Deployment Information for Federation Partners

While the page on how to become a Federation Partner outlines the legal aspects of joining SWITCHaai as a Federation Partner, this page provides an overview on how to install a Shibboleth Service Provider and configure one or more Resources for SWITCHaai.

Technical steps

  1. Shibboleth Demo (optional)
    If you are not yet familiar with the principle of federated identity management, you may have a look at our AAI demo page. This usually helps people who are new to Shibboleth to understand some basics about federated identity management and how Shibboleth works.

  2. Federation Interoperability Profiles
    Checkout these two documents from Kantara. If your SAML service provider uses software implemented according to the first document and you deployed it according to the second document, interoperability with the IdPs in SWITCHaai will be no issue. Otherwise, it is unlikely that your SAML service provider will properly interoperate:
  3. Certificate
    In order to participate in SWITCHaai you need a certificate, which can be used for client authentication. SWITCH recommends to use a self-signed certificate. Most X.509 certificates used for web servers support client authentiction and can be used as well.
    For the details, check out the certificate acceptance rules.
    In case of questiions, contact the SWITCHaai Team.

  4. Data protection
    AAI Attributes are the common basis on which two communicating entities are able to share information they know to interpret identically. The resource owner's first and foremost duty regarding attributes is privacy and data protection. For user privacy only request as few attributes as needed.

    For publishers, the attributes eduPersonEntitlement in combination with the IdP's EntityID or the swissEduPersonHomeOrganization should be sufficient in most cases. The attribute eduPersonEntitlement contains the value urn:mace:dir:entitlement:common-lib-terms for all university members authorized to access licensed content from publishers.

    For other Federation Partners, if you need a user identifier please request the persistent ID. Attributes often needed to decide whether a person gets educational discount for a shop operator are the attributes swissEduPersonHomeOrganizationType and eduPersonAffiliation or eduPersonScopedAffiliation. If you have any questions regarding attributes or you think you require more attributes, please contact us.

  5. Installing a Shibboleth Service Provider (SP)
    We provide deployment guides to install Shibboleth for several platforms (Linux, Windows). These guides can be found on the Service Provider Deployment page.
    They describe how to configure a Shibboleth Service Provider for the production SWITCHaai Federation.

  6. Register Resource
    Finally, the Resource has to be registered with the Resource Registry.
    In order to register with the Resource Registry, the technical contact person should self-register a personal SWITCH edu-ID account. Further technical contact persons can self-register their own personal accounts. The first administrator can invite them all to adopt the role as resource administrator to be able to further modify the entry in the Resource Regsitry.
    Once the Resource is registered by this technical contact person and approved by the sponsoring SWITCHaai Participant from the SWITCH Community, the published metadata will contain a description of your Resource. Thus, all SWITCHaai Identity Providers will know the new Service Provider as soon as they refresh their metadata the next time. This happens once per hour.

Support

If you have any questions or problems, feel free to contact us by email aai@switch.ch.

Stay up-to-date

All administrators of Service Providers in the SWITCHaai federation are expected to subscribe to the AAI-Operations mailing list, where SWITCH is making announcements about important changes in the federation. Furthermore, it can be useful to subscribe to the Shibboleth Announce mailing list, which is used by the members of the Shibboleth Project team to announce new releases or send out security advisories.