Adding presentation page

git-svn-id: https://svn.geant.net/GEANT/edugain_testidp_account_manager/trunk@96 047e039d-479c-447e-8a29-aa6bf4a09bab

Adding presentation page
11050d80 · renater.salaun · ea5c39fc · 11050d80 · 11050d80
Commit 11050d80 authored 10 years ago by renater.salaun
--- a/resources/presentation.html
+++ b/resources/presentation.html
+
+<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/x
+html1/DTD/xhtml1-transitional.dtd">
+<html xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
+  
+<link rel="icon" type="image/png" href="/resources/images/favicon.png" />
+
+<!-- Foundation css -->
+<link rel="stylesheet" type="text/css" href="/resources/foundation/css/normalize.css">
+<link rel="stylesheet" type="text/css" href="/resources/foundation/css/foundation.css">
+
+<link href="/resources/jquery.steps.css" rel="stylesheet">
+<link rel="stylesheet" type="text/css" href="/resources/jquery-ui-1.11.1/jquery-ui.min.css" />
+<link rel="stylesheet" type="text/css" href="/resources/css/style.css" />
+
+<script type="text/javascript" src="/resources/jquery-1.11.1.min.js"></script>
+<script type="text/javascript" src="/resources/jquery-ui-1.11.1/jquery-ui.min.js"></script>
+<script type="text/javascript" src="/resources/jquery.validate.1.13.0.min.js"></script>
+<script type="text/javascript" src="/resources/jquery.cookie-1.4.1.min.js"></script>
+<script type="text/javascript" src="/resources/jquery.steps.1.1.0.min.js"></script>
+
+<SCRIPT TYPE="text/javascript"> 
+<!--
+
+  // To confirm on a link (A HREF)
+  function request_confirm_link(my_url, my_message) {
+    question = confirm(my_message);
+    if (question !="0") {
+         top.location = my_url;
+    }
+  }
+
+function showhide(div){
+    var oDiv = document.getElementById(div);
+    if(oDiv.style.display == "none"){
+        oDiv.style.display = "block";
+    }else{
+        oDiv.style.display = "none";
+    }
+}
+
+function hide(div) {
+    var oDiv = document.getElementById(div);
+    oDiv.style.display = "none";
+}
+
+jQuery(function($){
+
+    $.widget( "custom.combobox", {
+        _create: function() {
+            this.wrapper = $( "<span>" )
+            .addClass( "custom-combobox" )
+            .insertAfter( this.element );
+
+            this.element.hide();
+            this._createAutocomplete();
+            this._createShowAllButton();
+        },
+
+        _createAutocomplete: function() {
+            var selected = this.element.children( ":selected" ),
+                value = selected.val() ? selected.text() : "";
+
+            this.input = $( "<input>" )
+                .appendTo( this.wrapper )
+                .val( value )
+                .attr( "title", "" )
+                .addClass( "custom-combobox-input ui-widget ui-widget-content ui-state-default ui-corner-left error required" )
+                .autocomplete({
+                    delay: 0,
+                    minLength: 0,
+                    source: $.proxy( this, "_source" )
+                })
+                .tooltip({
+                    tooltipClass: "ui-state-highlight"
+            });
+
+            this._on( this.input, {
+                autocompleteselect: function( event, ui ) {
+                    ui.item.option.selected = true;
+                    this._trigger( "select", event, {
+                        item: ui.item.option
+                    });
+                },
+ 
+                autocompletechange: "_removeIfInvalid"
+            });
+        },
+
+        _createShowAllButton: function() {
+            var input = this.input,
+            wasOpen = false;
+    
+            $( "<a>" )
+                .attr( "tabIndex", -1 )
+                .attr( "title", "Show All Items" )
+                .tooltip()
+                .appendTo( this.wrapper )
+                .button({
+                    icons: {
+                        primary: "ui-icon-triangle-1-s"
+                    },
+                    text: false
+                })
+                .removeClass( "ui-corner-all" )
+                .addClass( "custom-combobox-toggle ui-corner-right" )
+                .mousedown(function() {
+                    wasOpen = input.autocomplete( "widget" ).is( ":visible" );
+                })
+                .click(function() {
+                    input.focus();
+            
+                    // Close if already visible
+                    if ( wasOpen ) {
+                    return;
+                    }
+            
+                    // Pass empty string as value to search for, displaying all results
+                    input.autocomplete( "search", "" );
+                });
+        },
+        
+        _source: function( request, response ) {
+            var matcher = new RegExp( $.ui.autocomplete.escapeRegex(request.term), "i" );
+            response( this.element.children( "option" ).map(function() {
+                var text = $( this ).text();
+                if ( this.value && ( !request.term || matcher.test(text) ) )
+                    return {
+                        label: text,
+                        value: text,
+                        option: this
+                    };
+            }) );
+        },
+        
+        _removeIfInvalid: function( event, ui ) {
+ 
+            // Selected an item, nothing to do
