Cliquez ici pour la version française
All users connect to the federation registry web interface through HTTPS and authenticate first through their local IdP or at the default CRU accounts IdP. Data provided by an IdP or SP administrator, once validated, are stored in the federation registry database and allows to generate both the federation metadata and the inter-federation metadata.
An IdP/SP needs to be attached to a trusted organization which has achieved administrative registration. Administrative registration requires that a representative from that organization has signed the federation partner or member charter. Each trusted organization designates two federation contacts; these act as proxy for the organization. Member organization belong to the French education & research community; it can later registrer an Identity Provider and Service Providers with the Fédération Éducation-Recherche. Partner organization is any organization that wishes to operate a Service Provider within the Fédération Éducation-Recherche.
RENATER provides a test federation that allows the SP/IdP administrators to perform tests before entering the production federation. Joining an inter-federation requires that the IdP/SP administrators requests it via the federation registry web interface; a confirmation is needed.
The federation metadata are updated automatically, based on a metadata template and SP/IdP descriptions from the federation registry backend.
The federation metadata files are updated every 30 minutes and get published as a preview version. RENATER also provides intermediate and main versions of production metadata files. The metadata versions management is described in a dedicated document.
The federation metadata files have a validity period of 9 days.
Before a federation metadata files gets published and signed, it goes through a serie of technical validation tests to prevent incorrect metadata files to be published.
An Identity Provider registration request can be submitted by any user authenticated through one of the federation IdP or a CRU account. The user must select the member organization, the idP relates to. The registration request then requires approval by one of the organization's federation contact.
Criterias to validate an Identity Provider includes:
Once the IdP has been validated, its administrators get notified.
The IdP administrator can later update informations about the IdP, through the federation registry web interface. The update request also needs to be manually approved by federation operators if significant informations have been updated (entityID, attributes scope).
A Service Provider registration request can be submitted by any user authenticated through one of the federation IdP or a CRU account. The user must select the organization (member or partner) the SP relates to. The registration request then requires approval by one of the organization's federation contact.
Criteria to validate a Service Provider includes:
entityID formatOnce the SP has been validated, its administrators get notified.
The SP administrators can later update informations about the SP, through the federation registry web interface. The update request also needs to be manually approved by federation operators if significant informations have been updated (entityID, requested user attributes).