Skip to Content

Identity Provider Integration Guide

Connecting an organisations authoritative credential store to the federation will require the deployment of an Identity Provider Service. Typically the authoritative credential store will be the organisations staff directory or the campus staff/student directory. This guide will focus on the integration of the identity provider service with the organisations directory, and explain how the identity provider service can be used to provide SSO beyond the traditional boundary of the organisation.

Selecting the identity provider platform.

Institutions will have a choice of open source or commercial identity provider software, or a hosted/managed solution.

Commercial Software.

There are a number of commercial identity provider software offerings on the market;

  1. Oracle Identity Federation (compatibility unknown)
  2. Tivoli Federated Access Manager (compatibility tested)
  3. PingFederate (compatibility unknown)
  4. Microsoft Active Directory Federation Services (compatibility tested).
  5. Eduserv OpenAthens LA (compatibility unknown)

(an extensive list of SAML IdP products is maintained at http://en.wikipedia.org/wiki/SAML-based_products_and_services)

In the case of any of the above products, or any other product, the vendor should be able to provide a statement on how compliant the product is with the SAML2 Interoperable Profile. and the OASIS SAML 2 Metadata standard (the software must be able to frequently process remotely hosted SAML2 metadata containing multiple entities,  and validate an XML digital signature).
The identity provider software may need to pull user data from multiple repositories if the directory cannot fulfil or be mapped to the Edugate federation schema. A virtual directory service can be used an intermediary between multiple repositories and the identity provider so that the data is presented through a standard LDAP interface to the identity provider. Even where the directory contains sufficient user data, the software may need to map or transform the the current directory schema onto the federation schema. Another consideration is the release of attributes over SAML to each participating service provider, if the software support the automatic release of attributes based on a presence of SAML2 metadata 'RequestedAttribute' tag in a Service Providers metadata, then this concern could be addressed as the Edugate federation metadata can be tailored for each institution so that the release of attributes can be automatically applied from the Edugate Resource Registry into the metadata feed provided by Edugate.
Where a commercial offering does not support the automatic processing of;

  • remotely hosted metadata that is frequently updated
  • the SAML2 'RequestedAttribute' tag.
  • digitally signed metadata verification.

but conforms the the SAML2 Interoperable Profile, the software may still be used provided the administrator of the software manually applies the metadata changes and attribute release policies in accordance with the Edugate membership agreement's provisions.

Open source software

SimpleSAMLphp and Shibboleth are two open source projects that are known to provide software compatible with the Edugate federation.

Shibboleth

Shibboleth is a Java based application that requires the use of a Java web-server such as Tomcat, Jetty or other J2EE compliant web server. Shibboleth can authenticate users using it's own login form (that relies upon LDAP, a database or other JAAS authentication scheme) or it can rely upon the web-servers REMOTE_USER http header to authenticate users making it easy to integrate with other authentication systems that have web-server plugins. HEAnet can assist organisations with the deployment of Shibboleth identity provider services and provide support assistance where problems arise with Shibboleth's processing of the Edugate metadata, Shibboleth attribute release filters generated by the Edugate Resource Registry or the federation WAYF (Discovery Service). HEAnet will also assist Shibboleth identity providers who have difficulty interoperating with any of the service providers within the federation. Further assistance and support can be obtained from the Shibboleth community or a third party.

SimpleSAMLphp

SimpleSAMLphp is known to be interoperable with the Edugate federation and supports remote metadata containing digital signatures, multiple entities and the SAML2 Metadata 'RequestedAttribute' tags. The software deployment is lightweight as it is built on PHP and thus only requires PHP support from the webserver. While HEAnet have extensive experience with the SimpleSAMLphp identity provider software we cannot offer assistance or support for SimpleSAMLphp due to the numerous way this software can be configured. Support and assistance should be sought from the SimpleSAMLphp community.

Hosted/Managed Solutions.

There are a number of solutions in the marketplace that offer a hosted Identity Provider. 

Organisations considering a hosted identity provider are recommended to consider the following topics when assessing a solution.

1. Account Provisioning

Some hosted identity providers offer a service where user accounts are provisioned into the vendors service, this results in users having more than one account (i.e. where one account is maintained within the organisation, and another in the vendors service). Account synchronisation between both identity stores may be offered, however it is not always possible to synchronise passwords, and where it is possible there will always be some delay in synchronising password changes. Therefore, the synchronisation schedule and synchronisation capabilities should be considered when assessing such services. While there may be solutions for the account provisioning, account decommissioning is of equal importance in order to remain in compliance with the Edugate membership rules. 

2. Access to organisations directory.

While it is possible to connect a hosted identity provider with the institutions directory service for authentication purposes, the confection security should be considered. VPN solutions or secure directory protocols (i.e.. LDAPs) as well as firewall rules should be considered to enhance the security of the confection. Another consideration is the scope of directory searches and the security of the vendors service (if the vendor is compromised, then the institutions directory service may be exposed as a result).

