
Service Provider Integration Guide

In order to support Edugate federated access, service providers must support SAML2 access to their service. This may already be supported by the service provider's web-server (see SAML Plugins below) or by the web application; otherwise application code must be developed to support SAML2. HEAnet can provide advice and support to organisations considering adding SAML support to their service (provided they intend to add the service to the Edugate federation).

Application support for SAML

Many of the applications used in the academic sector already support SAML, either natively or using a web-server plug-in. The Shibboleth web-site maintains a list of known web applications that can be integrated with Shibboleth (as does SimpleSAMLphp).

SAML Protected Proxy
Use of a web-server proxy service such as EZproxy or mod_proxy may be sufficient where the web-server also supports a SAML plug-in. In this scenario the proxy service is protected by a SAML plug-in (Shibboleth or otherwise); once the user has authenticated via the SAML plug-in, the proxy service delivers the requested content. Note however that in most cases the proxy service will not be able to pass any SAML user data on to the requested resource, so features such as on-the-fly personalisation or role-based authorisation would not normally be possible.

Writing Application Code

Where the web application does not already support SAML or the proxy option is not suitable, adding support for SAML through application code can be achieved by either processing web-server variables set by a SAML plug-in or by implementing SAML directly in your code.

  • Web Server Variables
    Relying upon web server variables is an option if there is a SAML plug-in (Shibboleth or otherwise) for your web-server. In this scenario the SAML plug-in acts passively: it invokes SAML authentication when a specific URL is requested and sets server variables (or headers) that are populated as a result of the authentication phase. These variables can then be read by standard application code for custom authorisation and personalisation purposes. Some applications may support the standard header variable REMOTE_USER; if your SAML plug-in can set this variable it may be possible to integrate SAML into your application without any further application code.
  • SAML libraries
    Using SAML libraries may be the only option in some scenarios, particularly if a SAML plug-in is not available or is not feasible with your web-server setup. There are a number of libraries available for each development platform.
  1. .NET - OIOSAML and Microsoft's Windows Identity Foundation (latest version here) and Windows Identity Foundation v2 (beta)
  2. Java - OpenSAML, OIOSAML and OpenSSO
  3. PHP - SimpleSAMLphp and Guanxi PHP
SAML Plugin

There are a number of web-server plug-ins that can enable SAML access to the web-server. These are divided here into open source and commercial implementations.
Open Source

  1. Shibboleth (for Apache/IIS/Java)
  2. CAS (for Apache)
  3. Guanxi (for Java)

Commercial

  1. Microsoft Active Directory Federation Services
  2. Ping Federate
  3. Tivoli Federated Access
  4. Oracle Identity Federation 
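As an added illustration of the Web Server Variables approach above (example code, not code from this guide or from HEAnet), a small Python handler that authorises on the affiliation roles a SAML plug-in exports into the request environment. The variable names Shib-Session-ID, Shib-Identity-Provider, eppn and affiliation are assumed to follow the Shibboleth SP default attribute map, and ROLE_POLICY is an assumed application policy.

```python
from typing import Mapping, Optional

# Permissions granted per affiliation role (assumed application policy).
ROLE_POLICY = {
    "faculty": {"read", "write", "admin"},
    "staff": {"read", "write"},
    "student": {"read"},
    "member": {"read"},
}


def saml_session(environ: Mapping[str, str]) -> Optional[dict]:
    """Return the authenticated identity, or None when the request did not
    pass through the SAML plug-in.  Only environment variables are read:
    a plug-in running in header mode copies attributes into HTTP headers,
    which a client could forge unless the plug-in reliably strips incoming
    copies, so environment variables are the safer source."""
    if not environ.get("Shib-Session-ID"):
        return None
    # The Shibboleth SP joins multi-valued attributes with ';' (assumption
    # based on its default configuration).
    affiliations = [a for a in environ.get("affiliation", "").split(";") if a]
    return {
        "user": environ.get("eppn") or environ.get("REMOTE_USER"),
        "idp": environ.get("Shib-Identity-Provider"),
        # Drop the @scope part; the role name is what the policy keys on.
        "roles": {a.split("@", 1)[0] for a in affiliations},
    }


def permissions(environ: Mapping[str, str]) -> set:
    """Union of the permissions of every role the home organisation asserted."""
    ident = saml_session(environ)
    if ident is None:
        return set()
    return set().union(*(ROLE_POLICY.get(r, set()) for r in ident["roles"]))


# Constructed request environment, as the Shibboleth SP would populate it.
SAMPLE_ENV = {
    "Shib-Session-ID": "_abc123",
    "Shib-Identity-Provider": "https://idp.example.ie/idp/shibboleth",
    "eppn": "jbloggs@example.ie",
    "affiliation": "staff@example.ie;member@example.ie",
}
```

Call permissions(environ) from the request handler and deny anything that lacks the required permission; a request without Shib-Session-ID yields no permissions at all, even if it carries an affiliation value.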

Using the Federation for one-time verification
Service providers may use the federation for one-time verification, which allows a service provider to verify the identity and/or affiliations of a user so that the provider can provision a local user account for that user. This allows the service provider to retain control over the user accounts it issues and may lessen the burden of integrating federated access into the service. The same scenario can be used at a later date to reconnect users with forgotten accounts or to provide a self-service password reset feature. Service Providers should bear in mind that a second credential may lead to high attrition rates due to the inconvenience of having to log in with a set of credentials that has to be remembered, particularly so when those credentials are forgotten. Service Providers that intend to use Edugate for one-time verification may find the pseudonymous attribute 'eduPersonTargetedID' and the role attribute 'eduPersonScopedAffiliation' particularly useful. Lastly, a student's affiliation may change during the academic term and at least once a year.
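An added example (not Edugate's or HEAnet's code) of the one-time verification flow just described: a local account is keyed on the opaque eduPersonTargetedID rather than a name or e-mail, eduPersonScopedAffiliation is honoured only for scopes the asserting IdP is registered for, and the roles are refreshed on every later federated login because affiliations change over the year. The variable names (Shib-Session-ID, Shib-Identity-Provider, persistent-id, affiliation) are assumed to follow the Shibboleth SP default attribute map, and IDP_SCOPES is a constructed stand-in for the scopes published in federation metadata.

```python
from dataclasses import dataclass, field
from typing import Dict, Mapping, Set

# Scopes each IdP may assert (constructed; in production taken from the
# shibmd:Scope elements of the signed federation metadata).
IDP_SCOPES = {"https://idp.example.ie/idp/shibboleth": {"example.ie"}}


@dataclass
class LocalAccount:
    targeted_id: str          # opaque eduPersonTargetedID, the account key
    home_idp: str
    roles: Set[str] = field(default_factory=set)


ACCOUNTS: Dict[str, LocalAccount] = {}  # stands in for the service's database


def verified_roles(idp: str, scoped_affiliation: str) -> Set[str]:
    """Keep only affiliation values whose scope the asserting IdP is
    registered for, so one institution cannot claim roles at another."""
    allowed = IDP_SCOPES.get(idp, set())
    roles: Set[str] = set()
    for value in filter(None, scoped_affiliation.split(";")):
        role, _, scope = value.partition("@")
        if scope in allowed:
            roles.add(role)
    return roles


def provision(environ: Mapping[str, str]) -> LocalAccount:
    """Create the local account on the first federated login and refresh
    its roles on every later one.  Variable names follow the Shibboleth SP
    default attribute map (assumption); persistent-id carries the
    eduPersonTargetedID value."""
    if not environ.get("Shib-Session-ID"):
        raise PermissionError("request did not pass through the SAML plug-in")
    idp = environ["Shib-Identity-Provider"]
    roles = verified_roles(idp, environ.get("affiliation", ""))
    tid = environ["persistent-id"]
    account = ACCOUNTS.setdefault(tid, LocalAccount(tid, idp))
    account.roles = roles
    return account


# Constructed first login, as the Shibboleth SP would populate the environment.
SAMPLE_LOGIN = {
    "Shib-Session-ID": "_s1",
    "Shib-Identity-Provider": "https://idp.example.ie/idp/shibboleth",
    "persistent-id": "https://idp.example.ie/idp/shibboleth!https://sp.example.org/shibboleth!Zm9v",
    "affiliation": "student@example.ie;member@example.ie",
}
```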

Using Edugate for Single-Sign-On
Using Edugate for Single-Sign-On can remove the need for service providers to maintain user credentials whilst providing a very convenient feature to users. Service providers may be able to avoid account management entirely for federated users if they find that Edugate and its members provide sufficient data so as to enable personalisation, authorization and persistence. However, service providers are advised to maintain a second login option in the event that federated access fails unexpectedly so as not to become entirely dependent on Edugate.

WAYF/Discovery Service Considerations
When adding SAML support, a choice will need to be made on whether to use the Edugate central WAYF/Discovery Service or to develop similar functionality within the application code; this is essential where it is likely that a user will visit your application directly rather than through a link at the user's home organisation. The central WAYF should be used as a last resort, as it introduces an external dependency that is not necessary, and it has only minimal styling applied. Another important feature that your code should support is the automatic processing of frequent changes to the digitally signed, remotely hosted metadata (the details of the identity providers that your application may be required to support may change frequently).

Who is Edugate for?

Edugate provides a single access mechanism that can enable access to online resources supporting alliances, research collaboration, consortia and shared services. Now users can use the credentials issued by their institution to access Edugate enabled web-sites and benefit from a personalised and persistent experience, with privacy features that put the user in control.

Enable users to use the campus directory credential to access Edugate enabled web sites beyond the campus boundary from anywhere, whilst protecting the campus directory from unnecessary searches and the user credentials from use on web sites beyond your control.

Your patrons are individuals, not IP Addresses!
Enable publishers to provide users with a consistent and personalised experience regardless of their location or the device they are using.
Improve the end-user experience by providing Single-Sign-On and reducing the frequency of prompts for campus credentials.
Connect your patrons to your subscribed resources, even where the user finds the resource without using the library.

Restrict access to your club or society web-site to valid campus users without needing the campus IT department to provide you with access to the entire campus user database.
For student unions, Edugate enables online elections that can authenticate all students currently enrolled without needing to expose campus credentials or personal information.

Example: UL Students Union

Provide your suppliers with a means to interact with all campus members. Whether it is parking management, physical access management, catering or sports facilities, Edugate can provide a secure means to validate staff and student status. Access cards or tokens can be issued online in a self-service manner, removing some, if not all, of the paperwork.

Example: Apcoa Parking Management

When establishing any online service that will be used by multiple institutions, Edugate will provide a means to authorise access to the service by user, role or institution without having to issue usernames/passwords or other credentials to the users of the service.
Most research projects are collaborations and when it comes to hosting collaborative tools or sharing documents and data, Edugate enables the hosting partner to seamlessly grant access to the project content.

Example: NDLR Repository
Example: HEAR and DARE

Campus IT managers and IT security officers are increasingly reluctant to synchronise user credentials or open up campus directory services to applications that are hosted in the cloud. Even locally hosted managed applications that require the campus credential to be processed by the application present a security risk. Edugate is built on the open SAML federated access standard that is used in financial services, aerospace and government eID, and provides Single-Sign-On without those risks.

e-Government
Whether it's a central or local government service that needs to validate that a student is a current student, Edugate can open up the potential for numerous e-Government services for students (e.g. Grants and Tax Credits).

e-Commerce
When offering a student discount online, relying on a campus email address leaves the offer open to abuse since many institutions offer 'email for life'. Edugate will allow you to know if a customer is a current student and which institution the customer is affiliated to.