RENATER publishes SAML metadata files associated to its federated identities infrastructure. These metadata files gather technical informations about identity providers (IdP) and service providers (SP) registered with RENATER through the federation registry.

Metadata are mandatory for an identity federation, as SAML entities must know themselves before exchanging any message. Mutual authentication, for instance, requires each entity to know other entity signature certificate. Therefore, in order to communicate with another entity registered in the same federation, an entity must:

• be registered in this identity federation, so as to be present in metadata loaded by other entities
• load this federation metadata, so as to know other entities

Registering in a federation, through the registry, is just the first part of this mutual trust relationship, and must be completed by a configuration modification.

RENATER manages different circles of trust and publishes metadata files each of these federations:

• Education-Research federation (more information): production environment for the French education and research community;
• Qualification federation (more information) : qualification environment for the French education and research community, in conditions close to the Education-Research federation but without polluting it with irrelevant services;
• EduGAIN interfederation (more information) : production environment for the international education and research community. Metadata are published by GEANT, operator of eduGAIN;
• Local federations (more information in French): production environments for groups of French institutions. Metadata URL for these local federations are not public;
• Test federation (more information) : test environment for education and research institutions, in free access.

CRU accounts service is an additional authentication service provided by RENATER. This identity provider is not part of the production federation, but you can download its SAML metadata.

SAML metadata are build with technical informations provided by SP/IdP administrators via our federation registry. Registering an SP/IdP in a production federation and updating some technical informations require validation by federation contacts designated by your organization.

Access to the federation registry requires prior authentication. If you (don't yet) have your home identity provider registered in Fédération Éducation-Recherche, you need to create your CRU account beforehand.

Metadata files are updated automatically, based on data collected through our federation registry. This process validates the SAML metadata format, potential aggregation (eduGAIN case) and XML signing of metadata files.

Metadata updates occur at different frequencies, depending on the file version used, see the metadata versions description below.

Published SAML metadata have a validity period of 9 days. After the period your SP/IdP will probably not be able to use its local copy of the metadata file.

Metadata files get published in different versions, corresponding to a maturation process from preview to intermediate then main.

The current versions of new metadata files related to each federation are summarized in the table below :

For metadata signature validation, you MUST download the new X509 certificate from the following url :
https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem

$ /usr/bin/curl -O https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem 
$ /usr/bin/openssl x509 -sha256 -noout -fingerprint -in renater-metadata-signing-cert-2016.pem
SHA256 Fingerprint=6B:D3:5F:7A:B1:64:EC:79:03:0D:36:97:BA:40:BD:23:5D:AA:DA:C0:43:47:C6:E5:3E:B7:72:A7:74:2C:16:5F

To make your IdP/SP work with third-party SAML entities registered in a federation you need to configure your software to regularly load that federation SAML metadata file. We recommend that SP/IdPs reload metadata files every hour. This setup garanties that you will quickly benefit from any urgent metadata update by RENATER (even though the usual publication period of that file might by daily only).

Examples below describe how to load metadata for the Fédération Éducation-Recherche. You should adapt them for other federations.

For Shibboleth IdP 3.x/4.x :

metadata-providers.xml

<MetadataProvider id="RenaterMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/main-sps-renater-metadata.xml"
                      metadataURL="https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml"> 
 
  <MetadataFilter xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
  </MetadataFilter>        
</MetadataProvider>

For Shibboleth SP 3.x :

shibboleth2.xml

<MetadataProvider type="XML" url="https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml"
              backingFilePath="main-idps-renater-metadata.xml" reloadInterval="3600">
   <MetadataFilter type="Signature" certificate="renater-metadata-signing-cert-2016.pem"/>
</MetadataProvider>

Depending on the type of SAML entity you manage and the federation it belongs to, you have to load different metadata files :

If you run an IdP:

If you run a SP :

If you run a DS (WAYF) :

If don't use a SAML implementation supported by RENATER (Shibboleth and SWITCH WAYF), we recommend beforehand that you check your SAML implementation is interoperable with our SAML2 metadata format through our test federation. If you meet interoperability problems, you should report them to that implementation's developers and possibly to RENATER.

If you use Shibboleth or SWITCH WAYF, report us the problem you are facing. Shibboleth software keeps a local copy of metadata files that will be used, if you are unable to get a fresh version of the metadata files. That local version of metadata file may be used during 9 days.

The signature validation process of SAML metadata files published by RENATER uses the SHA-256 hash algorithm. This algorithm is handled by OpenSSL 0.9.8 (and later versions) and Java 4 (and later versions). If your SAML implementation is not able to validation the SAML metadata signature, you should check the version of the OpenSSL library you are using and possibly contact the support service of your SAML software. See the relevant documentation for Shibboleth: Shibboleth IdP signature interoperability issues.