Update presentation page content by Lukas

git-svn-id: https://svn.geant.net/GEANT/edugain_testidp_account_manager/trunk@103 047e039d-479c-447e-8a29-aa6bf4a09bab

Update presentation page content by Lukas
dd9992d0 · renater.salaun · 3ced1d97 · dd9992d0
Commit dd9992d0 authored 10 years ago by renater.salaun
--- a/resources/presentation.html
+++ b/resources/presentation.html
@@ -224,7 +224,7 @@ jQuery(function($){
 $(function() {
    
    $('#start_testing').on('click',function() {
-        window.location.href='https://dev-edugain.renater.fr/accountmanager?action=account_wizard';
+        window.location.href='/accountmanager?action=account_wizard';
    });
 });

@@ -233,40 +233,60 @@ $(function() {

 <div class="row">
  
-<h2>What for?</h2>
+<h2>What is the service for?</h2>
 <p>
-In their daily lives federation operators and eduGAIN experts are frequently asked,
-how access to a production federated service can be tested. A simple login test to a federated service requires a federated account at an
-organisation that is part of the federation/eduGAIN. However, on one hand commercial service operators normally don't have and normally
-don't received federated accounts in a national federation and eduGAIN. On the other hand, even if they had a single account of their
-own or if they asked a real-world user to test, this would not be sufficient to thouroughly test federated login with multiple identities
+In their daily lives federation operators and eduGAIN experts are 
+frequently asked,
+how access to a production federated service can be tested. A simple 
+login test to a federated service requires a federated account at an
+organisation that is part of the federation/eduGAIN. However, on one 
+hand commercial service operators normally don't have and normally
+don't received federated accounts in a national federation and eduGAIN. 
+On the other hand, even if they had a single account of their
+own or if they asked a real-world user to test, this would not be 
+sufficient to thouroughly test federated login with multiple identities
 and different sets of attributes.
 </p>
 <p>
-Setting up an own Identity Provider and configuring it with their SP would be ideal but is non-trivial and therefore
+Setting up an own SAML Identity Provider (IdP) and us this to test the own IdP would be ideal but is non-trivial and therefore
 in most cases too much effort. Using self-registration IdPs (e.g. <a href="https://openidp.feide.no/">https://openidp.feide.no/</a>)
-and configuring them bilaterally with their SP might be sufficient for development but as these IdPs are not part of eduGAIN,
+and configuring them bilaterally with their Service Provider (SP) might be sufficient for development but as these IdPs are not part of eduGAIN,
 they don't allow federated login under real conditions from an eduGAIN IdP. Also, self-registration IdPs usually don't allow
 certain attributes (e.g. affiliation) to be set.
 </p><p>
-The eduGAIN Access Check solves most of the above-mentioned problems because it provides SP operators an easy way to test
-federated login on their eduGAIN service with test identities that have different attribute profiles.
+The eduGAIN Access Check solves most of the above-mentioned issues because it provides SP operators an easy way to test
+federated login for their eduGAIN service with test identities that have different attribute profiles.
 </p>

