I am making my service available to Norwegian schools through eduGAIN – why do I only see Feide as a organization?

Since Feide is a centralized login service, the only organization that your service will see in eduGAIN is Feide itself. All Norwegian institutions will be available through Feide, and end users will be able to choose their home institution in Feide itself.

Why is my organization not in the organization drop down list?

Feide is an opt-in federation, meaning the organizations that have joined Feide need to explicitly approve the use of a service before end users can access it. If you would like to use a service, but don’t see your institution in the drop down, contact the helpdesk in your institution and ask them to activate the service, providing them with relevant information to identity it (e.g. the URL you used to access it).

Can SAML metadata be dynamically updated?

SAML metadata is static and must be updated manually in the Feide customer portal.

I am trying to add SAML Metadata for a service in the customer portal, but getting errors about invalid data. What is wrong?

If the error says ‘This element is not expected’ it is most likely because there is an XML element in the wrong place. Order is significant in the SAML metadata XML.

Ref: See section 2.3.1 in https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

What do we need to do if we change the domain name of our service?

This requires adding SAML metadata for the new domain.

What must be done when changing the certificate of our service?

There may be two certificates in use at services connected to Feide:

  1. The certificate used to secure communications to the web page (the https-certificate).

    The Feide login system never communicates directly with your service. Instead all communication goes through the end user’s web browser. This means that there is no need to make any adjustments at Feide’s end when the https-certificate changes.

  2. The certificate used in the SAML 2.0 service provider software.

    SAML 2.0 allows service providers to sign and encrypt messages. Feide does not require signed messages from service providers, and does not encrypt messages to the services. The certificate configured in the SAML 2.0 software at the service is therefore not used by Feide, and can be updated any time the service requires it.

What must be done when changing the certificate of our LDAP server?

As long as you switch to a new certificate issued by a public certificate authority, the certificate should already be installed at the Feide login service. See the certificate requirements for more details.

What is openidp.feide.no used for?

It is used only for Feide guest users. Don’t use it if not explicitly told to by the Feide support team.

Can Feide modify or tailor the attributes of a user?

Feide does not modify attributes it sends to services.

What are the Feide password requirements?

Feide has no restrictions on character sets or length of passwords.

How can I test that two-factor authentication works for my account?

You can test it here.

Where can I look LDAP error codes up for Windows based systems?

Have a look at the Microsoft documentation.

What do I as a Service Provider have to do when two organizations merge?

When two organizations merge their Feide user directories, you as a service provider will have to update any references to the users and organization at your end. This may be the Feide-ID of the user (eduPersonPrincipalName), organization numbers for schools and school owners, the realm/domain of the organization, etc.

The typical process is that the organizations merging contacts you regarding the merger. The new organization must provide you with a list of old and new user identifiers, and any other information that may change as part of the merger.

You and the new organization must then agree on a time to make the change. At that time, you must update the data in your system. At the same time, the organization changes the configuration at their end, so that new user data is sent to the service.

See the documentation for configuring the merger solution in the Feide customer portal for more details.

What must be done when a municipality changes its municipality number (kommunenummer)?

The municipality does not need to do anything. Feide only uses the municipality number during for invoicing, and we will update the municipality numbers at that time.

What must be done to change the realm (domain) of an organization?

Short answer: It is possible, but very painful.

The domain that is configured for the organization in Feide is used to identify the organization in multiple places. These include systems at Feide as well as at service provider. For this reason, it is impossible to run with both the old and the new domain during a transition period. The procedure to change domains is:

  1. Set up new user directories in parallel with the old ones for users who are changing domains.
  2. Send us connection details for the new directories, in order that we can test them.
  3. Coordinate the changeover to the new domain with the providers of all services you use. All service providers who use the Feide ID to identify users in their systems have to update these identifiers. The time to change over must be coordinated with Feide as well as with all affected service providers.
  4. At the scheduled time, the service providers update the user IDs and Feide changes the configuration.
  5. After the changeover, the old user directories may be removed.

Feide and Shibboleth

Feide and Shibboleth federations are based on the same concepts, but Shibboleth federations are somewhat different from Feide. In Shibboleth, it is common to have a mesh of IdPs and SPs, where each service that wants to integrate with a new institution must talk to the different organizations that operate IdPs.

Feide operates one central IdP. A service integrates once with this central IdP, and Feide adjusts access according to the service provider’s and home organization’s requests.

If your service already is integrated with a Shibboleth federation, you can easily integrate with Feide (or the other way around) if the following is in place:

  • Feide uses the SAML 2.0 protocol. You need to ensure that your service supports SAML 2.0, older versions are not compatible with Feide.
  • Feide requires the use of HTTPS.
  • Feide encourages single logout support.

What are the implications of the Chrome 80 SameSite cookie change?

Chrome 80 may break services connected to Feide, due to changes in how Chrome sends cookies between different sites. If you are a service provider please read the detailed information.