Metadata Registration Practice Statement for Feide#
Version 1.0.2, last edited November 5th 2021.
Practices on Identity Provider Registration#
Feide operates a single Identity Provider on behalf of educational and research institutions in Norway. The Feide operational team manually maintains the metadata entry for this Identity Provider.
Users of the Feide Identity Provider select which institution to login on during the login process. Feide operates a opt-in model for institutions, where the institution must explicitly agree to accept eduGAIN connectivity before users are allowed to login through a given institution for any Service Provider within eduGAIN.
Before new institutions are connected to the eduGAIN through Feide Identity Provider, the following requirements must be fulfilled:
Institution sends a request to join Feide.
Institution fills out a registration form on the technical connectivity, user storage and user registration practices.
Institution signs the Feide Contract Part I and Part II, and sends it to Feide by postal mail.
Feide validates the gather information, and may inspect the user storage to review if requirements are fulfilled, before accepting the institution to be connected.
Institution explicitly requests to connect to eduGAIN services through the Feide Customer Portal.
Practices on Service Provider Registration#
Feide will only expose Service Providers to eduGAIN that are official services connected to the Feide federation production environment.
For a Service Provider to join the Feide federation, the following requirements must be met:
The Service provider must accept the terms and conditions in customer portal in order to publish a service.
The Service Provider must perform a technical test using the Feide Test Environment.
The Service Provider must fill out a registration form with necessary information about the service, including contact persons and attribute requirements.
The Service Provider provides SAML metadata to Feide.
Feide validates the provider information, including the attribute requirements, before accepting the Service Provider into the production environment.
Before the Service Provider is exposed to eduGAIN, the Service Provider also must fulfill these requirements:
The Service Provider must explicitly request to connect to eduGAIN through Feide.
Feide makes a sanity check that the setup is technically sound, and that the Service Provider consumes the eduGAIN metadata.
The metadata provided by the Service Provider will be manually processed by the Feide operational team, before being re-published through eduGAIN. For the Service Provider to make updates to the metadata entry, it must contact the Feide Helpdesk.
Feide Metadata Aggregate#
Feide maintains an aggregate of all metadata it exposes to eduGAIN:
The metadata document signature can be validated using the following X.509 certificate:
-----BEGIN CERTIFICATE-----
MIIEaDCCA1CgAwIBAgIJAIqK28Ft/k4fMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNV
BAYTAk5PMRIwEAYDVQQIEwlUcm9uZGhlaW0xEjAQBgNVBAcTCVRyb25kaGVpbTEQ
MA4GA1UEChMHVU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxJjAkBgNVBAMTHW1ldGFk
YXRhLXNpZ25pbmcta2V5LmZlaWRlLm5vMB4XDTExMDUwNTA2MTM0MVoXDTIxMDUw
NDA2MTM0MVowfzELMAkGA1UEBhMCTk8xEjAQBgNVBAgTCVRyb25kaGVpbTESMBAG
A1UEBxMJVHJvbmRoZWltMRAwDgYDVQQKEwdVTklORVRUMQ4wDAYDVQQLEwVGZWlk
ZTEmMCQGA1UEAxMdbWV0YWRhdGEtc2lnbmluZy1rZXkuZmVpZGUubm8wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcKU4nXnyAnpV1ze7gPstxWOiG9CnC
lT40n6ahOQNzp/RVhSHvr44YU5+hjKUYyEDKIfth94d3Zso/ytDieVcTaMKlvJLC
rormiVIlcg/yQiXyAJSppScich/m1shUuOSiCWuO9wYF6IkIFXTT+kCTi8++s+iW
XG8brorsyiTW5ztU4PUZ+ZyrWowbKl6DMybI5C9djbkgqeRgbJeTen8JGASS0Ezp
YmuyHgmvy69X0cMr5a6fY2/f+bApiP/oPjr4AuoSASka4QQ8Fn0zWQfcIGAX+1iQ
nbkpzaurz5YRfB06PjPrpYpobJ011tDrJqggxLxPB4AqZSSW1pCLI8DvAgMBAAGj
geYwgeMwHQYDVR0OBBYEFAaysDNeH7PDb9Qoq7Jdm3D9gKbcMIGzBgNVHSMEgasw
gaiAFAaysDNeH7PDb9Qoq7Jdm3D9gKbcoYGEpIGBMH8xCzAJBgNVBAYTAk5PMRIw
EAYDVQQIEwlUcm9uZGhlaW0xEjAQBgNVBAcTCVRyb25kaGVpbTEQMA4GA1UEChMH
VU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxJjAkBgNVBAMTHW1ldGFkYXRhLXNpZ25p
bmcta2V5LmZlaWRlLm5vggkAiorbwW3+Th8wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEANcTJpNAeWg5R4PBBVvwNjCcpTCaMqpAXgNJMSCLIQrBHAQuT
M/3dMJeUzo303erIpOsX9gJdhvKq/Ii8hF4/+J7aQZMg1E9yLU5P6/zUqS22vpAe
DfVyIe38gTS3u67m3wSVjfp0THqIS7y6m+ID3KpeKFtdo1rSLFQBch/l+NivfIoU
VVEZWWGHtxMSC9PM+x655f29wxVyAe74c+585nM62FUCUXGtli1B81GU2i/g7ADa
Bv6Pp8GAajBToziaxSSsB0hmn6z0dxW1QsDlBKwPGr4e6BdRqnzqpUu5UPPVj4Z3
kUuV9JExHe7FRwcfxWcy3jyPpm2AUJmrHtYDFw==
-----END CERTIFICATE-----