Home » Identity and Access Management: CAF » CAF Support » eduGAIN Technical Instructions

eduGAIN Technical Instructions

Q: I would like to use eduGAIN to allow my users to sign into remote resources around the world or offer my service to others outside of Canada.

The eduGAIN service is available to all Federated Identity Management (FIM) participants. Participation in eduGAIN allows your Identity Provider or Service Provider to be both visible and available in identity federations around the world, simplifying access to content, services, and resources for the global research and education community.

Implementing eduGAIN only requires two steps:

  1. Request eduGAIN participation from the Canadian Access Federation (CAF)
  2. Configure trust for eduGAIN

Note: When joining FIM, Identity Providers are automatically published into eduGAIN. Service Providers are invited to opt-in to being included into eduGAIN.

1. Request eduGAIN Participation

The eduGAIN service is available to all FIM participants. Identity Providers joining FIM are automatically published into eduGAIN. Service Providers are invited to opt-in to being included into eduGAIN.

1.1. Who to Contact

  • If your institution is a FIM participant and not in eduGAIN:
    • Please send a request to participate in eduGAIN to our operations contact at tickets@canarie.ca.
      • Requests that do not originate from an authorized technical contact will be confirmed with our contact on file for that entity.
      • Please provide any additional information from step 1.2 in your request.
  • If your institution is not a FIM participant, please visit canarie.ca/identity/join to submit a request to join FIM

1.2. What to Include

If you are a new FIM participant, you can check that your information complies with eduGAIN’s publishing profile here: technical.edugain.org/doc/eduGAIN_metadata_profile.pdf
For existing FIMS participants who are not yet in eduGAIN, please review your metadata record and be sure to provide us with the following elements listed below. As a minimum requirement, this data must be in English.  and can be provided in additional languages if desired.

What to include in your eduGAIN request:

  • For your Organizational information as it relates to your record:
    • OrganizationName
    • OrganizationDisplayName
    • OrganizationURL
  • For information used in user interfaces such as how users see your record we also need to collect:
    • DisplayName
    • a brief Description

2. Configure Trust for eduGAIN

CAF distributes the eduGAIN metadata in a separate aggregate called the Production CAF interfederation aggregate. This separate aggregate complements the Production CAF metadata aggregate and is signed using the same Production CAF key used to verify any of CAF’s signed aggregates.

Links to the new CAF interfederation aggregate and signing key are:

Production CAF interfederation aggregate (30MB): caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml

Production CAF signing key used to sign aggregate: caf-shib2ops.ca/CoreServices/caf_metadata_verify.crt

Both the Identity Provider and Service Provider need to append this to their configuration in addition to the CAF Production aggregate. Without this aggregate in your configuration, you will not be fully configured and functional in eduGAIN.

2.1 For Your Identity Provider

For Shibboleth Identity Providers (IdP) 3.x and newer, ensure that the following entry is present in $idphome/conf/metadata-providers.xml to load the new interfederation aggregate and perform a validation check. In the example below, md-signer.crt is used as the CAF Production signing key reference:

<MetadataProvider id="URLMDCAFEdugain" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                 <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata" requireSignedMetadata="true" 

Identity Provider operators must increase their Java VM size to minimum 2GB of RAM otherwise they may encounter memory problems.

Please restart the IdP server for changes to take effect.

2.2 For Your Service Provider

For Shibboleth Service Providers 2.5 and newer, please add the following entry in /etc/shibboleth/shibboleth2.xml alongside the existing Production CAF aggregate. In the example below, caf_metadat_verify.crt is used as the CAF production signing key reference:

<MetadataProvider type="XML" uri="https://caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml" backingFilePath="caf_interfed_metadata.xml" reloadInterval="3600">
            <MetadataFilter type="Signature"  certificate="caf_metadata_verify.crt"/>

Please restart the Shibboleth Daemon (shibd) for changes to take effect. Note that the aggregate may take a minute or two to load as it is adding 30MB of data to be parsed and verified.

You are now done!

To see a list of all entities using eduGAIN visit technical.edugain.org/entities.