Cliquez ici pour la version française

SAML metadata published by RENATER

RENATER publishes SAML metadata files associated to its federated identities infrastructure. These metadata files gather technical informations about identity providers (IdP) and service providers (SP) registered with RENATER through the federation registry.

Metadata are mandatory for an identity federation, as SAML entities must know themselves before exchanging any message. Mutual authentication, for instance, requires each entity to know other entity signature certificate. Therefore, in order to communicate with another entity registered in the same federation, an entity must:

  • be registered in this identity federation, so as to be present in metadata loaded by other entities
  • load this federation metadata, so as to know other entities

Registering in a federation, through the registry, is just the first part of this mutual trust relationship, and must be completed by a configuration modification.

1. Federations and metadata

RENATER manages different circles of trust and publishes metadata files each of these federations:

  • Education-Research federation (more information): production environment for the French education and research community;
  • Qualification federation (more information) : qualification environment for the French education and research community, in conditions close to the Education-Research federation but without polluting it with irrelevant services;
  • EduGAIN interfederation (more information) : production environment for the international education and research community. Metadata are published by GEANT, operator of eduGAIN;
  • Local federations (more information in French): production environments for groups of French institutions. Metadata URL for these local federations are not public;
  • Test federation (more information) : test environment for education and research institutions, in free access.

CRU accounts service is an additional authentication service provided by RENATER. This identity provider is not part of the production federation, but you can download its SAML metadata.

2. Registration in a federation

SAML metadata are build with technical informations provided by SP/IdP administrators via our federation registry. Registering an SP/IdP in a production federation and updating some technical informations require validation by federation contacts designated by your organization.

Access to the federation registry requires prior authentication. If you (don't yet) have your home identity provider registered in Fédération Éducation-Recherche, you need to create your CRU account beforehand.

3. Metadata publication

Metadata files are updated automatically, based on data collected through our federation registry. This process validates the SAML metadata format, potential aggregation (eduGAIN case) and XML signing of metadata files.

Metadata updates occur at different frequencies, depending on the file version used, see the metadata versions description below.

Published SAML metadata have a validity period of 9 days. After the period your SP/IdP will probably not be able to use its local copy of the metadata file.

3.1 Files versions

Metadata files get published in different versions, corresponding to a maturation process from preview to intermediate then main.

This metadata maturation process applies to all production federations (Fédération Éducation-Recherche, eduGain and local federations. However it does not apply to Test federation for which only the preview version is published

The current versions of new metadata files related to each federation are summarized in the table below :

Federation Metadata URL Propagation delay after an update on the Federation Registry
Fédération Éducation-Recherche Main:
main-sps-renater-metadata.xml
main-idps-renater-metadata.xml
main-all-renater-metadata.xml
At most 12 hours later
Qualification federation Main:
main-sps-qualif-metadata.xml
main-idps-qualif-metadata.xml
main-all-qualif-metadata.xml
At most 12 hours later
EduGAIN federation Main:
main-sps-edugain-metadata.xml
main-idps-edugain-metadata.xml
main-all-edugain-metadata.xml
At most 12 hours later
Local federation Main:
URL not public
At most 12 hours later
Test federation Preview:
preview-sps-renater-test-metadata.xml
preview-idps-renater-test-metadata.xml
preview-all-renater-test-metadata.xml
At most 30 minutes later


For production federations, RENATER publishes other versions of metadata files, updated more frequently (see table below)
Federation Metadata URL Propagation delay after an update on the Federation Registry
Fédération Éducation-Recherche Preview:
preview-sps-renater-metadata.xml
preview-idps-renater-metadata.xml
preview-all-renater-metadata.xml
Intermediate:
intermediate-sps-renater-metadata.xml
intermediate-idps-renater-metadata.xml
intermediate-all-renater-metadata.xml
Preview:
At most 30 minutes later

Intermediate:
- At most 6 hours later
Qualification federation Preview:
preview-sps-qualif-metadata.xml
preview-idps-qualif-metadata.xml
preview-all-qualif-metadata.xml
Intermediate:
intermediate-sps-qualif-metadata.xml
intermediate-idps-qualif-metadata.xml
intermediate-all-qualif-metadata.xml
Preview:
At most 30 minutes later

