<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/x
html1/DTD/xhtml1-transitional.dtd">
<html xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<link rel="icon" type="image/png" href="/resources/images/favicon.png" />
<!-- Foundation css -->
<link rel="stylesheet" type="text/css" href="/resources/foundation/css/normalize.css">
<link rel="stylesheet" type="text/css" href="/resources/foundation/css/foundation.css">
<link href="/resources/jquery.steps.css" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="/resources/jquery-ui-1.11.1/jquery-ui.min.css" />
<link rel="stylesheet" type="text/css" href="/resources/css/style.css" />
<script type="text/javascript" src="/resources/jquery-1.11.1.min.js"></script>
<script type="text/javascript" src="/resources/jquery-ui-1.11.1/jquery-ui.min.js"></script>
<script type="text/javascript" src="/resources/jquery.validate.1.13.0.min.js"></script>
<script type="text/javascript" src="/resources/jquery.cookie-1.4.1.min.js"></script>
<script type="text/javascript" src="/resources/jquery.steps.1.1.0.min.js"></script>
<SCRIPT TYPE="text/javascript">
<!--
// To confirm on a link (A HREF)
function request_confirm_link(my_url, my_message) {
question = confirm(my_message);
if (question !="0") {
top.location = my_url;
}
}
function showhide(div){
var oDiv = document.getElementById(div);
if(oDiv.style.display == "none"){
oDiv.style.display = "block";
}else{
oDiv.style.display = "none";
}
}
function hide(div) {
var oDiv = document.getElementById(div);
oDiv.style.display = "none";
}
jQuery(function($){
$.widget( "custom.combobox", {
_create: function() {
this.wrapper = $( "<span>" )
.addClass( "custom-combobox" )
.insertAfter( this.element );
this.element.hide();
this._createAutocomplete();
this._createShowAllButton();
},
_createAutocomplete: function() {
var selected = this.element.children( ":selected" ),
value = selected.val() ? selected.text() : "";
this.input = $( "<input>" )
.appendTo( this.wrapper )
.val( value )
.attr( "title", "" )
.addClass( "custom-combobox-input ui-widget ui-widget-content ui-state-default ui-corner-left error required" )
.autocomplete({
delay: 0,
minLength: 0,
source: $.proxy( this, "_source" )
})
.tooltip({
tooltipClass: "ui-state-highlight"
});
this._on( this.input, {
autocompleteselect: function( event, ui ) {
ui.item.option.selected = true;
this._trigger( "select", event, {
item: ui.item.option
});
},
autocompletechange: "_removeIfInvalid"
});
},
_createShowAllButton: function() {
var input = this.input,
wasOpen = false;
$( "<a>" )
.attr( "tabIndex", -1 )
.attr( "title", "Show All Items" )
.tooltip()
.appendTo( this.wrapper )
.button({
icons: {
primary: "ui-icon-triangle-1-s"
},
text: false
})
.removeClass( "ui-corner-all" )
.addClass( "custom-combobox-toggle ui-corner-right" )
.mousedown(function() {
wasOpen = input.autocomplete( "widget" ).is( ":visible" );
})
.click(function() {
input.focus();
// Close if already visible
if ( wasOpen ) {
return;
}
// Pass empty string as value to search for, displaying all results
input.autocomplete( "search", "" );
});
},
_source: function( request, response ) {
var matcher = new RegExp( $.ui.autocomplete.escapeRegex(request.term), "i" );
response( this.element.children( "option" ).map(function() {
var text = $( this ).text();
if ( this.value && ( !request.term || matcher.test(text) ) )
return {
label: text,
value: text,
option: this
};
}) );
},
_removeIfInvalid: function( event, ui ) {
// Selected an item, nothing to do
if ( ui.item ) {
return;
}
// Search for a match (case-insensitive)
var value = this.input.val(),
valueLowerCase = value.toLowerCase(),
valid = false;
this.element.children( "option" ).each(function() {
if ( $( this ).text().toLowerCase() === valueLowerCase ) {
this.selected = valid = true;
return false;
}
});
// Found a match, nothing to do
if ( valid ) {
return;
}
// Remove invalid value
this.input
.val( "" )
.attr( "title", value + " didn't match any item" )
.tooltip( "open" );
this.element.val( "" );
this._delay(function() {
this.input.tooltip( "close" ).attr( "title", "" );
}, 2500 );
this.input.autocomplete( "instance" ).term = "";
},
_destroy: function() {
this.wrapper.remove();
this.element.show();
}
});
});
//-->
</SCRIPT>
<title>Learn more about eduGAIN Access Check </title>
</head>
