that controls this information exchange.
The list of eduGAIN participants is available on the eduGAIN website.
Admin FAQ:
What are the benefits of being part of eduGAIN?
Are IdP/SPs automatically integrated into eduGAIN?
What are the costs?
Technical FAQ:
How to join?
What do I technically need to do to join eduGAIN?
How do I join eduGAIN?
How can I join eduGAIN as an IdP?
How do I join eduGAIN as an SP?
Useful links:
Need more technical information and useful links?
How do I enable the MFA layer to strengthen the security of my authentication processes?
What are the benefits of being part of eduGAIN?
Each connected federation brings benefits to its member IdPs and SPs: users of a member IdP can reach services registered in the other connected federations, and a member SP can in turn be offered to users of every connected federation.
Are the IdP/SPs automatically integrated into eduGAIN?
No. An explicit request must be submitted to Belnet. See the eduGAIN structure diagram.
What are the costs?
Nothing! The service is free of charge for all members.
What do I technically need to do to join eduGAIN?
Mostly, you will need to add some information to your Shibboleth configuration files.
How do I join eduGAIN?
Metadata registration practice statement

Federation name: Belnet Federation
Federation operator: Belnet, Belgium
Federation web page: http://federation.belnet.be
Date of last change: 27 March 2012

Common practices
----------------
The IdPs are Belnet's customers from the R&E community, excluding administrations and ministries of all levels. The SPs are any companies that offer a service or content that fulfils the needs of Belnet's R&E community members, respecting the defined policy.

All IdP and SP administrators connect via HTTPS and authenticate via Belnet's customer AAI system to the Belnet Federation's metadata manager [1], where the submitted information gets checked and stored in the metadata manager's database. It is later used for generating the Belnet federation's metadata.

In addition, before the federation operator publishes metadata dedicated to interfederation, an institution first has to declare that its processes are ready for interfederation. Only then will its IdP and SP administrators be able to declare that their respective entity is also technically ready to participate in interfederation.

IdP registration practices
--------------------------
An IdP registering with the federation needs to be manually approved by a team member of the federation operator. Such approval requires:
- a completed membership service agreement signed by an official representative of the newly participating institution;
- elements and attributes to be registered using a domain name of that institution.

The administrators appointed specifically by that institution will receive access to the metadata manager service, where they can upload the metadata of their IdP. After approval, the federation operator publishes and maintains the federation's metadata. Subsequent changes to these elements and attributes do not require re-approval by the federation operator. Only administrators specifically appointed by that institution can modify the IdP-specific information. For interfederation, the entity must ask the federation operator to publish it for participation in eduGAIN.

SP registration practices
-------------------------
Each SP must be manually approved by a team member of the federation operator in order to be registered with the federation. Such approval requires:
- a completed membership service agreement signed by an official representative of the newly participating service provider;
- elements and attributes to be registered using a domain name of that SP.

The administrators appointed specifically by that SP will then receive access to the metadata manager service, where they can upload the metadata of their SP. After approval, the federation operator publishes and maintains the federation's metadata. Subsequent changes to these elements and attributes do not require re-approval by the federation operator. Only administrators specifically appointed by that SP can modify the SP-specific information. For interfederation, the entity must ask the federation operator to publish it for participation in eduGAIN.

Practices regarding metadata modifications
------------------------------------------
In the Belnet Federation, no metadata are modified, because the federation operator generates them on behalf of all entities from the information acquired through the metadata manager service. The source for generating federation metadata is the metadata manager database. The details of a registering entity are entered by each IdP/SP administrator, who provides the necessary metadata. A wizard parses the provided entity metadata to check the SAML2 syntax and the required content. The IdP/SP administrator also has to supply non-technical information such as descriptions or support contacts. All technical and non-technical information is stored in a customer database. This information is used to generate the access credentials for the metadata manager system.

[1] https://federation.belnet.be/re/md-mgmt/
How can I join eduGAIN as an IdP (identity provider)?
In order to join the eduGAIN Federation:
1) Contact our Belnet Service Desk via servicedesk@belnet.be (don’t forget your acronym if you are already a customer). The Service Desk will put you in contact with our Customer Relations Team. The account manager will ask you to complete, sign and return the agreement to us.
2) You need to modify your Shibboleth IdP configuration.
2.1) In [shibboleth directory]/conf/relying-party.xml:
You need to configure the IdP to load the metadata published by the eduGAIN service, so lines like the example below need to be added. (This file layout is that of Shibboleth IdP v2; on IdP v3 and later the same provider and filters live in conf/metadata-providers.xml.) Note that the aggregate is fetched over plain HTTP, so the SignatureValidation filter is what protects its integrity: keep requireSignedMetadata="true".
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
    ...
    <!-- ******* eduGAIN Federation ******* -->
    <metadata:MetadataProvider id="URLMD4" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                               xmlns="urn:mace:shibboleth:2.0:metadata"
                               metadataURL="http://mds.edugain.org"
                               backingFile="/opt/shibboleth-idp/metadata/mds.edugain.org.xml">
        <!-- A chaining filter lets several filters be applied to the same feed -->
        <metadata:MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
            <!-- Optional: refuse an aggregate whose validUntil is missing or more than 9 days in the future -->
            <!-- <metadata:MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                                          maxValidityInterval="P9D" /> -->
            <!-- Require a signature on the aggregate and verify it with the
                 'eduGAIN.MetadataTrustEngine' defined further down in this file -->
            <metadata:MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                     trustEngineRef="eduGAIN.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    ...
...
A bit further in the file, the following lines need to be included in order to verify the signature on the eduGAIN metadata. The trust engine is a static, explicit-key engine: only a signature made with the key in the listed certificate is accepted, so there is no PKI chain building involved. If you also enable the RequiredValidUntil filter above, make sure maxValidityInterval covers the validUntil the eduGAIN aggregate actually carries, otherwise the whole aggregate will be rejected.
...
<!-- Trust engine used to evaluate the signature on the loaded eduGAIN metadata -->
<security:TrustEngine id="eduGAIN.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="eduGAINCredentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/edugain-mds.cer</security:Certificate>
    </security:Credential>
</security:TrustEngine>
...
2.2) You need to download the certificate used to sign eduGAIN's metadata:
Link: eduGAIN signing certificate to validate the metadata signature
Install it in [shibboleth directory]/credentials/ under the file name referenced in your relying-party.xml configuration. This certificate is the trust anchor for every entity your IdP will accept from eduGAIN, so compare its fingerprint with the one eduGAIN publishes before installing it, and set a reminder for its expiry date: when eduGAIN rolls the signing key, the metadata load will fail until you replace the file.
3) In order to be fully compliant with eduGAIN requirements, you need to modify the metadata of your IdP to include the following sections. First, declare the two namespaces on the <EntityDescriptor> element:

xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"

Right after the opening <EntityDescriptor> tag, the following part needs to be included:

<Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="http://federation.belnet.be/" registrationInstant="2012-03-27T12:00:00Z">
        <mdrpi:RegistrationPolicy xml:lang="en">http://federation.belnet.be/files/Belnet-metadata-registration-practice-statement.txt</mdrpi:RegistrationPolicy>
    </mdrpi:RegistrationInfo>
</Extensions>

In the <IDPSSODescriptor> part, the following needs to be present:

<Extensions>
    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">[YOUR DOMAIN]</shibmd:Scope>
    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">[YOUR INSTITUTION]</mdui:DisplayName>
        <mdui:Description xml:lang="en">[SHORT DESCRIPTION OF YOUR INSTITUTION]</mdui:Description>
        <mdui:Logo height="16" width="16">https://anyurlwithyourlogoaccessible/yoursmalllogo.png</mdui:Logo>
        <mdui:Logo height="75" width="153">https://anyurlwithyourlogoaccessible/yourbiglogo.png</mdui:Logo>
    </mdui:UIInfo>
    <mdui:DiscoHints xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:IPHint>[THE IPv4 RANGE YOU ARE USING, e.g. 193.190.x.y/mm]</mdui:IPHint>
        <mdui:IPHint>2001:6a8:[YOUR IPv6 RANGE]::/64</mdui:IPHint>
        <mdui:DomainHint>[YOUR DOMAIN]</mdui:DomainHint>
        <mdui:GeolocationHint>[YOUR GEO COORDINATES, in the form geo:50.825312,4.365471]</mdui:GeolocationHint>
    </mdui:DiscoHints>
</Extensions>

The shibmd:Scope value must be the domain name registered for your institution with Belnet: SPs use it to decide which scoped attributes (eduPersonPrincipalName, for instance) they accept from your IdP, and a scope you are not registered for will be filtered out.
The mdui:Logo element is not mandatory, but it is appealing when displayed in the eduGAIN discovery service (called DiscoJuice) alongside your institution's name.
Watch out: earlier versions of these instructions asked for a base64-encoded logo embedded in the <mdui:Logo> element, but the aggregated metadata has since grown larger and larger. Logos must now be provided as an HTTPS URL (an http: URL would trigger mixed-content warnings on the discovery page); there are also recommendations about maximum sizes (see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMDUIRecommendations for more information).
4) When we have received your signed agreement, we will publish your metadata in Belnet's eduGAIN metadata list, which is integrated into the global eduGAIN metadata.
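As an added pre-submission check (example code written for this page, not Belnet's or eduGAIN's own tooling), the following Python script parses a relying-party.xml-style fragment and an IdP EntityDescriptor with the standard library only and reports the problems discussed in steps 2 and 3: a provider that does not require signed metadata, a trustEngineRef that does not resolve to a TrustEngine carrying a certificate, a missing RequiredValidUntil filter, a missing mdrpi:RegistrationInfo, a shibmd:Scope that does not declare your domain, and logos that are not HTTPS URLs. All XML in it is constructed for the example; the entity ID idp.example.ac.be, the scope example.ac.be, the RelyingPartyGroup wrapper element and the file paths are placeholders.

```python
"""Pre-submission checks for a Shibboleth IdP joining eduGAIN through Belnet.
Added example, not Belnet's or eduGAIN's own tooling; standard library only. It checks that the
eduGAIN provider in relying-party.xml requires signed metadata, references a TrustEngine that
carries a certificate and keeps a RequiredValidUntil filter, and that the IdP EntityDescriptor
carries mdrpi:RegistrationInfo, shibmd:Scope and mdui:UIInfo with https logos. All XML is constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui", "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "metadata": "urn:mace:shibboleth:2.0:metadata", "security": "urn:mace:shibboleth:2.0:security"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def _filters(provider, type_name):
    # MetadataFilter elements at any depth (also inside a ChainingFilter) whose xsi:type ends with type_name
    return [f for f in provider.iter("{%s}MetadataFilter" % NS["metadata"])
            if (f.get(XSI_TYPE) or "").endswith(type_name)]

def check_metadata_provider(config_xml, provider_id):
    """Return problems with the provider's integrity checks; [] means it is hardened."""
    root = ET.fromstring(config_xml)
    provider = next((p for p in root.iter("{%s}MetadataProvider" % NS["metadata"])
                     if p.get("id") == provider_id), None)
    if provider is None:
        return ["provider %s not found" % provider_id]
    problems, sig = [], _filters(provider, "SignatureValidation")
    if not sig:
        problems.append("no SignatureValidation filter")
    else:
        if sig[0].get("requireSignedMetadata") != "true":
            problems.append("requireSignedMetadata is not true")
        ref = sig[0].get("trustEngineRef")
        engines = {e.get("id"): e for e in root.iter("{%s}TrustEngine" % NS["security"])}
        if ref not in engines:
            problems.append("trustEngineRef %r has no matching TrustEngine" % ref)
        elif engines[ref].find(".//security:Certificate", NS) is None:
            problems.append("TrustEngine %s has no Certificate" % ref)
    if not _filters(provider, "RequiredValidUntil"):
        problems.append("no RequiredValidUntil filter (aggregate without validUntil would be accepted)")
    return problems

def check_entity_metadata(entity_xml, scope):
    """Return problems with an IdP EntityDescriptor against the eduGAIN requirements above."""
    ed, problems = ET.fromstring(entity_xml), []
    reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None or not reg.get("registrationAuthority"):
        problems.append("missing mdrpi:RegistrationInfo/@registrationAuthority")
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor"]
    if scope not in [s.text for s in idp.findall("md:Extensions/shibmd:Scope", NS)]:
        problems.append("shibmd:Scope does not declare %s" % scope)
    ui = idp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        return problems + ["missing mdui:UIInfo"]
    for name in ("DisplayName", "Description"):
        if ui.find("mdui:%s" % name, NS) is None:
            problems.append("missing mdui:%s" % name)
    for logo in ui.findall("mdui:Logo", NS):
        url = (logo.text or "").strip()
        if not url.startswith("https://"):  # embedded base64 (data:) and http: logos are rejected
            problems.append("mdui:Logo is not an https URL: %s" % url[:22])
    return problems

GOOD_CONFIG = """<RelyingPartyGroup xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="URLMD4" xsi:type="metadata:FileBackedHTTPMetadataProvider"
      metadataURL="http://mds.edugain.org" backingFile="/opt/shibboleth-idp/metadata/mds.edugain.org.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
      <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P9D"/>
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
          trustEngineRef="eduGAIN.MetadataTrustEngine" requireSignedMetadata="true"/>
    </metadata:MetadataFilter>
  </metadata:MetadataProvider>
  <security:TrustEngine id="eduGAIN.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="eduGAINCredentials" xsi:type="security:X509Filesystem">
      <security:Certificate>/opt/shibboleth-idp/credentials/edugain-mds.cer</security:Certificate>
    </security:Credential></security:TrustEngine>
</RelyingPartyGroup>"""
# Weakened variant: signature no longer required and the TrustEngine reference dangles
WEAK_CONFIG = (GOOD_CONFIG.replace('requireSignedMetadata="true"', 'requireSignedMetadata="false"')
               .replace('Ref="eduGAIN.MetadataTrustEngine"', 'Ref="missing.TrustEngine"'))

GOOD_ENTITY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.ac.be/idp/shibboleth">
  <Extensions><mdrpi:RegistrationInfo registrationAuthority="http://federation.belnet.be/"/></Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">example.ac.be</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:Description xml:lang="en">Example University identity provider</mdui:Description>
        <mdui:Logo height="16" width="16">https://www.example.ac.be/logo16.png</mdui:Logo>
      </mdui:UIInfo>
    </Extensions></IDPSSODescriptor>
</EntityDescriptor>"""
# Legacy-style variant: base64 logo embedded in the metadata and an empty registration authority
BAD_ENTITY = (GOOD_ENTITY.replace("https://www.example.ac.be/logo16.png", "data:image/png;base64,iVBORw0KGgo=")
              .replace('registrationAuthority="http://federation.belnet.be/"', 'registrationAuthority=""'))
```

Run check_metadata_provider against the text of your real relying-party.xml (its own root element takes the place of the constructed RelyingPartyGroup wrapper) and check_entity_metadata against the metadata you are about to upload to the metadata manager; an empty list from each is the state to submit in. The checks are structural only: they confirm that a signature filter is wired to a trust engine, not that the certificate on disk is the genuine eduGAIN signing certificate, which you still verify out of band as described in step 2.2.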
How do I join eduGAIN as an SP (service provider)?
In order to join the eduGAIN Federation, contact our Belnet Service Desk via servicedesk@belnet.be (don’t forget your acronym if you are already a customer). The Service Desk will put you in contact with our Customer Relations Team.
The account manager will ask you to complete, sign and return the agreement.
When we have received it, we will publish your metadata in Belnet's eduGAIN metadata list, which is integrated into the global eduGAIN metadata.
Need more technical information and useful links?
eduGAIN website
Metadata XML file - eduGAIN's Belnet participants
eduGAIN signing certificate to validate the metadata signature
How do I enable the MFA layer to strengthen the security of my authentication processes?
Check out our documentation and demo videos on our Multi Factor Authentication (MFA) FAQ page.
Find the different participating entities using the tool developed by GÉANT