Below, the term federation is described and the difference between the SWITCHaai and AAI Test federations is explained.
A federation is a collection of organizations that agree to interoperate under a common set of rules. Federations usually define trusted roots, authorities and attributes, and distribute metadata representing this information. In general, each organization participating in a federation operates one Identity Provider for its users and any number of Service Providers.
Federations are not required for the use of Shibboleth but can facilitate exchange greatly.
SWITCH currently operates two federations: the SWITCHaai Federation in the production infrastructure and the AAI Test Federation in the test infrastructure.
Since personal data (the attributes) gets processed within SWITCHaai, a proper legal framework is required. It is provided by the SWITCHaai Service Description and its related documents.
Policies and the legal framework of SWITCHaai are defined with the aid of the AAI Advisory Committee, which represents the interests of the SWITCHaai Participants from the SWITCH Community.
Technical aspects of the federation are discussed in the AAI Community Group, which is composed of representatives of SWITCHaai Participants from the SWITCH Community.
- In order to allow interoperation of the involved systems, an Attribute Specification has been defined.
- The metadata describes the Identity Providers and Resources available in SWITCHaai. SWITCH provides official SWITCHaai metadata files in XML format, digitally signed. Shibboleth uses these files to determine which systems it may communicate with. The metadata is generated using the Resource Registry, a tool that collects information about all Identity Providers and Resources in the federation. The Resource Registry also generates tailored Attribute Release Policy (ARP) files for each Identity Provider.
- Accepted Certificates: each host that is part of SWITCHaai needs a certificate for SAML communication that complies with the SWITCHaai Certificate Acceptance Policy. If you decide to use SWITCHpki, please follow the steps described in 'How to obtain a SWITCHpki server certificate'.
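The metadata bullet above says that Shibboleth relies on signed, Resource-Registry-generated metadata to decide which systems are valid peers. The following is an added example (not SWITCH's or Shibboleth's own code) of the sanity checks an operator can run on a metadata file before an IdP or SP consumes it: it requires a validUntil attribute and a plausible validity window (the same idea as Shibboleth's RequireValidUntil filter), checks that the file carries a ds:Signature whose certificate matches a pinned SHA-256 fingerprint, and lists the IdPs and SPs it contains. The metadata document, the placeholder certificate and the pinned fingerprint are all constructed for this example; full XML-DSig verification is left to Shibboleth itself (or a library such as xmlsec) and is not performed here.

```python
"""Sanity-check a SAML 2.0 federation metadata file before trusting it.

Added example using only the Python standard library. It checks structure,
expiry (validUntil) and the signer certificate fingerprint; it does NOT
verify the XML signature cryptographically.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificate": base64 of the bytes b"PLACEHOLDER".
PLACEHOLDER_CERT_B64 = base64.b64encode(b"PLACEHOLDER").decode()
# Pinned fingerprint of the federation signing certificate. Constructed here;
# in practice the federation operator publishes this value out of band.
PINNED_SIGNER_SHA256 = hashlib.sha256(b"PLACEHOLDER").hexdigest()


def make_metadata(valid_until: str, signed: bool = True) -> str:
    """Build a constructed EntitiesDescriptor with one IdP and one SP."""
    signature = f"""
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>""" if signed else ""
    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="urn:example:test-federation" validUntil="{valid_until}">{signature}
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _utc(ts: str) -> datetime:
    """SAML dateTime values in metadata are UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(xml_text: str, now: Optional[datetime] = None,
                   max_validity: timedelta = timedelta(days=14)) -> dict:
    """Return the IdPs and SPs in the metadata; raise ValueError if it must not be trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")

    # Expiry: refuse metadata without validUntil, expired metadata, and a
    # validity window longer than the operator is willing to accept.
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("validUntil attribute missing")
    expiry = _utc(valid_until)
    if expiry <= now:
        raise ValueError(f"metadata expired at {valid_until}")
    if expiry - now > max_validity:
        raise ValueError("validUntil further ahead than the allowed window")

    # Signer: the file must carry a signature whose certificate matches the pinned one.
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in ds:Signature")
    der = base64.b64decode("".join(cert.text.split()))
    fingerprint = hashlib.sha256(der).hexdigest()
    if fingerprint != PINNED_SIGNER_SHA256:
        raise ValueError("signing certificate does not match pinned fingerprint")

    # Inventory: which entities act as IdP and which as SP.
    idps, sps = [], []
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            idps.append(ed.get("entityID"))
        if ed.find("md:SPSSODescriptor", NS) is not None:
            sps.append(ed.get("entityID"))
    return {"idps": idps, "sps": sps, "signer_sha256": fingerprint, "valid_until": expiry}


def is_trusted(xml_text: str) -> bool:
    """Boolean wrapper around check_metadata for scripting."""
    try:
        check_metadata(xml_text)
        return True
    except ValueError:
        return False


def fresh_sample(signed: bool = True) -> str:
    """Constructed metadata valid for another seven days."""
    stamp = (datetime.now(timezone.utc) + timedelta(days=7)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return make_metadata(stamp, signed=signed)


if __name__ == "__main__":
    print(check_metadata(fresh_sample()))
```

Run against a real federation metadata file, the pinned fingerprint has to be replaced with the one the federation operator publishes for its signing certificate, and the fingerprint check only guards against an unexpected signer; whether the signature itself is valid over the document is something the Shibboleth metadata provider still has to verify.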
The procedure to become part of SWITCHaai is described on:
AAI Test Federation
As the name implies, this federation is for test and development purposes. There are no formal requirements to participate in the AAI Test Federation. However, it does not provide any trust or security whatsoever.
For data protection and security reasons it is not recommended to have real users in the AAI Test Federation.
- The same Attribute Specification is valid for the AAI Test Federation as for the production SWITCHaai Federation.
- As for the SWITCHaai Federation, SWITCH provides up-to-date metadata files that are generated directly from the Resource Registry.
Joining AAI Test Federation
Since the AAI Test Federation is not a production federation, there are no formal requirements to join. It is, however, intended for tests whose goal is to later join the production federation with a production IdP or SP. Setting up a Shibboleth Identity Provider or Service Provider for the AAI Test Federation (see the Technical Information page) and registering it with the Resource Registry is all that is needed.
If you do not intend to later join the production SWITCHaai Federation, you are better off using TestShib to test your SAML IdP or SP setup.