 <h2>Benefits of the eduGAIN Access Check</h2> 
 <p>  
-The eduGAIN Access Check allows SP administrators to ensure proper functioning of their services within eduGAIN.
-It is especially useful for services not hosted by an R&E institution, because they can't use their own IdP to login
-and test their production eduGAIN-enabled service. Setting up an IdP on their own would require considerable efforts on their part.
+The eduGAIN Access Check allows SP administrators to ensure proper 
+functioning of their services within eduGAIN.
+It is especially useful for services not hosted by an R&amp;E 
+institution, because they can't use their own IdP to login
+and test their production eduGAIN-enabled service. Setting up an IdP on 
+their own would require considerable efforts on their part.
 </p><p>
-The eduGAIN Access Check provides realistic user profiles (e.g. including non-ascii characters, typical attributes) to help SP
-administrators to improve and adapt their eduGAIN-enabled services to the constraints of variable attribute release in an
-international context. In particular, the eduGAIN Access Check makes the SP operators aware that 1) different eduGAIN IdPs will
-release varying set of attributes 2) the vocabulary and semantics of some attributes (i.e. eduPersonAffiliation) differ from federation to federation.
-</p><p>
-SAML2 entity categories (GÉANT Data Protection Code of Conduct, REFEDS Research & Scholarship) support for attribute
-release management is a non-trivial concept within eduGAIN. The eduGAIN Access Check releases a reasonable set of attributes
-to SPs, depending on the entity categories they belong to. This should encourage SP administrators to follow the eduGAIN guidelines
+The eduGAIN Access Check provides realistic user profiles (e.g. 
+including non-ascii characters, typical attributes) to help SP
+administrators to improve and adapt their eduGAIN-enabled services to 
+the constraints of variable attribute release in an
+international context. In particular, the eduGAIN Access Check makes the
+ SP operators aware that:
+ </p>
+ <ol>
+ <li>different eduGAIN IdPs will release varying set of attributes</li>
+ <li>the vocabulary and semantics of 
+some attributes (i.e. eduPersonAffiliation) differ from federation to 
+federation</li>
+</ol>
+<p>
+SAML2 entity categories (GÉANT Data Protection Code of Conduct, REFEDS 
+Research &amp; Scholarship) support for attribute
+release management is a non-trivial concept within eduGAIN. The eduGAIN 
+Access Check releases a reasonable set of attributes
+to SPs, depending on the entity categories they belong to. This should 
+encourage SP administrators to follow the eduGAIN guidelines
 and facilitate the use of entity categories.
 </p>

@@ -274,63 +294,79 @@ and facilitate the use of entity categories.
      
 <h3>I run a SAML-enabled service. How can I use the eduGAIN Access Check?</h3>  
 <p>
-Your Service Provider first needs to be registered in eduGAIN metadata. Therefore you should contact your nearest federation operators (<a href="http://edugain.org/technical/status.php">check the list
-of eduGAIN participating federations</a>) to find out about the local process to join eduGAIN.
+Your Service Provider first needs to be registered in eduGAIN metadata. 
+Therefore, you should contact your nearest federation operators (please have a look at the <a href="http://edugain.org/technical/status.php">list
+of eduGAIN member federations</a>) to find out about the local process to join eduGAIN.
 </p><p>
-Once your SP metadata get included into eduGAIN's, <a href="/accountmanager?action=account_wizard">you can start the test accounts creation process</a>.
-Before you obtain these test accounts, we'll need to ensure you are a legitimate administrator of your SP. This is achieved via an email challenge.
+Once your SP's metadata is included into eduGAIN, <a href="/accountmanager?action=account_wizard">you can start creating test accounts</a>.
+Before you obtain the test accounts, it is checked that you are a 
+legitimate administrator of your SP. This is achieved via an email 
+challenge sent to the contact address for the Service Provider.
 </p><p>
-You can then initiate a login at your SP. You will select "eduGAIN Access Check" as your Identity Provider and use the credentials of one provided test account.
-Once authenticated, the eduGAIN Access Check IdP will send your SP realistic sets of user attributes to help you validate your service behaves as expected.
+To use the test accounts, initiate a login at your SP. On the Discovery Service, select "eduGAIN 
+Access Check" as your Identity Provider and then use the credentials of one of the created test accounts.
+Once authenticated, the eduGAIN Access Check IdP will send your SP 
+a realistic set of user attributes. This allows you to validate that your service
+behaves as expected.
 </p>
  
 <h3>How long can I use the eduGAIN Access Check test accounts?</h3>
 <p>
-Test accounts expire automatically after a few days. However you can ask for new test accounts, via the same process, if you still need it.
+Test accounts expire automatically after a few days. However you can ask
+ for new test accounts, via the same process, if you still need it.
 </p>
  
 <h3>How can I provide the eduGAIN Access Check within my federation?</h3>
 <p>
 The code of the eduGAIN Access Check Account manager is published as open source. It's available at:
-<a href="svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager">svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager</a>. You can install it to
+<a href="svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager">svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager</a>. Feel free to install it to
 run you own instance of the service.
 </p><p>
-If national federations don't want to have their own service but still have the test idp in their federation for anybody,
-they could ask and request for that, in which case the eduGAIN Access Check then would also load the federation metadata
-of that federation in addition to eduGAIN. The national federation then would have to add the eduGAIN Access Check IdP on their own to their local federation.
+If national federations don't want to have their own service but still 
+want the eduGAIN Access Check as a service in their federation to be use by all their SPs,
+they can request that. The eduGAIN Access Check then would be configured to also load the metadata
+of that federation in addition to eduGAIN. Vice versa, the national federation then 
+would have to include the metadata of the eduGAIN Access Check IdP  in their 
+local federation's metadata.
 </p>

