Services provided by Proxy IdP
A filter for WAYF/DS (Where Are You From/Discovery Service)
An SP can influence the list of identity providers shown on the WAYF of Proxy IdP. Because this WAYF is based on CESNET WAYF (https://www.eduid.cz/cs/tech/wayf), the filter is configured at https://ds.eduid.cz/filter.php. The resulting value is then supplied as the attribute filter. For longer filters, we recommend saving the value into a file and supplying a link to it as the attribute efilter. More information about the filter can be found at https://www.eduid.cz/cs/tech/wayf/sp (in the part about the Filter Generator).
How to deliver a filter to Proxy IdP
By the attribute AuthnContextClassRef in the SAML 2 protocol
The SP sets the attribute AuthnContextClassRef:
For a filter: the value urn:cesnet:proxyidp:filter:[the value of your generated filter]
For an efilter: the value urn:cesnet:proxyidp:efilter:[a link to the file with the filter]
If both filters are supplied at the same time, the efilter is used. An example of the Shibboleth SP setting in shibboleth2.xml:
<!-- eduID.cz, eduGAIN, Social -->
<SessionInitiator entityID="https://login.cesnet.cz/idp/" type="SAML2" template="bindingTemplate.html" Location="/allfed" id="allfed" relayState="cookie" authnContextClassRef="urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt" />
An example of the Shibboleth SP setting in the Apache web server:
<Location abc>
...
ShibRequestSetting authnContextClassRef urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt
...
</Location>
Manually by setting the SP in Proxy
It is possible to define a filter this way, but the change must be made by an administrator. In this case, send a request to add the filter to login@cesnet.cz with the identifier of the service and the value of the filter, or a link to the file with the filter.
Proxy cannot check whether the filter value it receives is correct.
If none of the options above is used, the defaultFilter is applied (it includes the federations eduID.cz, eduGAIN, Social and StandaloneIdP).
Access to a particular IdP without WAYF (SAML)
Direct access to a particular IdP can be set by the attribute AuthnContextClassRef in the SAML protocol (the value urn:cesnet:proxyidp:idpentityid:[EntityId of the IdP]).
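The following is an added example (not code from the Proxy IdP project) showing how the three AuthnContextClassRef directives described above (filter, efilter, idpentityid) can be parsed and resolved with the precedence the documentation states (efilter over filter, defaultFilter when nothing is supplied); treating idpentityid as resolved before the filters, and the https check on an efilter link, are this example's own assumptions, not rules from the page.

```python
from urllib.parse import urlparse

PREFIX = "urn:cesnet:proxyidp:"
KNOWN_KINDS = ("filter", "efilter", "idpentityid")
DEFAULT_FILTER = "defaultFilter"  # eduID.cz, eduGAIN, Social, StandaloneIdP


def parse_class_ref(ref):
    """Return (kind, value) for one AuthnContextClassRef value, or None
    if it is not a Proxy IdP directive (e.g. a standard SAML AC class)."""
    if not ref.startswith(PREFIX):
        return None
    kind, sep, value = ref[len(PREFIX):].partition(":")
    # partition splits only on the first colon, so an efilter URL
    # (https://...) survives intact as the value
    if not sep or not value or kind not in KNOWN_KINDS:
        return None
    return kind, value


def resolve_wayf_directive(class_refs):
    """Pick the directive Proxy IdP acts on from all AuthnContextClassRef
    values in a request. Documented precedence: efilter beats filter, and
    no directive at all means defaultFilter. Assumption (not on the page):
    idpentityid, which bypasses WAYF entirely, is resolved first."""
    found = {}
    for ref in class_refs:
        parsed = parse_class_ref(ref)
        if parsed is not None:
            found.setdefault(parsed[0], parsed[1])  # first occurrence wins
    for kind in ("idpentityid", "efilter", "filter"):
        if kind in found:
            return kind, found[kind]
    return "default", DEFAULT_FILTER


def efilter_link_problems(url):
    """Sanity checks an SP administrator can run on an efilter link before
    sending it, since Proxy cannot verify the value (assumed policy)."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("efilter link is not https")
    if not parts.netloc:
        problems.append("efilter link has no host")
    return problems
```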
Manual setting of eduPersonScopedAffiliation
Organizations that are not members of eduID.cz but need to open their services to their users, where verification of the user's relationship with the organization is required, can use the function of manually confirming a user's relationship with an organization. The organization designates responsible persons who check whether a person requesting confirmation has a formal relationship with the organization. The responsible person gets access to the Perun system, where they see the users' requests and can approve or refuse them. After that, users can request confirmation using their social identity. Thanks to this, the trust placed in an otherwise anonymous identity is higher.
Support: perun@cesnet.cz