<body>
<div id="header">
<ul>
<li class="logo align-left"><a href="/accountmanager" title="eduGAIN Access Check home page"><img alt="eduGAIN logo" width="200" src="/resources/images/edugain_logo.png "/></a></li>
<li> </li>
<li class="logo align-right"><a href="http://www.geant.net" title="Géant home page" target="_blank"><img alt="GEANT logo" width="100" src="/resources/images/geant_logo_rgb_300dpi.jpg"/></a></li>
</ul>
<div class="title">
<span class="hide-for-small"><h1>Learn more about eduGAIN Access Check</h1></span>
</div>
</div>
<div id="wrapper">
<!--<div id="bandeau">
<div class="logo">
<img alt="GEANT logo" width="150" src="/resources/geant_logo_rgb_300dpi.jpg"/>
</div>
</div>-->
<div id="content">
<!-- notifications -->
<script type="text/javascript">
$(function() {
$('#start_testing').on('click',function() {
window.location.href='/accountmanager?action=account_wizard';
});
});
</script>
<div class="row">
<h2>What is the service for?</h2>
<p>
In their daily lives federation operators and eduGAIN experts are
frequently asked,
how access to a production federated service can be tested. A simple
login test to a federated service requires a federated account at an
organisation that is part of the federation/eduGAIN. However, on one
hand commercial service operators normally don't have and normally
don't received federated accounts in a national federation and eduGAIN.
On the other hand, even if they had a single account of their
own or if they asked a real-world user to test, this would not be
sufficient to thouroughly test federated login with multiple identities
and different sets of attributes.
</p>
<p>
Setting up an own SAML Identity Provider (IdP) and us this to test the own IdP would be ideal but is non-trivial and therefore
in most cases too much effort. Using self-registration IdPs (e.g. <a href="https://openidp.feide.no/">https://openidp.feide.no/</a>)
and configuring them bilaterally with their Service Provider (SP) might be sufficient for development but as these IdPs are not part of eduGAIN,
they don't allow federated login under real conditions from an eduGAIN IdP. Also, self-registration IdPs usually don't allow
certain attributes (e.g. affiliation) to be set.
</p><p>
The eduGAIN Access Check solves most of the above-mentioned issues because it provides SP operators an easy way to test
federated login for their eduGAIN service with test identities that have different attribute profiles.
</p>
<h2>Benefits of the eduGAIN Access Check</h2>
<p>
The eduGAIN Access Check allows SP administrators to ensure proper
functioning of their services within eduGAIN.
It is especially useful for services not hosted by an R&E
institution, because they can't use their own IdP to login
and test their production eduGAIN-enabled service. Setting up an IdP on
their own would require considerable efforts on their part.
</p><p>
The eduGAIN Access Check provides realistic user profiles (e.g.
including non-ascii characters, typical attributes) to help SP
administrators to improve and adapt their eduGAIN-enabled services to
the constraints of variable attribute release in an
international context. In particular, the eduGAIN Access Check makes the
SP operators aware that:
</p>
<ol>
<li>different eduGAIN IdPs will release varying set of attributes</li>
<li>the vocabulary and semantics of
some attributes (i.e. eduPersonAffiliation) differ from federation to
federation</li>
</ol>
<p>
SAML2 entity categories (GÉANT Data Protection Code of Conduct, REFEDS
Research & Scholarship) support for attribute
release management is a non-trivial concept within eduGAIN. The eduGAIN
Access Check releases a reasonable set of attributes
to SPs, depending on the entity categories they belong to. This should
encourage SP administrators to follow the eduGAIN guidelines
and facilitate the use of entity categories.
</p>
<h2>Frequently asked questions</h2>
<h3>I run a SAML-enabled service. How can I use the eduGAIN Access Check?</h3>
<p>
Your Service Provider first needs to be registered in eduGAIN metadata.
Therefore, you should contact your nearest federation operators (please have a look at the <a href="http://edugain.org/technical/status.php">list
of eduGAIN member federations</a>) to find out about the local process to join eduGAIN.