+            if ( ui.item ) {
+                return;
+            }
+
+            // Search for a match (case-insensitive)
+            var value = this.input.val(),
+                valueLowerCase = value.toLowerCase(),
+                valid = false;
+            this.element.children( "option" ).each(function() {
+                if ( $( this ).text().toLowerCase() === valueLowerCase ) {
+                    this.selected = valid = true;
+                    return false;
+                }
+            });
+            
+            // Found a match, nothing to do
+            if ( valid ) {
+                return;
+            }
+            
+            // Remove invalid value
+            this.input
+                .val( "" )
+                .attr( "title", value + " didn't match any item" )
+                .tooltip( "open" );
+            this.element.val( "" );
+            this._delay(function() {
+                this.input.tooltip( "close" ).attr( "title", "" );
+            }, 2500 );
+            this.input.autocomplete( "instance" ).term = "";
+        },
+
+        _destroy: function() {
+            this.wrapper.remove();
+            this.element.show();
+        }
+    });
+});
+
+//-->      
+</SCRIPT>
+
+
+<title>Learn more about eduGAIN Access Check </title>
+
+</head>
+
+<body>
+<div id="header">
+	<ul>
+		<li class="logo align-left"><a href="/accountmanager" title="eduGAIN Access Check home page"><img alt="eduGAIN logo" width="200" src="/resources/images/edugain_logo.png "/></a></li>
+		<li>&nbsp;</li>
+		<li class="logo align-right"><a href="http://www.geant.net" title="Géant home page" target="_blank"><img alt="GEANT logo" width="100" src="/resources/images/geant_logo_rgb_300dpi.jpg"/></a></li>
+	</ul>
+	<div class="title">
+		<span class="hide-for-small"><h1>Learn more about eduGAIN Access Check</h1></span>
+	</div>
+</div>
+
+
+<div id="wrapper">
+ 
+	<!--<div id="bandeau">
+		<div class="logo">
+			<img alt="GEANT logo" width="150" src="/resources/geant_logo_rgb_300dpi.jpg"/>
+		</div>
+	</div>-->     
+
+  <div id="content">
+
+
+
+
+ <!-- notifications -->
+
+
+
+
+ 
+  <script type="text/javascript">
+
+$(function() {
+    
+    $('#start_testing').on('click',function() {
+        window.location.href='https://dev-edugain.renater.fr/accountmanager?action=account_wizard';
+    });
+});
+
+</script>
+
+
+<div class="row">
+  
+<h2>What for?</h2>
+In their daily lives federation operators and eduGAIN experts are frequently asked,
+how access to a production federated service can be tested. A simple login test to a federated service requires a federated account at an
+organisation that is part of the federation/eduGAIN. However, on one hand commercial service operators normally don't have and normally
+don't received federated accounts in a national federation and eduGAIN. On the other hand, even if they had a single account of their
+own or if they asked a real-world user to test, this would not be sufficient to thouroughly test federated login with multiple identities
+and different sets of attributes.
+<br/><br/>
+Setting up an own Identity Provider and configuring it with their SP would be ideal but is non-trivial and therefore
+in most cases too much effort. Using self-registration IdPs (e.g. <a href="https://openidp.feide.no/">https://openidp.feide.no/</a>)
+and configuring them bilaterally with their SP might be sufficient for development but as these IdPs are not part of eduGAIN,
+they don't allow federated login under real conditions from an eduGAIN IdP. Also, self-registration IdPs usually don't allow
+certain attributes (e.g. affiliation) to be set.
+<br/><br/>
+The eduGAIN Access Check solves most of the above-mentioned problems because it provides SP operators an easy way to test
+federated login on their eduGAIN service with test identities that have different attribute profiles.
+
+<h2>Benefits of the eduGAIN Access Check</h2> 
+  
+The eduGAIN Access Check allows SP administrators to ensure proper functioning of their services within eduGAIN.
+It is especially useful for services not hosted by an R&E institution, because they can't use their own IdP to login
+and test their production eduGAIN-enabled service. Setting up an IdP on their own would require considerable efforts on their part.
+<br/><br/>
+The eduGAIN Access Check provides realistic user profiles (e.g. including non-ascii characters, typical attributes) to help SP
+administrators to improve and adapt their eduGAIN-enabled services to the constraints of variable attribute release in an
+international context. In particular, the eduGAIN Access Check makes the SP operators aware that 1) different eduGAIN IdPs will
+release varying set of attributes 2) the vocabulary and semantics of some attributes (i.e. eduPersonAffiliation) differ from federation to federation.
+<br/><br/>
+SAML2 entity categories (GÉANT Data Protection Code of Conduct, REFEDS Research & Scholarship) support for attribute
+release management is a non-trivial concept within eduGAIN. The eduGAIN Access Check releases a reasonable set of attributes
+to SPs, depending on the entity categories they belong to. This should encourage SP administrators to follow the eduGAIN guidelines
+and facilitate the use of entity categories.
