VI-SEEM Login integration guide for Community Managers

From VI-SEEM Wiki

Overview

This wiki page contains information about integrating your identity provider with VI-SEEM Login in order to allow users in your community to access VI-SEEM e-Infrastructure resources.

SAML Identity Provider

To allow users in your community to sign into federated VI-SEEM applications, you need to connect to the VI-SEEM Login Service Provider (SP) Proxy as a SAML Identity Provider (IdP). Users of the application will be redirected to the central Discovery Service page of VI-SEEM Login, where they will be able to select to authenticate at your IdP. Once the user is authenticated, the VI-SEEM Login IdP Proxy will return a SAML assertion to the application containing the information returned by your IdP about the authenticated user.

Metadata registration

SAML authentication relies on the use of metadata. Both parties (you as an IdP and the VI-SEEM Login SP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages.

To exchange metadata, please send an email to aai@vi-seem.eu including the following information:

  1. entityID
  2. Metadata URL

The format of the exchanged metadata should be based on the XML-based SAML 2.0 specification. Usually, you will not need to manually create such an XML document, as it is automatically generated by all major SAML 2.0 IdP software solutions (e.g., Shibboleth, SimpleSAMLphp). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. one issued by a trusted certificate authority. Depending on the software you are using, the authoritative XML metadata URL for your IdP might be in the following form:

If your IdP is part of a federation, then it would make sense to send us the URL to a signed federation metadata aggregate. We can then cherry pick the appropriate entityID from that.

Our SAML metadata

Attribute release

Within the VI-SEEM environment, a user must have one persistent, non-reassignable, non-targeted, opaque, and globally unique identifier. To achieve this, VI-SEEM Login generates an eduPersonUniqueId (urn:oid:1.3.6.1.4.1.5923.1.1.1.13) attribute based on the first non-empty value from this attribute list:

  • eduPersonUniqueId
  • eduPersonPrincipalName
  • eduPersonTargetedID

As such, your IdP should release at least one of the above user identifiers.

The selected attribute value is hashed and the "vi-seem.eu" scope portion is added to the generated ePUID, e.g.:

1533001785735435@vi-seem.eu

The generated ePUID should be accompanied with a minimum set of attributes:

  • Email address (mail)
  • Display name (displayName) OR (givenName AND sn)
  • Affiliation with home organisation (eduPersonScopedAffiliation)

The VI-SEEM Login SP Proxy will attempt to retrieve these attributes from your IdP. If this is not possible, the missing user attributes will be acquired and verified through the user registration process with the VI-SEEM Person Registry.
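The identifier selection, ePUID generation and minimum-attribute check described above, as an added illustration that is not the VI-SEEM Login proxy's own code. SAML attributes are modelled as a dict of multi-valued lists; the page does not state which hash function the proxy applies to the selected identifier, so SHA-256 is used here purely as an assumption, and the sample assertion is constructed.

```python
import hashlib
from typing import Dict, List, Optional

# Identifier attributes in the priority order the proxy uses (first non-empty wins)
IDENTIFIER_PRIORITY = ("eduPersonUniqueId", "eduPersonPrincipalName", "eduPersonTargetedID")
SCOPE = "vi-seem.eu"

Attrs = Dict[str, List[str]]  # SAML attributes are multi-valued


def _has(attrs: Attrs, name: str) -> bool:
    """True if the IdP released at least one non-blank value for this attribute."""
    return any(v and v.strip() for v in attrs.get(name, []))


def select_identifier(attrs: Attrs) -> Optional[str]:
    """Return the first non-empty identifier value in priority order, or None."""
    for name in IDENTIFIER_PRIORITY:
        values = [v for v in attrs.get(name, []) if v and v.strip()]
        if values:
            return values[0]
    return None


def generate_epuid(attrs: Attrs) -> Optional[str]:
    """Hash the selected identifier and append the vi-seem.eu scope.
    ASSUMPTION: SHA-256 hex digest stands in for the proxy's unspecified hash."""
    ident = select_identifier(attrs)
    if ident is None:
        return None  # IdP released none of the three identifiers
    digest = hashlib.sha256(ident.encode("utf-8")).hexdigest()
    return f"{digest}@{SCOPE}"


def missing_attributes(attrs: Attrs) -> List[str]:
    """Names from the minimum set that the IdP did not release."""
    missing = []
    if not _has(attrs, "mail"):
        missing.append("mail")
    if not (_has(attrs, "displayName") or (_has(attrs, "givenName") and _has(attrs, "sn"))):
        missing.append("displayName or (givenName and sn)")
    if not _has(attrs, "eduPersonScopedAffiliation"):
        missing.append("eduPersonScopedAffiliation")
    return missing


# Constructed sample: ePPN present, name given as givenName+sn, affiliation missing
SAMPLE_ASSERTION: Attrs = {
    "eduPersonPrincipalName": ["jdoe@example.org"],
    "mail": ["jdoe@example.org"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
}
```

Attributes reported by `missing_attributes` are the ones the Person Registry would have to collect during registration.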

Note that the above set of requested attributes complies with the REFEDS R&S attribute bundle. Thus, if your IdP supports R&S, it is strongly encouraged to release the entire attribute bundle (both required and optional attributes).