
Identity Provider Integration Guide

Identity Provider Integration.
Connecting an organisation's authoritative credential store to the federation requires the deployment of an Identity Provider service. Typically the authoritative credential store will be the organisation's staff directory or the campus staff/student directory, but for organisations that have a campus-only (or enterprise) Single Sign-On (SSO) solution or standard authentication scheme, integrating the identity provider with the organisation's current solution may extend that solution's benefits beyond the campus. This guide focuses on the integration of the identity provider service with the organisation's directory, and explains how the identity provider service can be used to provide SSO beyond the traditional boundary of the organisation.
Selecting the identity provider software.
Institutions will have a choice of open source or commercial identity provider software.

  • Commercial Software.
    There are a number of commercial identity provider software offerings on the market; here are some of the more well known products.
    1. Oracle Identity Federation
    2. Tivoli Federated Access Manager
    3. PingFederate
    4. Microsoft Active Directory Federation Services
    5. Eduserv Athens LA
    In the case of any of the above products, or any other product, the vendor should be able to provide a statement on how compliant the product is with the SAML2 Interoperable Profile. Another significant concern when selecting identity provider software is how the software handles remotely hosted SAML2 federation metadata that contains multiple entities and is subject to frequent updates (and how it handles XML digital signatures contained within the metadata).
    The identity provider software may need to pull user data from multiple repositories if the directory cannot fulfil the Edugate federation schema. A virtual directory service can be used as an intermediary between multiple repositories and the identity provider so that the data is presented to the identity provider through a standard LDAP interface. Even if the directory contains sufficient user data, the software may need to map or transform the current directory schema onto the federation schema. Furthermore, the software should support the SAML2 metadata 'RequestedAttribute' tags, because the Edugate federation metadata can be tailored for each institution so that the release of attributes can be applied automatically from the Edugate Resource Registry.
    Where a commercial offering does not support the automatic processing of:
    a) remotely hosted metadata that is frequently updated
    b) the SAML2 'RequestedAttribute' tag
    c) digitally signed metadata verification
    yet conforms to the SAML2 Interoperable Profile, the software may still be used provided the administrator of the software manually applies the metadata changes and attribute release policies in accordance with the Edugate membership agreement's provisions.
    Open source software
    SimpleSAMLphp and Shibboleth are two open source projects that are known to provide software compatible with the Edugate federation.
  • Shibboleth
    Shibboleth is a Java based application that requires the use of a Java web server such as Tomcat, Jetty or another J2EE compliant web server. Shibboleth can authenticate users using its own login form (which relies upon LDAP, a database or another JAAS authentication scheme) or it can rely upon the web server's REMOTE_USER HTTP header to authenticate users. HEAnet can assist organisations with the deployment of Shibboleth identity provider services and provide support where problems arise with Shibboleth's processing of the Edugate metadata, the Shibboleth attribute release filters generated by the Edugate Resource Registry, or the federation WAYF (Discovery Service). HEAnet will also assist Shibboleth identity providers who have difficulty interoperating with any of the service providers within the federation. Further assistance and support can be obtained from the Shibboleth community or a third party.
  • SimpleSAMLphp
    SimpleSAMLphp is known to be interoperable with the Edugate federation and supports remote metadata containing digital signatures, multiple entities and the SAML2 Metadata 'RequestedAttribute' tags. The software deployment is lightweight as it is built on PHP and thus only requires PHP support from the web server. While HEAnet have extensive experience with the SimpleSAMLphp identity provider software, we cannot offer assistance or support for SimpleSAMLphp due to the numerous ways this software can be configured. Support and assistance should be sought from the SimpleSAMLphp community.
  • Other open source projects.
    HEAnet does not have experience with other open source projects, but as a general rule, if the software supports remote metadata containing digital signatures, multiple entities and the SAML2 Metadata 'RequestedAttribute' tags, and conforms to the SAML2 Interoperable Profile, it will provide identities compatible with the federation.
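As an added illustration (not Edugate's code, nor that of any product named above) of how 'RequestedAttribute' tags in federation metadata can drive attribute release automatically, the Python below parses a constructed metadata aggregate, maps the requested federation attribute names back onto an assumed local directory schema, and reports what each SP should receive and which required attributes the directory cannot supply. The hostnames, the directory-to-federation mapping and the metadata itself are all made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Assumed mapping of local directory attributes onto the federation
# attribute names that SPs use in their RequestedAttribute tags.
DIRECTORY_TO_FEDERATION = {
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}
FEDERATION_TO_DIRECTORY = {v: k for k, v in DIRECTORY_TO_FEDERATION.items()}

# Constructed sample aggregate (made-up hostnames) holding two SPs, only
# one of which declares RequestedAttribute tags.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="demo-federation"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <md:EntityDescriptor entityID="https://library.example.ie/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="0">
    <md:ServiceName xml:lang="en">Library portal</md:ServiceName>
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="true"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://wiki.example.ie/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def release_policy(metadata_xml):
    """Per SP entityID: directory attributes to release (requested and held
    locally) and required federation attributes the directory cannot supply."""
    policy = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.findall("md:EntityDescriptor", NS):
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdPs and other roles need no release rule
        release, missing = [], []
        # SPs with no RequestedAttribute tags get nothing: the safe default.
        for req in sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", NS):
            local = FEDERATION_TO_DIRECTORY.get(req.get("Name"))
            if local is not None:
                release.append(local)
            elif req.get("isRequired", "false") == "true":
                missing.append(req.get("Name"))  # this SP cannot be satisfied
        policy[entity.get("entityID")] = {"release": sorted(release), "missing_required": missing}
    return policy
```

Run against a real aggregate only after its XML signature has been verified with an XML-DSig library, which is exactly the automatic step the preceding section asks the software to support.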

Who is Edugate for?

Edugate provides a single access mechanism that can enable access to online resources supporting alliances, research collaboration, consortia and shared services. Now users can use the credentials issued by their institution to access Edugate enabled web-sites and benefit from a personalised and persistent experience, with privacy features that put the user in control.

Enable users to use the campus directory credential to access Edugate enabled web sites beyond the campus boundary from anywhere, whilst protecting the campus directory from unnecessary searches and the user credentials from use on web sites beyond your control.

Your patrons are individuals, not IP Addresses!

Enable publishers to provide users with a consistent and personalised experience regardless of their location or the device they are using.
Improve the end-user experience by providing Single-Sign-On and reducing the frequency of prompts for campus credentials.
Connect your patrons to your subscribed resources, even where the user finds the resource without using the library.

Restrict access to your club or society web-site to valid campus users without needing the campus IT department to provide you with access to the entire campus user database.
For student unions, Edugate enables online elections that can authenticate all students currently enrolled without needing to expose campus credentials or personal information.

Example: UL Students Union

Provide your suppliers with a means to interact with all campus members. Whether it's parking management, physical access management, catering or sports facilities, Edugate can provide a secure means to validate staff and student status. Access cards or tokens can be issued online in a self-service manner, removing some, if not all, of the paperwork.

Example: Apcoa Parking Management

When establishing any online service that will be used by multiple institutions, Edugate will provide a means to authorise access to the service by user, role or institution without having to issue usernames/passwords or other credentials to the users of the service.
Most research projects are collaborations and when it comes to hosting collaborative tools or sharing documents and data, Edugate enables the hosting partner to seamlessly grant access to the project content.

Example: NDLR Repository
Example: HEAR and DARE

Campus IT managers and IT security officers are increasingly reluctant to synchronise user credentials or open up campus directory services to applications that are hosted in the cloud. Even locally hosted managed applications that require the campus credential to be processed by the application present a security risk. Edugate is built on the open SAML federated access standard that is used in financial services, aerospace and government eID, and provides Single Sign-On without the risks.

e-Government
Whether it's a central or local government service that needs to validate that a student is a current student, Edugate can open up the potential for numerous e-Government services for students (e.g. Grants and Tax Credits).

e-Commerce
When offering a student discount online, relying on a campus email address leaves the offer open to abuse since many institutions offer 'email for life'. Edugate will allow you to know if a customer is a current student and which institution the customer is affiliated to.