Federation

Below, the term federation is described and the difference between the Switch edu-ID and edu-ID Test federations is explained.

A federation is a collection of organizations that agree to interoperate under a certain rule set. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information. In general each organization participating in a federation operates one Identity Provider for their users and any number of Service Providers.

[Figure: Federation Structure]

Federations are not required for the use of Shibboleth but can facilitate exchange greatly.

Switch currently operates two federations: the Switch edu-ID Federation in the production infrastructure and the edu-ID Test Federation in the test infrastructure.

Switch edu-ID federation vs. edu-ID Test federation

Switch edu-ID Federation

The Switch edu-ID Participants either belong to the Switch Community or have become a Switch edu-ID Federation Partner.

Since personal data (the attributes) is processed within Switch edu-ID, a proper legal framework is required. It is provided by the Switch edu-ID Service Description, which also covers Switch edu-ID and its related documents.

Policies and the legal framework of Switch edu-ID are defined with the aid of the Switch edu-ID Advisory Board, which represents the interests of the Switch edu-ID Participants from the Switch Community.

Technical aspects of the federation are discussed in the Trust & Identity Working Group, where representatives of Switch edu-ID Participants from the Switch Community participate.

Switch edu-ID legal and technical document repository

Technical Framework

Attributes

In order to allow interoperation of the involved systems, an Attribute Specification has been defined.

Metadata

The metadata describes the Identity Providers and Resources available in Switch edu-ID. Switch provides official Switch edu-ID metadata files in XML format, digitally signed. Shibboleth uses these files to determine which systems are valid to communicate with. The metadata is generated using the Resource Registry, a tool that collects information about all Identity Providers and Resources in the federation. The Resource Registry also generates tailored Attribute Release Policy (ARP) files for each Identity Provider.

Accepted Certificates

Each host that is part of Switch edu-ID needs a certificate for SAML communication that conforms to the Switch edu-ID Certificate Acceptance Policy. If you decide to use Switch PKI, please follow the steps described in 'How to obtain a Switch PKI server certificate'.
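As an added illustration (not Switch's own tooling) of why the signed, time-limited metadata matters: the check below parses a constructed SAML metadata aggregate with Python's standard library and refuses it if validUntil has passed or the enveloped signature is missing or does not reference the whole aggregate. It checks structure only; the cryptographic verification against the federation's signing certificate is assumed to be done separately by Shibboleth's metadata signature filter (or xmlsec), and the sample entities are fictitious.

```python
"""Sanity checks on a SAML metadata aggregate before a Shibboleth IdP/SP loads it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate: two fictitious entities, not real federation metadata.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_agg1"
    Name="urn:example:test-federation" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_agg1"/></ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _parse_utc(stamp):
    """Parse the validUntil form used in the sample (xs:dateTime, whole seconds, 'Z')."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_metadata(xml_text, now_iso=None):
    """Return (ok, findings, entity_ids); ok is False if the aggregate should be refused."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    # 1. A stale aggregate may still list systems that have since been removed
    #    from the federation, so an expired or missing validUntil is refused.
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("aggregate carries no validUntil")
    elif _parse_utc(valid_until) <= now:
        findings.append(f"aggregate expired at {valid_until}")
    # 2. The enveloped signature must exist and reference the root element;
    #    otherwise an unsigned or partially signed file could introduce entities.
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if sig is None:
        findings.append("aggregate is not signed")
    elif ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        findings.append("signature does not reference the whole aggregate")
    entity_ids = [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]
    return (not findings, findings, entity_ids)
```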

Joining Switch edu-ID

The procedure to become part of Switch edu-ID is described on: How to join Switch edu-ID

The List of Switch edu-ID Participants

edu-ID Test Federation

Members

As the name implies, this federation is for test and development purposes. There are no formal requirements to participate in the edu-ID Test Federation. However, it does not provide any trust or security whatsoever.

User Data

For data protection and security reasons it is not recommended to have real users in the edu-ID Test Federation.

Technical Framework

Attributes

The same Attribute Specification is valid for the edu-ID Test Federation as for the production Switch edu-ID Federation.

Metadata

As for the Switch edu-ID Federation, Switch provides up-to-date metadata files that are generated directly using the Resource Registry.

Joining edu-ID Test Federation

Since the edu-ID Test Federation is not a production federation, there are no formal requirements to join. It is, however, intended for tests whose goal is to later join the production federation with a production IdP or SP. Basically, setting up a Shibboleth Identity Provider or Service Provider for the edu-ID Test Federation (see the Technical Information page) and registering it with the Resource Registry is all that is needed.