
Federation Registry V3.2

1. Service description

The federation registry is an online service allowing federation managers from the Research & Education community to manage their SAML entities (identity and service providers) and to register them in one or several federations managed by RENATER. It also provides unauthenticated access to public information about those entities.

The technical information collected through the registry is then published in the metadata of the registered federations.

2. Federations available through the registry

The registry allows registration into the following types of federation:

  • Test federation, freely accessible;
  • Production federations: Éducation-Recherche, eduGAIN and local federation. Registering in a production federation requires subscribing to the Identity Federation service with RENATER.

The registration process of a SAML entity into a federation is described later in this documentation.

2.1 Test federation

The registry provides a freely available test federation, to quickly test the configuration and check the functioning of your IDP or SP.
Any authenticated user (see §3.2 below) can register an IDP or an SP in the test federation; no prior administrative procedure with RENATER is required in this case.

2.2 Production federations

2.2.1 Prerequisites

Organizations which want to declare one or more SAML entities in a production federation (Éducation-Recherche, eduGAIN or local federation) must complete beforehand an administrative registration procedure with RENATER.

The type of SAML entity that can be declared on the registry may vary according to the status of your organization (member or partner organization):
  • If you are registered as a member organization (belonging to the R&E community), you can declare any identity or service provider;
  • If you are registered as a partner organization, you can only declare service providers.

2.2.2 Fédération Éducation-Recherche

The registry allows registering a SAML entity in the Fédération Éducation-Recherche.
The Fédération Éducation-Recherche is a service operated by RENATER. It offers a trust and technical framework between a set of identity providers (IDP) and service providers (SP), enabling its participants to secure and simplify access to web resources.

2.2.3 eduGAIN inter-federation

Registering an entity in eduGAIN requires that it also be registered in the Éducation-Recherche federation.

The registry allows registering a SAML entity in the eduGAIN federation.
eduGAIN is a service interconnecting the R&E federations at the international level; it is operated by GEANT.

2.2.4 Local federation

The registry offers the possibility to manage a local federation (French only) for your organization, hosted by RENATER.
It allows an organization to register SAML entities in its own federation with the same level of trust as the Éducation-Recherche federation, and to publish the metadata file related to this local federation.

3. Access to the Registry

The service is available at the following address: https://registry.federation.renater.fr.

It allows the user to:

  • Access public information, without being authenticated;
  • Manage SAML entities, once authenticated.

3.1 Access to public information (guest access)

Some public information on the registry can be accessed without being authenticated. It is reachable through the upper menu of the welcome page (purple rectangle in the screenshot):

The following is available:

  • Federations: description of the public federations available on the registry (federation presentation web page, list of registered IdPs/SPs, associated metadata files);
  • Attributes: description of attributes available in a federation context;
  • Service categories: description of available Service Provider categories (types and audience).

3.2 Managing SAML entities (authentication required)

Managing SAML entities requires authentication (click on the connection button in the top banner).

Registry authentication is based on federated identity management.
Users authenticate through the IdP of their home organization, provided it operates a live IdP. If the organization has no IdP, a CRU account can be used. In that case, the user must first create a CRU account through the CRU account management service, then select “CRU accounts” in the organization selection screen:

4. User rights

User rights on the registry are derived from the user's membership in one of the two roles described hereafter.

4.1 User roles

4.1.1 SAML entity manager

The SAML entity manager, also known as the “entity contact”, is the person accountable for managing the entity on the registry on behalf of the organization. Entity managers are declared during entity creation.

At least one entity manager (email address) is mandatory when creating an entity on the registry.
Please note that the registry fills in the first manager by default with the information of the user currently creating the entity (this information is provided by the user's IdP).