-<h3>How does this identity provider compare with test identity providers and guest identity providers?</h3>
+<h3>How does this Identity Provider compare with test identity providers and guest identity providers?</h3>
 <p>
 Test identity providers provide test accounts, with well-known accounts credentials. If such a test IdP is registered
-in eduGAIN, it allows access to any registered SP, through these test accounts, unless the test IdP is white-listed,
+in eduGAIN, it allows access to any registered eduGAIN SP with these test accounts, unless the test IdP is filtered out,
 either at the SP level or at national federation level. 
 </p><p>
-Guest identity providers provide user account to users who don't/can't have an account at an institutional IdP.
-These guest IdP rely on mail address verification (based on a challenge for instance) as a provisioning method.
-This type of IdP provides a poor user profile (name, email, user identifier) and cannot release user attributes carrying privileges.
-It is not recommended to register these IdPs in eduGAIN.
+Guest or self-registration identity providers typically allow all users with a valid email address to create an account and access federated services with it. This is mainly for users who don't/can't 
+have an account at an institutional IdP.
+These guest IdP rely on mail address verification (based on a challenge 
+for instance) as a provisioning method but any other attribute is either self-provided by the user (unknown quality) or static.
+Therefore, tis type of IdP provides generally provides low quality attributes about the users (name, email, user 
+identifier) and typically cannot release user attributes carrying privileges because data is self-provided by the user.
+Guest or self-registration Identity Provider therefore are generally not recommended to be part of eduGAIN.
 </p>
 <p>
-Unlike a test IdP, eduGAIN Access Check test accounts credentials are provided to the requestor only.<br/>
-Unlike a guest IdP, duGAIN Access Check test accounts creation is a restricted feature; you need to proove you are admin of an eduGAIN production SP to use it.<br/>
-Unlike a standard IdP, duGAIN Access Check test accounts can be used to access a single SP. If you request test accounts
-as admin of SP A; these test accounts won't allow login if the client SP is not SP A.
+Unlike a test IdP, eduGAIN Access Check test accounts credentials are provided to the requestor only.<br>
+Unlike a guest or self-registration IdP, the eduGAIN Access Check test accounts creation is a 
+restricted feature; you need to proove that you are administrator of an eduGAIN 
+production SP to use it.<br>
+Unlike for a standard IdP, the eduGAIN Access Check test accounts can be used to access a single SP. If you request test accounts
+as admin of SP A; these test accounts won't allow accessing any other SP than A.
 </p>

 <h3>How is it ensured that users can only test their own service?</h3>
-<p>eduGAIN Access Check exclusively allows creating test
-accounts only to users who can receive challenge emails for email
+<p>The eduGAIN Access Check service exclusively allows creating test
+accounts for users who can receive challenge emails for contac email
 addresses listed in the eduGAIN metadata for a particular Service Provider.
-The test accounts can be used exclusively to access a single SP (for which a user proofed that he is administrator).
+The test accounts can be used exclusively to access a single SP (for which a user proofed that he is administrator for).
 Authentication requests for other SPs are rejected.
 </p>
      
-<h3>What prevents this eduGAIN Access Check being used to impersonate real eduGAIN users?</h3>
+<h3>What prevents the eduGAIN Access Check from being used to impersonate real eduGAIN users?</h3>
 <p>
-Test accounts by the eduGAIN Access Check have a hard-coded domain set to "@access-check.edugain.org" that cannot be customized.
-The eduGAIN Access Check will have the scope "access-check.edugain.org" in its published metadata. Therefore, an SP with enabled scope
-check would not accept any eduPersonPrincipalName with a different scope than this.
+The attributes that are typically needed for user identification have a hard-coded domain name ("@access-check.edugain.org") set. Therefore, they cannot be changed unless the host is hacked, which could happen of course to any Identity Provider.
+The eduGAIN Access Check also has the Shibboleth metadata scope extension set to "access-check.edugain.org" 
+in its published metadata. Therefore, an SP with enabled scope
+check would not accept for example an eduPersonPrincipalName with a different scope.
 </p>