Intermediate:
- At most 6 hours later
EduGAIN federation Preview:
preview-sps-edugain-metadata.xml
preview-idps-edugain-metadata.xml
preview-all-edugain-metadata.xml
Intermediate:
intermediate-sps-edugain-metadata.xml
intermediate-idps-edugain-metadata.xml
intermediate-all-edugain-metadata.xml
Preview:
At most 30 minutes later

Intermediate:
- At most 6 hours later
Local federation Preview:
Intermediate:
URL not public
Preview:
At most 30 minutes later

Intermediate:
- At most 6 hours later


The different versions of metadata files are described more in details on this dedicated page

3.2 Files signature

For metadata signature validation, you MUST download the new X509 certificate from the following url :
https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem

$ /usr/bin/curl -O https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem 
$ /usr/bin/openssl x509 -sha256 -noout -fingerprint -in renater-metadata-signing-cert-2016.pem
SHA256 Fingerprint=6B:D3:5F:7A:B1:64:EC:79:03:0D:36:97:BA:40:BD:23:5D:AA:DA:C0:43:47:C6:E5:3E:B7:72:A7:74:2C:16:5F


4. Loading SAML metadata

To make your IdP/SP work with third-party SAML entities registered in a federation you need to configure your software to regularly load that federation SAML metadata file. We recommend that SP/IdPs reload metadata files every hour. This setup garanties that you will quickly benefit from any urgent metadata update by RENATER (even though the usual publication period of that file might by daily only).

Firewall/proxy setup: note that IP address of the pub.federation.renater.fr/metadata server may change, without notice from RENATER. We therefore recommend that you define ACLs based on the server hostname, not based on its IP address.

4.1 Examples of setup for Shibboleth software

Examples below describe how to load metadata for the Fédération Éducation-Recherche. You should adapt them for other federations.

For Shibboleth IdP 3.x/4.x :

metadata-providers.xml
<MetadataProvider id="RenaterMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/main-sps-renater-metadata.xml"
                      metadataURL="https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml"> 
 
  <MetadataFilter xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
  </MetadataFilter>        
</MetadataProvider>

For Shibboleth SP 3.x :

shibboleth2.xml
<MetadataProvider type="XML" url="https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml"
              backingFilePath="main-idps-renater-metadata.xml" reloadInterval="3600">
   <MetadataFilter type="Signature" certificate="renater-metadata-signing-cert-2016.pem"/>
</MetadataProvider>

4.2 Which metadata file(s) should I load?

Depending on the type of SAML entity you manage and the federation it belongs to, you have to load different metadata files :

If you run an IdP:

registered in use this file
Test federation preview-sps-renater-test-metadata.xml
Qualification federation main-sps-qualif-metadata.xml
Fédération Éducation-Recherche main-sps-renater-metadata.xml
eduGAIN federation main-sps-renater-metadata.xml AND main-sps-edugain-metadata.xml

If you run a SP :

registered in use this file
Test federation preview-idps-renater-test-metadata.xml
Qualification federation main-idps-qualif-metadata.xml
Fédération Éducation-Recherche main-idps-renater-metadata.xml
eduGAIN federation main-idps-renater-metadata.xml AND main-idps-edugain-metadata.xml


If you run a DS (WAYF) :

registered in use this file
Test federation preview-all-renater-test-metadata.xml
Qualification federation main-all-qualif-metadata.xml
Fédération Éducation-Recherche main-all-renater-metadata.xml
eduGAIN federation main-all-edugain+renater+sac-metadata.xml


4.3 My SP/IdP can't load SAML metadata

If don't use a SAML implementation supported by RENATER (Shibboleth and SWITCH WAYF), we recommend beforehand that you check your SAML implementation is interoperable with our SAML2 metadata format through our test federation. If you meet interoperability problems, you should report them to that implementation's developers and possibly to RENATER.

If you use Shibboleth or SWITCH WAYF, report us the problem you are facing. Shibboleth software keeps a local copy of metadata files that will be used, if you are unable to get a fresh version of the metadata files. That local version of metadata file may be used during 9 days.

The signature validation process of SAML metadata files published by RENATER uses the SHA-256 hash algorithm. This algorithm is handled by OpenSSL 0.9.8 (and later versions) and Java 4 (and later versions). If your SAML implementation is not able to validation the SAML metadata signature, you should check the version of the OpenSSL library you are using and possibly contact the support service of your SAML software. See the relevant documentation for Shibboleth: Shibboleth IdP signature interoperability issues.