The federation registry is an online service, allowing federation managers from the Research & Education community to manage their SAML entities (identity and service providers), and to register them in one or several federations managed by RENATER. It also allows an unauthenticated access to public information about those entities.

The technical information collected through the registry are then published in the metadata of the registered federations.

The registry allows the registration into different types of federation, listed below:

• Test federation, freely accessible,
• Production federations : Fédération Éducation-Recherche, eduGAIN and local federation. Registrating in a production federation requires to subscribe to Identity Federation service with RENATER.
• Qualification federation, with the same access requirements as the production federations.

Registration process of a SAML entity into one federation is described later in this documetation.

The federation registry provides a test federation (more information), with free access, to quickly test the configuration and proper functioning of its identity provider (IDP) or service provider (SP).

Organizations which want to declare one or more SAML entities in a production federation (Éducation-Recherche, eduGAIN or local federation) must complete beforehand an administrative registration procedure with RENATER.

The registry allows to register a SAML entity in the Fédération Éducation-Recherche (more information).
The Fédération Éducation-Recherche is a service operated by RENATER, it is the production environment for the French education and research community.

The registry allows to register a SAML entity in the eduGAIN inter-federation (more information).
The eduGAIN inter-federation is the interconnection service for national federations. The data published are from GEANT, the operator of eduGAIN.

The registry allows, upon request, to benefit from a local federation (more information in French only).
This service allows organizations or groups of French organizations to define their local federation within the registry operated by RENATER.

The registry allows a SAML entity to be registered in the qualification federation (more info).
The qualification federation has the same access requirements as the production federations (cf. §2.2.1).
This is the qualification environment for the French education and research community, whose conditions are close to the Fédération Éducation-Recherche, without polluting it with irrelevant services.

The service is available at the following address: https://registry.federation.renater.fr.

It allows the user to:

• Access public information - without being authenticated
• Manage SAML entities, once authenticated

Some public information on the registry can be accessed without being authenticated. They are accessible through the upper menu of the welcome page (purple rectangle):

The following is also available:

• Federations : description of the public federations available on the registry (federation presentation web page, list of registered IdPs/SPs, associated metadata files) ;
• Attributes : description of attributes available in a federation context ;
• Service categories : description of available Service Provider categories (types and audience).

Managing SAML entities requires authentication (click on the connection button in the top banner).

Registry authentication process is based on federated identity management.
The user is enabled to authenticate through the IdP of its home organization - given that it has a live IdP. If the organization doesn't have an IdP, one can use a CRU account. In such a case, one will first have to create a CRU account through CRU account management service, before selecting “CRU accounts” in the organization selection screen:

User rights on the registry are computed based on his/her belonging to one of the two user roles described hereafter.

The SAML entity manager - also known as the “entity contact” - is the person accountable for managing the entity on the registry besides of the organization. Entity managers are provided during entity creation.

The Federation manager for the organization is:

• For members organizations: the organization federation contacts declared in PASS, during Identity Federation service subscription;
• For partners organizations: the organization federation contacts provided in the Federation Partner charter (document to be provided filled and signed to subscribe to the Identity Federation service).

(*) Some of the actions issued by an entity manager are subject to moderation by the federation manager for the organization, more specifically:

• Attachment to an organization request;
• Registration into a production federation request.

Here is a scheme of an organization with five attached SAML entities:

• Alice et Bob are the federation managers for organization, they have read/write rights over all five entities
• Alice et Bob are also managers for some SAML entities, but this doesn't give them any further rights
• Charles, Daniel and Ema are managers for one or more SAML entities, they only have read/write rights over those entities

From the registry main page, an authenticated user can:

• Create a new identity provider and/or service provider;
• Visualize all the SAML entities for which he's authorized;
  • If he's one of the organization managers: all the SAML entities attached to his organization:
  • If he's manager of SAML entities: all the SAML entities for which he's set as manager.
• Access to the main operations of a SAML entity: update entity information, attach a SAML entity to an organization, register in one or several federations, moderate request, delete entity, etc;
• Access to his/her user profile info ;
• Access to federations description, attributes and service categories.

The screenshot below provides an overview of the available features:

An authenticated user on the registry can access his/her user profile information via the top banner button already used for login, by clicking on “My Profile “ as shown below:

The user profile page displayed is structured in 2 distinct blocks. The 1st block presents the user's personal information, in particular :

• His/her identity information - name + identifier (EPPN) + email address - provided by his/her identity provider ;
• His/her user role(s) on the registry (SAML entity manager, federation manager for the organization) ;
• His/her home organization - as deduced from his/her identity provider - and corresponding federation managers ;
• Information about the identity provider used for the connection (IDP SAML identifier and authentication method used).

The 2nd block presents the elements managed by the authenticated user on the registry. An example below for a SAML entity manager:

• A user from a member organization logs into the registry using his organization IdP or a CRU account (see § 3.2 above);
• A user from a partner organization logs into the registry using a CRU account (see § 3.2 above);
• Once authenticated, from the Registry main page, he clicks on Create a new service provider or Create a new identity provider, following the type of SAML entity he wants to create.

• He then accesses to the entity creation form, composed of several tabs:
  • For an Identity Provider:

• For Service Provider :

• He fills at least the mandatory information for the entity in all the tabs. Plese find hereafter a quick description of each tab:

• Once all mandatory information provided, the user can submit the form (“submission” tab).
• In the case where the SAML entity has been attached in the former step (case #3), an attachment request is sent by email to the organization managers. The SAML entity will appear with a “pending validation” status, until the request is approved, as illustrated below:

• One of the organization managers validates the attachment request (see § 9.2)
• The entity managers then receive an email notification, stating the attachment has been approved:

• One of the entity managers can now request registration of the entity in a production federation (see § 8):
  • Either by clicking on the entity edition page link, provided in the notification email;
  • Or from the registry main page, by clicking on the entity edit button.

• An entity manager logs into the registry and lands on the main page.
• For a given SAML entity, he first check that it is not in the “pending validation” status (egg-timer not displayed) and that it is effectively attached to an organization. He then clicks on the “edit” button to reach the entity edit page:

• From the “Federations” tab, production federations (thus requiring a valid attachment) are now visible (in the example below, “Fédération Éducation-Recherche” and eduGAIN)

• If the SAML entity satisfies every condition of the forseen production federation, the entity manager can then request its registration, by switching the button, and next confirming his choice:

• On the other hand, registration will not be possible if one of the conditions is not met. In that case, “registration impossible” is displayed with details on missing prerequisites (when flying over the question mark icon), next to the related federation, as illustrated below:

• Once the registration request made, the entity manager submits the form. An email notification is then sent to the organization managers, so they can approve the registration request in the subscribed federation. As long as the request is not approved, the SAML entity appears with a “pending validation” status in the SAML entities list, as illustrated below:

• One of the organization managers approves the registration request (see § 9.3)
• Next, the entity managers receive an email notification, stating that the request has been approved:

An organization manager can reach a SAML entity moderation page in 2 ways:

1. Direct access, by clicking on the link provided in the received notification email (example below):
2. Access from Registry main page, by clicking on the moderation button:

• One of the organization managers access to the SAML entity moderation page (see § 9.1)
• He approves or refuses the attachment to the organization, by switching or not the button, provides additional comments in the dedicated field and then submits the form, as shown below:

• At form submission time, an email notification is sent to the entity managers to let them know about the approval/reject of the attachment request

Same worflow than organization attachment approval (see § 9.2).

Production federation registration request approval page:

Usage of the Registry requires that users provide some contact information.
The following table sums up the requested contact information and the associated usage.

The Registry FAQ is available on this page (french only).