4.1.2 Federation manager for the organization

The federation manager for the organization is:

  • For member organizations: the organization federation contacts declared in PASS, during the Identity Federation service subscription;
  • For partner organizations: the organization federation contacts provided in the Federation Partner charter (document to be filled in, signed and provided to subscribe to the Identity Federation service).
Whatever its type (member or partner), an organization must provide 2 federation managers during the Identity Federation service subscription.

4.2 Roles & access rights

Operation available through the registry | SAML entity manager | Federation manager for the organization
Create / edit / remove a SAML entity | X | X
View, in the registry's SAML entities list, a SAML entity for which he/she is declared as manager | X | X
Attach a SAML entity to an organization | X | X
Register a SAML entity into one or several federations available on the registry | X | X
View, in the registry's SAML entities list, all the SAML entities attached to an organization | | X
Approve/reject entity managers' requests (*) | | X

(*) Some of the actions issued by an entity manager are subject to moderation by the federation manager for the organization, more specifically:

  • Attachment to an organization request;
  • Registration into a production federation request.

4.3 Summary schema

Here is a diagram of an organization with five attached SAML entities:

  • Alice and Bob are the federation managers for the organization; they have read/write rights over all five entities;
  • Alice and Bob are also managers of some SAML entities, but this doesn't give them any further rights;
  • Charles, Daniel and Ema are managers of one or more SAML entities; they only have read/write rights over those entities.

5. Registry main page

From the registry main page, an authenticated user can:

  • Create a new identity provider and/or service provider;
  • View all the SAML entities for which he/she is authorized:
    • If he/she is one of the organization managers: all the SAML entities attached to his/her organization;
    • If he/she is a manager of SAML entities: all the SAML entities for which he/she is set as manager.
  • Access the main operations on a SAML entity: update entity information, attach the entity to an organization, register it in one or several federations, moderate requests, delete the entity, etc.;
  • Access his/her user profile info;
  • Access the federations description, attributes and service categories.

The screenshot below provides an overview of the available features:

6. Access to user profile info

An authenticated user can access his/her user profile information via the top banner button already used for login, by clicking on “My Profile” as shown below:

The user profile page is structured in 2 distinct blocks. The first block presents the user's personal information, in particular:

  • His/her identity information (name, identifier (EPPN) and email address), provided by his/her identity provider;
  • His/her user role(s) on the registry (SAML entity manager, federation manager for the organization);
  • His/her home organization, as deduced from his/her identity provider, and the corresponding federation managers;
  • Information about the identity provider used for the connection (IDP SAML identifier and authentication method used).

The second block presents the elements managed by the authenticated user on the registry. Below is an example for a SAML entity manager:

7. Declare a new SAML entity

  • A user from a member organization logs into the registry using his/her organization IdP or a CRU account (see § 3.2 above);
  • A user from a partner organization logs into the registry using a CRU account (see § 3.2 above);
  • Once authenticated, from the registry main page, he/she clicks on Create a new service provider or Create a new identity provider, depending on the type of SAML entity to create.

  • He/she then accesses the entity creation form, composed of several tabs:
    • For an Identity Provider:

    • For a Service Provider:

  • He/she fills in at least the mandatory information for the entity in all the tabs. Please find hereafter a quick description of each tab:

Tab | Is related to | Description
Presentation | IDP & SP | General information about the SAML entity: name, description, logo, etc.
Federations | IDP & SP | Attachment request to an organization; registration request into a federation
Contacts | IDP & SP | Declaration of entity managers; declaration of the unique point of contact for technical issues
Requested Attributes | SP only | Declaration of attributes requested by the service provider
Technical information | IDP & SP | Entity technical information: entityID, SAML endpoints, certificates, etc.
Compliance | IDP & SP | Entity compliance declaration: SIRTFI, eduGAIN Code of Conduct, Research and Scholarship, European Student Identifier (ESI)
Submission | IDP & SP | Form submission; entity history visualization

Special notice for the “Federations” tab:

During the creation of a SAML entity, the user can either:

  1. enter no value at all, and address later (once the entity is created) the registration in one of the available federations;
  2. register the SAML entity directly in the Test federation; in that case, no attachment to an organization is required;
  3. request attachment to an organization (by selecting it in the list), in order to request registration in a production federation once the attachment request is approved (see § 8).
  • Once all mandatory information has been provided, the user can submit the form (“Submission” tab).
  • If an attachment to an organization was requested in the previous step (case 3), an attachment request is sent by email to the organization managers. The SAML entity appears with a “pending validation” status until the request is approved, as illustrated below:

  • One of the organization managers validates the attachment request (see § 9.2).
  • The entity managers then receive an email notification stating that the attachment has been approved:

  • One of the entity managers can now request registration of the entity in a production federation (see § 8):
    • Either by clicking on the entity edit page link provided in the notification email;
    • Or from the registry main page, by clicking on the entity edit button.

8. Register a SAML entity in a production federation

Registering a SAML entity in a production federation requires that it be attached to an organization (see § 7).
  • An entity manager logs into the registry and lands on the main page.
  • For a given SAML entity, he/she first checks that it is not in the “pending validation” status (no egg-timer displayed) and that it is effectively attached to an organization. He/she then clicks on the “edit” button to reach the entity edit page:

  • In the “Federations” tab, the production federations (which require a valid attachment) are now visible (in the example below, “Fédération Éducation-Recherche” and eduGAIN):

  • If the SAML entity satisfies every condition of the intended production federation, the entity manager can request its registration by switching the button and then confirming the choice:

  • Otherwise, registration is not possible when one of the conditions is not met. In that case, “registration impossible” is displayed next to the related federation, with details on the missing prerequisites shown when hovering over the question mark icon, as illustrated below:

When registration in a production federation is not possible because prerequisites are not met, the entity manager must first make the indicated fixes and submit them, in order to unlock the related federation.
  • Once the registration request is made, the entity manager submits the form. An email notification is then sent to the organization managers so that they can approve the registration request in the subscribed federation. As long as the request is not approved, the SAML entity appears with a “pending validation” status in the SAML entities list, as illustrated below:

  • One of the organization managers approves the registration request (see § 9.3).
  • The entity managers then receive an email notification stating that the request has been approved:

9. Moderation operations

Moderation operations described hereafter are restricted to organization managers.

9.1 Accessing SAML entity moderation page

An organization manager can reach a SAML entity moderation page in 2 ways:

  1. Direct access, by clicking on the link provided in the received notification email (example below):
  2. Access from Registry main page, by clicking on the moderation button:

9.2 Organization attachment approval

  • One of the organization managers accesses the SAML entity moderation page (see § 9.1).
  • He/she approves or refuses the attachment to the organization by switching the button (or leaving it unset), provides additional comments in the dedicated field, and then submits the form, as shown below:

  • At form submission time, an email notification is sent to the entity managers to inform them of the approval or rejection of the attachment request.

9.3 Registration in a production federation approval

Same workflow as the organization attachment approval (see § 9.2).

Production federation registration request approval page:

10. Contact information usage policy

Usage of the Registry requires that users provide some contact information.
The following table sums up the requested contact information and the associated usage.

Contact information | Provided by the user in | Usage
Email address of entity managers | Registry > IdP & SP forms > Contacts tab | - Identification and access control inside the Registry; - Federation operator (RENATER) contact needs towards entity managers
Email address of the entity technical contact | Registry > IdP & SP forms > Contacts tab | - Publication inside federation metadata (point of contact for any technical issue related to the entity)
Email address of the entity SIRTFI contact | Registry > IdP & SP forms > Compliance tab | - Publication inside federation metadata (point of contact in case of a security incident related to the entity)
Email address of organization managers | PASS (members) or Federation Partner Charter (partners) | - Identification and access control inside the Registry; - Federation operator (RENATER) contact needs towards organization managers

11. FAQ

The Registry FAQ is available on this page (French only).