
Federation Registry

1. Service overview

The federation registry is an online service that allows federation contacts from the Education & Research community to manage their SAML entities (identity providers and service providers) and to register them in one or more federations operated by RENATER. It also gives unauthenticated access to public information about those entities.

The technical information collected through the registry is then published in the metadata of the federations in which the entity is registered.

2. Access to the service

The service is available at the following address: https://federation.renater.fr/registry.

Access to the federation registry requires prior user authentication.

Authentication relies on the existing identity federation mechanisms: the user authenticates through the identity provider of his home organization or, if his organization does not have one, with a CRU account.

In the latter case, the user must first create his CRU account through the CRU accounts management service, then select “Comptes CRU” in the connection drop-down list on the registry.

Get more details about the CRU accounts service on this page.

3. Federations available through the registry

The registry allows registration in the following types of federation:

  • Production federations: Éducation-Recherche, eduGAIN and local federation;
  • Test federation.

3.1 Registration in a production federation

Organizations that want to declare one or more SAML entities in a production federation (Éducation-Recherche, eduGAIN or local federation) must first complete an administrative registration procedure with RENATER.

Important: Only trusted organizations registered beforehand with RENATER are authorized to declare new SAML entities in a production federation.

The type of SAML entity that can be declared on the registry also depends on the status of your organization (member or partner organization):

  • If you are registered as a member organization (belonging to the R&E community), you can declare both identity providers and service providers;
  • If you are registered as a partner organization, you can only declare service providers.

3.2 Fédération Éducation-Recherche

The registry allows a SAML entity to be registered in the Fédération Éducation-Recherche.

The Fédération Éducation-Recherche is a service operated by RENATER. It provides a trust and technical framework between a set of identity providers (IDP) and service providers (SP), enabling its participants to secure and simplify access to web resources.

Get more details about the Fédération Éducation-Recherche on this page.

3.3 eduGAIN federation

The registry allows a SAML entity to be registered in the eduGAIN federation.

eduGAIN is a service operated by GEANT that interconnects the E&R federations at the international level.

Typical eduGAIN use cases are:

  • You manage an IDP and your users need to access an SP registered in eduGAIN;
  • You manage an SP and you want to open access to your application to international users (provided that their home IDPs are registered in eduGAIN).

By default, the way registration in eduGAIN is handled on the registry depends on the type of SAML entity:

  • If you manage an IDP: any IDP registered in the Éducation-Recherche federation is automatically registered in eduGAIN. IDP administrators who do not wish to participate in eduGAIN must explicitly deselect the corresponding checkbox on the registry (opt-out principle);
  • If you manage an SP: by contrast, SP administrators who wish to participate in eduGAIN must explicitly select the corresponding checkbox on the registry (opt-in principle).

Get more details about eduGAIN federation on this page (French only).

3.4 Local federation

The registry also lets you manage a local federation for your organization, hosted by RENATER.

It allows an organization to register SAML entities in its own federation, with the same level of trust as the Éducation-Recherche federation, and to publish the metadata file of this local federation.

Get more details about local federation and its terms of use on this page (French only).

3.5 Test federation

The registry also provides a test federation for quickly testing the configuration and checking the operation of your IDP or SP.

Any authenticated user (see §2 above) can declare an IDP or an SP in the test federation; no prior administrative procedure with RENATER is required in this case.

Get more details about the test federation on this page.

4. Registry user roles

4.1 Technical contact

The technical contact is the person in charge of technically operating the SAML entity (IDP/SP) for an organization.

Through the registry, he is authorized to perform the following actions:

  • Create / edit / remove a SAML entity;
  • List the SAML entities for which he is declared as technical contact;
  • Attach a SAML entity to an organization;
  • Register a SAML entity in one or more of the federations available on the registry.

Some of his actions are subject to moderation/validation by the federation contacts of his home organization, in particular:

  • Declaring a SAML entity attached to an organization;
  • Registering a SAML entity in a production federation;
  • Updating a sensitive parameter (entityID, scope, requested attributes, home organization) of a SAML entity registered in a production federation.

The technical contact must be provided when the SAML entity is first declared on the registry (see §5.1 below). Every SAML entity created in the registry must have at least one technical contact; up to two may be declared, and a generic support email address can also be provided.

4.2 Federation contact

The federation contact is an organization's first point of contact for federation matters.

Two federation contacts must be appointed for each organization as part of the administrative registration procedure with RENATER (see §3.1 above).

Completion of the administrative registration procedure by the organization leads to the creation of the organization's record on the registry, including the email addresses of its two federation contacts. This operation is performed exclusively by the registry administrators.

On the registry, the federation contact can perform all the actions associated with the “technical contact” role presented above. In addition, he can also:

  • List all the SAML entities attached to his organization;
  • Validate/moderate some of the actions performed by the technical contacts of these entities (see §4.1 above).

4.3 Use of contact information within the registry

The email addresses provided for the federation contacts (as part of the administrative registration procedure with RENATER) and the technical contacts (when a SAML entity is created on the registry) serve a twofold purpose:

  1. Access control within the registry (visibility of SAML entities);
  2. Notification and communication of technical information.

Access control within the registry (visibility of SAML entities)

Since access control within the registry is based on the email address, the declared value must match the “mail” attribute returned by the IDP the user authenticates with (i.e. the home organization IDP or the CRU accounts IDP).

  • For a user with the “technical contact” role: he can see and access the SAML entities whose technical contact email address (declared in the “Contacts” tab) matches the one returned by the connection IDP (note that this applies only to the two individual technical email addresses, not to the generic support address).
  • For a user with the “federation contact” role: he can see all the SAML entities attached to his organization if the federation contact email address (declared as part of the administrative registration procedure) matches the one returned by the connection IDP.

Notification and communication of technical information

The contact email addresses are also used to establish a reliable communication channel between RENATER and the organization's staff, in order to send notifications (e.g. a validation request to the federation contact) or, when needed, technical information (e.g. about technical problems, service evolutions, etc.).

Beware: to keep the communication channel between you and RENATER reliable and effective, we expressly ask you not to use contact email addresses handled by a helpdesk tool (which would send automatic replies to our messages) or corresponding to mailing lists that reject mail from non-subscribers.

5. Registry main operations

5.1 Declaring a new SAML entity

1. A user belonging to the R&E community wants to declare a new SAML entity. He logs in to the registry through his home organization IDP or with a CRU account (see §2 above).

2. Once authenticated on the registry, he clicks on “Add a service provider” or “Add an identity provider”, depending on the type of SAML entity he wants to declare.

3. He then fills in the main tabs of the form (the tabs differ for an IDP and for an SP) and submits the creation request.

For a test federation use only, selecting a home organization for the SAML entity (in the “Organization attachment” tab) is optional.

4. If the SAML entity was attached to an organization in the previous step (mandatory for use in a production federation), the federation contacts of the selected organization receive a notification email asking them to validate the attachment.

Until the attachment to an organization has been validated by a federation contact, the SAML entity can only be registered in the test federation.

5. The federation contact validates the attachment from the registry.

6. Once the federation contact has validated it, the technical contacts declared for the SAML entity (in the “Contacts” tab) receive a notification email.

After step 6, the SAML entity can be registered in one or more of the production federations available on the registry.

5.2 Registering a SAML entity in a federation

1. After authenticating on the registry, a technical contact of an organization opens the list of SAML entities for which he is declared.

2. In this list, each column on the right corresponds to a federation. Clicking on one of the black circles takes him to the “Federation attachment” tab of the SAML entity editing page.

3. He can then request registration in the desired federation by clicking on the “Join” button.

4. If the registration concerns a production federation, a validation request is sent to the federation contacts of the organization.

5. The federation contact validates the registration in the selected production federation from the registry.

6. Once the federation contact has validated it, the technical contacts declared for this SAML entity (in the “Contacts” tab) receive a notification email.

5.3 Updating a SAML entity

1. After authenticating on the registry, a technical contact of an organization opens the editing page of the SAML entity he manages (by clicking on the dedicated icon).

2. He then makes the required changes and submits the update request. Note that for each update of a SAML entity, a comment summarizing the changes must be added before submitting the form.

3. If the SAML entity is registered in a production federation and the change concerns a sensitive parameter (entityID, scope, requested attributes or attachment to an organization), a validation request is sent to the federation contacts of the organization. Otherwise, step 6 applies directly.

4. The federation contact validates the update of the sensitive parameter(s) for this SAML entity from the registry.

5. Once the federation contact has validated it, the technical contacts declared for this SAML entity (in the “Contacts” tab) receive a notification email.

6. The changes submitted on the registry are then applied to the metadata of each federation in which the entity is registered.

Important: once changes are submitted on the registry, allow for the time needed for them to propagate to the metadata of each subscribed federation. Get more details on this page.
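Because a validated change only becomes effective once it appears in the published federation metadata, a technical contact will usually want to verify propagation rather than assume it. The script below is an added example, not a RENATER tool and not part of this page's original content: it parses a SAML metadata aggregate and compares the parameters the registry treats as sensitive (entityID, scope, requested attributes, technical contacts) against what was submitted. The aggregate, entityIDs and addresses it uses are a constructed sample; a real check would point it at the federation's metadata URL. The `md` and `shibmd` namespaces are the standard SAML 2.0 metadata and Shibboleth scope namespaces.

```python
"""Verify that a SAML entity is published in a federation metadata aggregate
with the expected sensitive parameters.  Added example, not a RENATER tool;
the aggregate below is a constructed sample, not real federation metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",      # SAML 2.0 metadata
    "shibmd": "urn:mace:shibboleth:metadata:1.0",      # Shibboleth Scope extension
}

# Constructed sample aggregate: one IDP and one SP with hypothetical entityIDs.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="urn:example:constructed-federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Constructed SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:sp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
      <md:EmailAddress>mailto:helpdesk@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_entities(xml_text):
    """Return a mapping entityID -> EntityDescriptor element for an aggregate."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


def describe_entity(entity):
    """Extract the parameters the registry treats as sensitive from one entity."""
    scopes = [s.text.strip() for s in entity.iterfind(".//shibmd:Scope", NS)]
    requested = [a.get("Name") for a in entity.iterfind(".//md:RequestedAttribute", NS)]
    contacts = {}
    for c in entity.iterfind("md:ContactPerson", NS):
        mails = [m.text.replace("mailto:", "", 1) for m in c.iterfind("md:EmailAddress", NS)]
        contacts.setdefault(c.get("contactType"), []).extend(mails)
    role = "IDP" if entity.find("md:IDPSSODescriptor", NS) is not None else "SP"
    return {"entityID": entity.get("entityID"), "role": role, "scopes": scopes,
            "requested_attributes": requested, "contacts": contacts}


def check_entity(xml_text, expected):
    """Compare what the aggregate publishes with what was submitted in the registry.
    `expected` holds entityID plus any of: scopes, requested_attributes,
    technical_contacts.  Returns a list of discrepancies; empty means the
    change has propagated (or the entity never changed)."""
    entity = load_entities(xml_text).get(expected["entityID"])
    if entity is None:
        return [f"{expected['entityID']} is not (yet) in the aggregate"]
    actual = describe_entity(entity)
    problems = []
    for key in ("scopes", "requested_attributes"):
        if key in expected and sorted(expected[key]) != sorted(actual[key]):
            problems.append(f"{key}: expected {expected[key]}, published {actual[key]}")
    # Email matching is case-insensitive, as the registry's own access control
    # compares addresses rather than display names.
    want = {m.lower() for m in expected.get("technical_contacts", [])}
    have = {m.lower() for m in actual["contacts"].get("technical", [])}
    if want and want != have:
        problems.append(f"technical contacts: expected {sorted(want)}, published {sorted(have)}")
    return problems


if __name__ == "__main__":
    submitted = {"entityID": "https://idp.example.org/idp/shibboleth",
                 "scopes": ["example.org"],
                 "technical_contacts": ["idp-admin@example.org"]}
    print(check_entity(SAMPLE_METADATA, submitted) or "entity published as submitted")
```

Run it after a validated update and repeat until the returned list is empty; a non-empty list tells you which sensitive parameter is still published with its old value. Before trusting a real aggregate for anything beyond this kind of read-only check, verify its XML signature with the federation's published signing key and refuse aggregates whose `validUntil` has passed, which this example does not do.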

6. FAQ

You can consult the federation registry FAQ on this page.