Enabling eduGAIN login when using SAML 2.0#

The eduGAIN interfederation service connects identity federations around the world, simplifying access to content, services and resources for the global research and education community. It is based in the SAML protocol and as a Service Provider in Feide using that protocol, you can also join eduGAIN to offer your services to other home institutions all around the world.

Technical requirements#

In order for you to join eduGAIN as a Service Provider, Feide needs to publish your SAML metadata describing how to interoperate with you. This metadata will be published upstream to eduGAIN, and from there, all other member identity federations will publish your metadata downstream to their home institutions. We need therefore to receive your metadata, and you will need to pay special attention to the following:

  • The metadata you provide us with does not need to be exactly the same as you provided to Feide. It is entirely up to you, but it needs to reflect perfectly how other parties in eduGAIN can interact with your service using SAML.

  • This metadata must express your needs in terms of attributes by using the md:RequestedAttribute element defined in the SAML standard, one per each attribute you need.

  • The NameFormat for those attributes you need must be urn:oasis:names:tc:SAML:2.0:attrname-format:uri, and its Name should be expressed in such format. This is a difference compared to Feide, where we use basic names for attributes instead of OIDs. Of course, this means your Service Provider needs to be able to translate attribute names from one format to the other, or understand both at the same time.

  • Your metadata should be valid according to the metadata validator.

Additionally, you will need to handle a few things on your own. The same way we will publish your metadata upstream to eduGAIN, we also consume metadata coming from it, parse and filter it for our services in Feide. Your Service Provider must fetch eduGAIN’s metadata periodically, at least once a day, from the following URL:

https://metadata.feide.no/edugain-metadata.xml

You will also need to handle discovery yourself. Discovery is what allows your users to find their way to their home institutions in order to authenticate themselves. This is an important step in terms of usability, and you need to prepare for potentially thousands of home institutions being available to your users, and find a way to display and allow your users to select them in an accessible way. There are different solutions to this problem, but we usually recommend grouping home institutions by country and allowing the user to search by name and realm (domain). Typically, you may want to distinguish between Feide and other federations you may be already part of, and eduGAIN. The way you can handle this may depend heavily on the SAML implementation you are using, so you need to refer to its documentation to figure out what is the best approach. Feide does not offer any way to do discovery for the moment.

Once your metadata is ready, you are consuming eduGAIN’s metadata feed from the URL above, and your new discovery interface is in place, we can proceed to publish your metadata towards eduGAIN and others will be able to see it and use it to log into your service.

Optional features#

Many home institutions will simple refuse to send any attributes to you, as they don’t know you. If you would like to improve your chances to get the attributes you need, you can declare adherence to eduGAIN’s Data Protection Code of Conduct. This is a self-asserted document that states your compliance with certain good practices regarding attribute and personal data handling, and it might increase the chances that home organizations trust you and send the attributes you need. You can read more about what it implies for you as a Service Provider.

Additionally, if your service shares the common criteria described in the REFEDS Research and Scholarship Entity Category, Feide may add that to your metadata (upon request), which may also help others to trust you and release a minimal amount of required personal information. You can also read more relevant information for R&S Service Providers