Federation

Below the term federation is described and the difference between the SWITCHaai and AAI Test federations is explained.

A federation is a collection of organizations that agree to interoperate under a certain rule set. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information. In general each organization participating in a federation operates one Identity Provider for their users and any number of Service Providers.

[Figure: Federation Structure]

Federations are not required for the use of Shibboleth but can facilitate exchange greatly.

SWITCH currently operates two federations: the SWITCHaai Federation in the production infrastructure and the AAI Test Federation in the test infrastructure.

SWITCHaai Federation

SWITCHaai distinguishes between Federation Members and Federation Partners.

Since personal data (the authorization attributes) gets processed within SWITCHaai, a proper legal framework is required. It is provided by the SWITCHaai Service Agreement (for Federation Members) and the AAI Federation Partner Agreement.

Policies and the legal framework of SWITCHaai are defined with the aid of the AAI Advisory Committee, which represents the interests of the Federation Members.

Technical aspects of the federation are discussed in the AAI Operations Committee, which is composed of representatives of the Federation Members.

SWITCHaai legal and technical document repository

Technical Framework

Attributes
In order to allow interoperation of the involved systems, an Attribute Specification has been defined.
Metadata
The metadata describes Identity Providers and Resources available in SWITCHaai. SWITCH provides official SWITCHaai metadata files in XML-format and digitally signed. These files are used by Shibboleth to determine valid systems to communicate with. The metadata is generated using the Resource Registry, a tool to collect information about all Identity Providers and Resources in the federation. The Resource Registry also generates tailored Attribute Release Policy (ARP) files for each Identity Provider.
Accepted Certificate Authorities
Each host being part of SWITCHaai needs a server certificate issued by a certificate authority accepted by SWITCHaai. If you decide to use SWITCHpki, please follow the steps as described in 'How to obtain a SWITCHpki server certificate'.
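Shibboleth treats the signed metadata as the list of systems it is allowed to talk to. The following added example (written for this page, not SWITCH's or Shibboleth's code) shows the checks a consumer of such an aggregate has to make before trusting an entity: the document must be a metadata aggregate, it must carry a validUntil that has not passed, it must carry an XML signature, and an entity is trusted only for the role (IdP or SP) it is registered with. The metadata text, the federation name and the hostnames are constructed placeholders; the example checks that a signature element is present but does not verify it cryptographically, which a real deployment must do against the federation's published signing certificate.

```python
"""Added example: consume a SAML 2.0 metadata aggregate the way a federation
participant should, trusting only listed, unexpired, signed entities.
Signature verification itself is out of scope here (Shibboleth performs it)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample aggregate; federation name and hostnames are placeholders.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                    Name="urn:example:test-federation"
                    validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_metadata(xml_text, now=None):
    """Return {entityID: set(roles)} or raise ValueError if the aggregate
    must not be trusted (wrong root, no expiry, expired, unsigned)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not a SAML metadata aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        # An aggregate without expiry would be trusted forever; refuse it.
        raise ValueError("metadata has no validUntil")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now >= expiry:
        raise ValueError(f"metadata expired at {valid_until}")
    if root.find(f"{{{DS}}}Signature") is None:
        # Presence check only; the signature value must be verified elsewhere.
        raise ValueError("metadata aggregate is unsigned")
    entities = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        roles = set()
        if ed.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            roles.add("idp")
        if ed.find(f"{{{MD}}}SPSSODescriptor") is not None:
            roles.add("sp")
        entities[ed.get("entityID")] = roles
    return entities


def is_trusted(entities, entity_id, role):
    """An entity is trusted only for the role the federation registered it in."""
    return role in entities.get(entity_id, set())


def rejection_reason(xml_text, now=None):
    """Convenience wrapper: None if the aggregate is acceptable, else the reason."""
    try:
        load_metadata(xml_text, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for entity_id, roles in load_metadata(SAMPLE_METADATA).items():
        print(entity_id, sorted(roles))
```

Because a Service Provider in the federation only accepts assertions from entities the aggregate lists with an IdP role, an Identity Provider that is present only as an SP, or not present at all, is rejected even if it presents a syntactically valid assertion.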

Joining SWITCHaai

The procedure to become part of SWITCHaai is described on:

How to join SWITCHaai
Current and future SWITCHaai participants

AAI Test Federation

Members

As the name implies, this federation is for test and development purposes. There are no formal requirements to participate in the AAI Test Federation. However, it does not provide any trust or security whatsoever.

User Data

For data protection and security reasons it is not recommended to have real users in the AAI Test Federation.

Technical Framework

Attributes
The same Attribute Specification is valid for the AAI Test Federation as for the production SWITCHaai Federation.
Metadata
As for the SWITCHaai Federation, SWITCH provides up-to-date metadata files that are generated directly from the Resource Registry.
Accepted CAs
The set of CAs accepted comprises those accepted for SWITCHaai with the addition of the AAI Test CA. It issues certificates for mere test purposes. Test certificates can only be used in the AAI Test Federation but are free and easy to get. The trust level of these test certificates is very low.
For a full list of all accepted CAs in the AAI Test Federation, see the certificates page.

Joining AAI Test Federation

Since the AAI Test Federation is not a production Federation there are no formal requirements to join. Basically, setting up a Shibboleth Identity Provider or Service Provider for the AAI Test Federation (see Technical Information page) and registering with the Resource Registry is all that is needed.