How to become an Identity Provider


To participate as identity provider in SIR you must fulfill the following steps:

  1. Install a connector to your local identity management system able to provide a PAPI v.1 interface.
    There are several appropriate solutions, created by the PAPI development team and the SIR user institutions. Currently there are connectors available for:
    • AuthServer PAPI
    • adAS
    • Shibboleth
    • Sun AccessManager
    • A-Select
    • CAS
    • OSSO
    • Apache mod_ldap
    • Active Directory
    • Proxy WAM
    In general, any access control method suitable to be used from a Web browser can be easily adapted to a connector. Please contact us to analyze your case.
    In the rest of this document, we will refer to this connector as the Identity Provider (IdP).
     
  2. Configure the connector, generating an RSA key pair and defining a unique identifier for the IdP (a string that we recommend be associated with the organizational domain). Send the public key (in PEM format), the identifier and the URL of the IdP to the SIR Team.
    The keypair can be generated by means of the following OpenSSL commands:
    $ openssl genrsa 2048 > privateKey.pem
    $ openssl rsa -pubout < privateKey.pem > publicKey.pem
  3. Deploy the IdP with the data generated in step 2 and verify the correct attribute exchange with the SIR test facilities. SIR provides the SIRdemo service provider, which displays the received attributes on a Web page available at:
    http://www.rediris.es/app/sirdemo/
  4. RedIRIS recommends the exchange of the following attributes, listed below using the compact name that must be used in the PAPI v.1 assertions sent through SIR. When an attribute has more than one value, the values are joined with the pipe character '|', as in:
    ePE=urn:mace:dir:entitlement:common-lib-terms|urn:mace:rediris.es:entitlement:scs:req
    Let's consider the user Antonio David Pérez Morales, working for RedIRIS and with access rights to digital content providers in the "common library terms" accepted by most commercial providers. The PAPI v.1 assertion that the RedIRIS IdP should send would contain the following values:
    ePTI=adf941cd6cf7295e6497fb5bd2d0c295,ePA=staff,sHO=rediris.es,ePE=urn:mace:dir:entitlement:common-lib-terms,uid=tico,sPUC=urn:mace:terena.org:schac:personalUniqueCode:es:rediris:sir:mbid:{md5}d2f8ff92a3c50a966e007ee56dfd569b
    It is worth noting that, since eduPersonTargetedID is an opaque attribute intended to preserve the user's privacy, for this example the MD5 hash of the string "Antonio David Pérez Morales" has been used.
    Participating institutions are free to further restrict these attributes according to their user privacy requirements, although this may imply that certain service providers cannot be accessed.
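The compact attribute format used above (name=value pairs separated by commas, multiple values of one attribute separated by '|') is easy to get subtly wrong when an IdP connector builds it by hand. The following Python is an added example, not code from SIR or the PAPI project: it serializes an attribute dictionary into that form, rejects values that would break the encoding, and parses an assertion back so the result can be checked against what SIRdemo displays. The ePTI helper reproduces the page's example (MD5 of the display name) and is labelled as such; the attribute names and sample values are the ones shown on this page.

```python
import hashlib
from typing import Dict, List, Mapping, Sequence

# Separators of the compact PAPI v.1 attribute form described on the page:
# attribute pairs are joined with ',' and the values of a multi-valued
# attribute with '|'.
PAIR_SEP = ","
VALUE_SEP = "|"
RESERVED = (PAIR_SEP, VALUE_SEP, "=")


def targeted_id(display_name: str) -> str:
    """Opaque eduPersonTargetedID built the way the page's example does it:
    the hex MD5 of the display name. This only mirrors the example; any
    stable, non-reversible per-user value would serve the same purpose."""
    return hashlib.md5(display_name.encode("utf-8")).hexdigest()


def build_assertion(attrs: Mapping[str, Sequence[str]]) -> str:
    """Serialize attributes as name=value[|value][,name=value...].

    Refuses empty attributes and values containing a separator, because such
    a value would be re-interpreted as extra attributes or values by the
    receiving service provider."""
    parts = []
    for name, values in attrs.items():
        if not name or any(c in name for c in RESERVED):
            raise ValueError(f"invalid attribute name {name!r}")
        if not values:
            raise ValueError(f"attribute {name} has no values")
        for value in values:
            if any(c in value for c in RESERVED):
                raise ValueError(f"value {value!r} of {name} contains a reserved character")
        parts.append(f"{name}={VALUE_SEP.join(values)}")
    return PAIR_SEP.join(parts)


def parse_assertion(text: str) -> Dict[str, List[str]]:
    """Inverse of build_assertion. Each attribute maps to its list of values;
    a duplicated attribute name is treated as an error rather than silently
    keeping the last occurrence."""
    attrs: Dict[str, List[str]] = {}
    for pair in text.split(PAIR_SEP):
        name, sep, value = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute pair {pair!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name}")
        attrs[name] = value.split(VALUE_SEP)
    return attrs


# Constructed sample: the example user from this page. The sPUC value is the
# one shown on the page (the {md5} part is not recomputed here).
EXAMPLE_ATTRS = {
    "ePTI": [targeted_id("Antonio David Pérez Morales")],
    "ePA": ["staff"],
    "sHO": ["rediris.es"],
    "ePE": ["urn:mace:dir:entitlement:common-lib-terms"],
    "uid": ["tico"],
    "sPUC": ["urn:mace:terena.org:schac:personalUniqueCode:es:rediris:sir:mbid:"
             "{md5}d2f8ff92a3c50a966e007ee56dfd569b"],
}

# Constructed sample with a multi-valued entitlement, as in the page's ePE line.
MULTI_VALUED_EPE = {
    "ePE": ["urn:mace:dir:entitlement:common-lib-terms",
            "urn:mace:rediris.es:entitlement:scs:req"],
}

if __name__ == "__main__":
    assertion = build_assertion(EXAMPLE_ATTRS)
    print(assertion)
    # Round-trip: what a service provider such as SIRdemo would reconstruct.
    print(parse_assertion(assertion))
    print(build_assertion(MULTI_VALUED_EPE))
```

Running the script prints the single-line assertion for the example user followed by its parsed form; comparing that parsed form with the attributes shown by SIRdemo is a quick way to confirm the connector is emitting exactly the expected names and separators.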
     
  5. Once the tests have been passed, the person responsible for the IdP must forward to RedIRIS an adequately completed Conditions of Use for IdPs document. This document must be sent by fax to the number 95 505 66 27, to the attention of SIRservice.
    Remember that before sending the document, it must be validated by the institution's PER. Both the applicant and the PER must sign all the pages of the document.
    The document requires the inclusion of the SHA1 hash for the IdP public key. You can obtain this hash by means of the following OpenSSL command:
    $ openssl sha1 publicKey.pem
    Once the document is approved, the SIR Team will contact the applicant to get and verify the IdP public key in PEM format.
     
  6. The SIR Team will install the new IdP in the federation schema and notify its availability through the SIR user interface.