For federated Identity Providers to interact with Internet2 Identity Services, the Identity Provider must be configured as shown in the 'Service Details' section below. This happens automatically if the Identity Provider supports the Research & Scholarship category.


We support the SAML2 deployment profile for federation interoperability from Kantara, described here: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html.

Identity Services SP Service Details

SAML EntityID: https://login.at.internet2.edu/Saml2/proxy_saml2_backend.xml

Friendly Name                 | SAML Attribute Name                | Required?
------------------------------|------------------------------------|----------
eduPersonPrincipalName (ePPN) | urn:oid:1.3.6.1.4.1.5923.1.1.1.6   | Yes
mail                          | urn:oid:0.9.2342.19200300.100.1.3  | Yes
displayName                   | urn:oid:2.16.840.1.113730.3.1.241  | Yes*
givenName                     | urn:oid:2.5.4.42                   | Yes*
sn (surname)                  | urn:oid:2.5.4.4                    | Yes*
affiliation (scoped)          | urn:oid:1.3.6.1.4.1.5923.1.1.1.9   | No

NOTE: This service requires signed responses and will reject assertions where only the assertion itself is signed. This helps mitigate signature wrapping attacks and complies with the "SAML V2.0 Implementation Profile for Federation Interoperability" standard published here (specification IIP-SP13).
* Some form of name must be sent. The displayName attribute is used if it is sent. Otherwise, givenName and sn must be sent and are concatenated to form the 'Name'.

Is your organization in the federation?

You can look up your home organization here to see what its current status is. It will need to have the 'Federation' tag for this integration to work.
You can learn more about joining the InCommon Federation here.

The Internet2 wiki is moving on August 6, 2018.

Internet2 is transitioning its Confluence wiki from spaces.at.internet2.edu to spaces.at.internet2.edu. This is more than just a domain name change. The new instance will use a new registry and permissions management system, so all users will have a new record in this system. This wiki transition is part of a larger project that will allow working group chairs and others to manage resources and permissions. We’re using Grouper and COmanage to manage access to the wiki and email lists.

(Gliffy diagram: RSsupport)

See What You are Releasing

If you'd like to see the attributes the Collaboration Platform Identity Services is receiving from your Identity Provider, use this page to choose your identity provider and you will be directed to a page showing that information.

Sign your responses

Ensure that, when it responds, your IdP is signing the response itself, not only the assertion. This is in accordance with specification IIP-SP13 in the "SAML V2.0 Implementation Profile for Federation Interoperability" document located here.

Update Your Attribute Release Policy

You may need to update your attribute release policy to include the new wiki: spaces.at.internet2.edu.

If you are not in a position to adopt R&S, logging into spaces.at.internet2.edu requires an identifier: eduPersonPrincipalName (ePPN). It will ease your users' onboarding and access if you also release displayName, givenName+sn, and email address via the mail attribute. Also, the entityID of the new wiki platform is https://login.at.internet2.edu/Saml2/proxy_saml2_backend.xml.

Research & Scholarship

...

This service uses the Research & Scholarship entity category.


We encourage you to take this opportunity to support the Research & Scholarship (R&S) entity category and release the associated basic set of attributes. When you support R&S, you release the attribute bundle to the entire category of Service Providers (which are vetted by InCommon or one of our sister federations that are part of eduGAIN; you can see a list here). Releasing R&S to the new spaces.at.internet2.edu means your faculty and staff should have seamless access to the new wiki address and their associated permissions.

Note that the list of R&S Service Providers includes a number of collaboration tools. Even if your campus is not research-focused, you may have faculty and staff who need access to these services.

The R&S attribute bundle includes the following required data elements.

...

For more information, see item #5 in the R&S entity category description.

...

There is a wiki page that provides detailed information and instructions on how to configure your IdP to release the R&S attributes to all R&S Service Providers.

Troubleshooting

  • If you are receiving the error "opensaml::FatalProfileException", it is usually caused by one of a few issues.
    • It can be caused by the IdP not signing the SAML responses. Please refer to the "NOTE" in the Identity Services SP Service Details section above. Other causes of this error are unverifiable signatures and invalidly formatted assertions.
    • It can be caused by the 'SubjectConfirmationData Address' in the '<saml:Subject>' being set to a value that is not an IP address.
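The checks this page asks an IdP operator to get right (a signature on the Response itself rather than only on the Assertion, the required attribute OIDs from the Service Details table, the displayName-or-givenName+sn name rule, and a SubjectConfirmationData Address that is a real IP address) can be tested offline before a login attempt. The following is an added example written for this page, not code from Internet2 or from any IdP product; it inspects a captured SAML Response with the standard library only and reports which of these requirements it misses. It checks structure only and does not verify the XML signature cryptographically; the build_sample helper and the signature elements it emits are constructed test data, not real IdP output.

```python
# Added example (not Internet2's code): structural checks on a SAML2 Response
# against the requirements stated on this page. Does NOT validate XML-DSig.
import ipaddress
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# OIDs copied from the Service Details table above.
OID_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
OID_DISPLAYNAME = "urn:oid:2.16.840.1.113730.3.1.241"
OID_GIVENNAME = "urn:oid:2.5.4.42"
OID_SN = "urn:oid:2.5.4.4"

def response_is_signed(root):
    """True only if the <samlp:Response> element itself has a direct <ds:Signature> child."""
    return root.find("ds:Signature", NS) is not None

def assertion_is_signed(root):
    """True if the (first) <saml:Assertion> carries its own <ds:Signature>."""
    assertion = root.find("saml:Assertion", NS)
    return assertion is not None and assertion.find("ds:Signature", NS) is not None

def extract_attributes(root):
    """Map attribute Name (the OID) -> list of string values."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def derive_name(attrs):
    """The page's rule: use displayName if sent, otherwise concatenate givenName and sn."""
    if attrs.get(OID_DISPLAYNAME):
        return attrs[OID_DISPLAYNAME][0]
    given, sn = attrs.get(OID_GIVENNAME), attrs.get(OID_SN)
    if given and sn:
        return f"{given[0]} {sn[0]}"
    return None

def confirmation_address_ok(root):
    """SubjectConfirmationData/@Address, when present, must be a literal IP address."""
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        addr = scd.get("Address")
        if addr is None:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return False
    return True

def check_response(xml_text):
    """Return a list of problems; an empty list means every check on this page passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if not response_is_signed(root):
        if assertion_is_signed(root):
            problems.append("only the Assertion is signed; the Response must be signed")
        else:
            problems.append("Response is not signed")
    attrs = extract_attributes(root)
    if not attrs.get(OID_EPPN):
        problems.append("missing eduPersonPrincipalName")
    if not attrs.get(OID_MAIL):
        problems.append("missing mail")
    if derive_name(attrs) is None:
        problems.append("no displayName and no givenName+sn")
    if not confirmation_address_ok(root):
        problems.append("SubjectConfirmationData Address is not an IP address")
    return problems

def build_sample(sign_response, sign_assertion, attrs, address="203.0.113.7"):
    """Constructed test input (hypothetical, not a real IdP response); the Signature
    element is a placeholder so the structural checks can be exercised offline."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
    attr_xml = "".join(
        f'<saml:Attribute Name="{oid}"><saml:AttributeValue>{val}</saml:AttributeValue></saml:Attribute>'
        for oid, val in attrs.items())
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + (sig if sign_assertion else "")
        + '<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        + f'<saml:SubjectConfirmationData Address="{address}"/>'
        + '</saml:SubjectConfirmation></saml:Subject>'
        + f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        + '</saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    # A response that signs only the assertion and omits mail: the two failure
    # modes called out in the NOTE and in Troubleshooting.
    bad = build_sample(False, True, {OID_EPPN: "jdoe@example.edu"}, address="idp.example.edu")
    for problem in check_response(bad):
        print("-", problem)
```

To use it on real traffic, paste the decoded (base64 and, for the Redirect binding, inflated) Response XML into check_response; an empty result means the response is shaped the way this service expects, and each string in the list maps to one of the sections above. The constructed sample deliberately reproduces the assertion-only signature and the hostname in SubjectConfirmationData Address that the Troubleshooting section lists as causes of opensaml::FatalProfileException.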