3. Schema compatibility

Where accounts are synchronised (1 above) or accessed remotely (2 above) it is likely that the local schema of the user repository or directory is not directly compatible with Edugate. Therefore it is a good idea to evaluate the solution or software ability to map from one local attribute to an Edugate attribute of a different name (e.g. emailaddress = mail ) or if attributes can be dynamically fulfilled using multiple attributes from the source repository givenname+firstname+@domainname = mail).

4. Jurisdiction.

As with any cloud service that handles personal data, the legal jurisdiction covering the operation of the service should be considered.

5. Auditing.

Identity Members must be capable of producing SAML messages from audit or debug logs for troubleshooting access problems (as outlined in the Edugate rules).

5. Statistics.

Statistics may or may not be desired, the following statistics should be considered;

  • What  are the top 5 services users have been accessing?
  • How many authentication?
  • How many unique users?
  • How many failed authentication?

Edugate can centrally consume anonymised statistics from the Raptor statistics collector or directly from a Shibboleth audit log.

6. Branding and Logos

The login page will be presented to your users so it is worth considering it the login page can be customised with the institutions logo and style. Also, Edugate support logo's for each participating service provider these can be displayed on the login page alongside descriptive text of the service the user is being asked to authenticate with.

7. Consent prompt

Sometimes the institution may rely on the users consent before user attributes are provided to participating service providers, therefore another consideration is the support for consent prompts displayed to the end-user.

8. Resource Registry Compatibility

Edugate metadata containing the metadata of all Edugate participants is published at http://edugate.heanet.ie, however, Edugate participants can customise the content of the metadata to include service providers that are non-members of Edugate, these are referred to as bilateral trusts (examples include; Google Apps, Office 365 or the participants own internal services). If it is expected that the identity provider solution will be used for non-Edugate services then the solution should be able to consume the customised metadata or allow for bilateral trusts to be established using the vendors solution. Vendor solutions should (ideally) be capable of consuming the Edugate metadata in an automated manner, otherwise frequent manual updates will be required.

Edugate also provides an optional service that produces a Shibboleth attribute filter policy that can be consumed by Shibboleth based identity providers. While this feature is offered as an optional service, identity providers are obliged to keep their current attribute release policy up to date in the Edugate Resource Registry, so another consideration will be the ease of keeping the policy defined in the Edugate Resource Registry synchronised with the policy defined in the vendors solution.

Who is Edugate for?

Edugate provides a single access mechanism that can enable access to online resources supporting alliances, research collaboration, consortia and shared services. Now users can use the credentials issued by their institution to access Edugate enabled web-sites and benefit from a personalised and persistent experience, with privacy features that put the user in control.

Enable users to use the campus directory credential to access Edugate enabled web sites beyond the campus boundary from anywhere, whilst protecting the campus directory from unnecessary searches and the user credentials from use on web sites beyond your control. 
 

Your patrons are individuals, not IP Addresses!
 
Enable publishers to provide users with a consistent and personalised experience regardless of their location or the device they are using.
Improve the end-user experience by providing Single-Sign-On and reducing the frequency of prompts for campus credentials.
Connect your patrons to your subscribed resources, regardless of where the user performs their search.

Restrict access to your club or society web-site to valid campus users without needing the campus IT department to provide you with access to the entire campus user database.
For student unions, Edugate enables online elections that can authenticate all students currently enrolled without needing to expose campus credentials or personal information.

Example: UL Students Union

Provide your suppliers with a means to interact with all campus members. Whether its parking management, physical access management, catering or sports facilities, Edugate can provide a secure means to validate staff and student status. Access cards or tokens can be issued online in a self-service manner, removing the some, if not all, of the paperwork.

Example: Apcoa Parking Management

When establishing any online service that will be used by multiple institutions, Edugate will provide a means to authorise access to the service by user, role or institution without having to issue usernames/passwords or other credentials to the users of the service.
Most research projects are collaborations and when it comes to hosting collaborative tools or sharing documents and data, Edugate enables the hosting partner to seamlessly grant access to the project content.

Example: NDLR Repository
Example: HEAR and DARE

Campus IT managers and IT security officers are increasingly reluctant to synchronise user credentials or open up campus directory services to applications that are hosted in the cloud. Even locally hosted managed applications that require the campus credential to be processed by the application present a security risk. Edugate is built on the open SAML federated access standard that is used in the financial services, aerospace and governmant eID and provides Single-Sign-On without the risks.

e-Government
Whether it's a central or local government service that needs to validate that a student is a current student, Edugate can open up the potential for numerous e-Government services for students (e.g. Grants and Tax Credits)

e-Commerce
When offering a student discount online, relying on a campus email address leaves the offer open to abuse since many institutions offer 'email for life'. Edugate will allow you to know if a customer is a current student and which institution the customer is affiliated to.