+
+<h2>Frequently asked questions</h2>
+      
+<h3>I run a SAML-enabled service. How can I use the eduGAIN Access Check?</h3>  
+  
+Your Service Provider first needs to be registered in eduGAIN metadata. Therefore you should contact your nearest federation operators (<a href="http://edugain.org/technical/status.php">check the list
+of eduGAIN participating federations</a>) to find out about the local process to join eduGAIN.
+<br/><br/>
+Once your SP metadata get included into eduGAIN's, <a href="/accountmanager?action=account_wizard">you can start the test accounts creation process</a>.
+Before you obtain these test accounts, we'll need to ensure you are a legitimate administrator of your SP. This is achieved via an email challenge.
+<br/><br/>
+You can then initiate a login at your SP. You will select "eduGAIN Access Check" as your Identity Provider and use the credentials of one provided test account.
+Once authenticated, the eduGAIN Access Check IdP will send your SP realistic sets of user attributes to help you validate your service behaves as expected.
+  
+<h3>How long can I use the eduGAIN Access Check test accounts?</h3>
+  
+Test accounts expire automatically after a few days. However you can ask for new test accounts, via the same process, if you still need it.
+
+  
+<h3>How can I provide the eduGAIN Access Check within my federation?</h3>
+
+The code of the eduGAIN Access Check Account manager is published as open source. It's available at:
+<a href="svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager">svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager</a>. You can install it to
+run you own instance of the service.
+<br/><br/>
+If national federations don't want to have their own service but still have the test idp in their federation for anybody,
+they could ask and request for that, in which case the eduGAIN Access Check then would also load the federation metadata
+of that federation in addition to eduGAIN. The national federation then would have to add the eduGAIN Access Check IdP on their own to their local federation.
+
+<h3>How does this identity provider compare with test identity providers and guest identity providers?</h3>
+Test identity providers provide test accounts, with well-known accounts credentials. If such a test IdP is registered
+in eduGAIN, it allows access to any registered SP, through these test accounts, unless the test IdP is white-listed,
+either at the SP level or at national federation level. 
+<br/><br/>
+Guest identity providers provide user account to users who don't/can't have an account at an institutional IdP.
+These guest IdP rely on mail address verification (based on a challenge for instance) as a provisioning method.
+This type of IdP provides a poor user profile (name, email, user identifier) and cannot release user attributes carrying privileges.
+It is not recommended to register these IdPs in eduGAIN.
+<br/><br/>
+
+Unlike a test IdP, eduGAIN Access Check test accounts credentials are provided to the requestor only.<br/>
+Unlike a guest IdP, duGAIN Access Check test accounts creation is a restricted feature; you need to proove you are admin of an eduGAIN production SP to use it.<br/>
+Unlike a standard IdP, duGAIN Access Check test accounts can be used to access a single SP. If you request test accounts
+as admin of SP A; these test accounts won't allow login if the client SP is not SP A.
+      
+<h3>What prevents this identity provider to be used to impersonate real eduGAIN users?</h3>
+
+Test accounts by the eduGAIN Access Check have a hard-coded domain set to "@access-check.edugain.org" that cannot be customized.
+The eduGAIN Access Check will have the scope "access-check.edugain.org" in its published metadata. Therefore, an SP with enabled scope
+check would not accept any eduPersonPrincipalName with a different scope than this.
+<br/><br/>
+The creation of eduGAIN Access Check test accounts is limited to administrators of an SP published in eduGAIN metadata. The SP admin validation process
+relies on a standard email challenge sent to the declared technical contacts in the SP's official metadata.
+<br/><br/>
+Test identities can be used exclusively to access a single SP (the one of the verified SP admin). Authentication requests for other SPs are rejected.
+
+
+
+</div>
+
+ 
+
+
+
+
+ <!-- IF errors -->
+
+<p>
+
+
+
+		<div>
+
+<div id="footer">
+	<div class="row align-center">
+	<span>eduGAIN Access Check</span>
+	</div>
+</div>
+		</div>
+	</div>
+</div>
+
+            <script src="/resources/foundation/js/foundation.min.js"></script>
+			<script src="/resources/foundation/js/foundation/foundation.tooltip.js"></script>
+            <script>
+                $(document).foundation();
+            </script>   
+
+
+</div>
+</body>
+</html>
--- a/templates/web/home.tt2.html
+++ b/templates/web/home.tt2.html
@@ -15,7 +15,7 @@ $(function() {
 <p>[% conf.app_name %] allows administrators of a Service
 Provider (SP) registered in <a href="http://www.geant.net/service/eduGAIN/Pages/home.aspx">eduGAIN</a> to create test
 accounts with different profiles to validate the behaviour and test
-federated login. The test accounts can only be used to access own services.
+federated login. The test accounts can only be used to access own services. <a href="/resources/presentation.html">Learn more about this service...</a>
 </p>
 <h3>Start testing your eduGAIN service</h3>
 <p>