</p><p>
Once your SP's metadata is included into eduGAIN, <a href="/accountmanager?action=account_wizard">you can start creating test accounts</a>.
Before you obtain the test accounts, it is checked that you are a
legitimate administrator of your SP. This is achieved via an email
challenge sent to the contact address for the Service Provider.
</p><p>
To use the test accounts, initiate a login at your SP. On the Discovery Service, select "eduGAIN
Access Check" as your Identity Provider and then use the credentials of one of the created test accounts.
Once authenticated, the eduGAIN Access Check IdP will send your SP
a realistic set of user attributes. This allows you to validate that your service
behaves as expected.
</p>
<h3>How long can I use the eduGAIN Access Check test accounts?</h3>
<p>
Test accounts expire automatically after a few days. However you can ask
for new test accounts, via the same process, if you still need it.
</p>
<h3>How can I provide the eduGAIN Access Check within my federation?</h3>
<p>
The code of the eduGAIN Access Check Account manager is published as open source. It's available at:
<a href="svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager">svn+ssh://svn@svn.geant.net/GEANT/edugain_testidp_account_manager</a>. Feel free to install it to
run you own instance of the service.
</p><p>
If national federations don't want to have their own service but still
want the eduGAIN Access Check as a service in their federation to be use by all their SPs,
they can request that. The eduGAIN Access Check then would be configured to also load the metadata
of that federation in addition to eduGAIN. Vice versa, the national federation then
would have to include the metadata of the eduGAIN Access Check IdP in their
local federation's metadata.
</p>
<h3>How does this Identity Provider compare with test identity providers and guest identity providers?</h3>
<p>
Test identity providers provide test accounts, with well-known accounts credentials. If such a test IdP is registered
in eduGAIN, it allows access to any registered eduGAIN SP with these test accounts, unless the test IdP is filtered out,
either at the SP level or at national federation level.
</p><p>
Guest or self-registration identity providers typically allow all users with a valid email address to create an account and access federated services with it. This is mainly for users who don't/can't
have an account at an institutional IdP.
These guest IdP rely on mail address verification (based on a challenge
for instance) as a provisioning method but any other attribute is either self-provided by the user (unknown quality) or static.
Therefore, tis type of IdP provides generally provides low quality attributes about the users (name, email, user
identifier) and typically cannot release user attributes carrying privileges because data is self-provided by the user.
Guest or self-registration Identity Provider therefore are generally not recommended to be part of eduGAIN.
</p>
<p>
Unlike a test IdP, eduGAIN Access Check test accounts credentials are provided to the requestor only.<br>
Unlike a guest or self-registration IdP, the eduGAIN Access Check test accounts creation is a
restricted feature; you need to proove that you are administrator of an eduGAIN
production SP to use it.<br>
Unlike for a standard IdP, the eduGAIN Access Check test accounts can be used to access a single SP. If you request test accounts
as admin of SP A; these test accounts won't allow accessing any other SP than A.
</p>
<h3>How is it ensured that users can only test their own service?</h3>
<p>The eduGAIN Access Check service exclusively allows creating test
accounts for users who can receive challenge emails for contac email
addresses listed in the eduGAIN metadata for a particular Service Provider.
The test accounts can be used exclusively to access a single SP (for which a user proofed that he is administrator for).
Authentication requests for other SPs are rejected.
</p>
<h3>What prevents the eduGAIN Access Check from being used to impersonate real eduGAIN users?</h3>
<p>
The attributes that are typically needed for user identification have a hard-coded domain name ("@access-check.edugain.org") set. Therefore, they cannot be changed unless the host is hacked, which could happen of course to any Identity Provider.
The eduGAIN Access Check also has the Shibboleth metadata scope extension set to "access-check.edugain.org"
in its published metadata. Therefore, an SP with enabled scope
check would not accept for example an eduPersonPrincipalName with a different scope.
</p>
</div>
<!-- IF errors -->
<p>
<div>
<div id="footer">
<div class="row align-center">
<span>eduGAIN Access Check</span>
</div>
</div>
</div>
</div>
</div>
<script src="/resources/foundation/js/foundation.min.js"></script>
<script src="/resources/foundation/js/foundation/foundation.tooltip.js"></script>
<script>
$(document).foundation();
</script>
</div>
</body>
</html>