Federation Registry

Create a new Identity Provider

To create an Identity Provider you need the following:

  • Contact details for the Identity Provider to advertise to the federation.
  • Common details such as the organisation owning the identity provider, a display name that users of the identity provider will recognise, and a description of who the identity provider serves
  • The technology stack being used. If you are using Shibboleth you will only need the hostname. If using another implementation you will need to collect the URLs for all SAML 2 endpoints it supports
  • The Public Key your Identity Provider will use to sign and encrypt assertions in the federation. This must have a CN equal to your Identity Provider's hostname and be self-signed
  • A list of the attributes your Identity Provider is able to provide. At a minimum this should be the full set of core attributes

With the above details ready we estimate this process will take around 20 minutes to complete.


1. Primary Contact

Please enter the details you wish to advertise to the federation as the primary contact for this identity provider.


2. Identity Provider Description

Please select the organisation this identity provider belongs to and provide descriptive information below. This will be used in several locations throughout the federation including the discovery service.

Please be aware that due to technical limitations, each organisation can only have one active IdP at any one time. If you require an additional IdP for your organisation, please contact the Tuakiri Support Desk at tuakiri@reannz.co.nz to discuss your options.

3. SAML Configuration

The following information will be used by service providers and end users alike to connect to your identity provider.

Easy registration using defaults

For administrators of commonly used identity provider software we've created an easy registration route. Simply select the software type and provide the URL of your identity provider e.g. https://idp.example.edu.au.

OR

Advanced SAML 2 registration

Tweak the values created using the easy mode above, or, if you're using a different SAML 2 implementation altogether, provide your details from scratch here.


  • Binding: SAML:2.0:bindings:HTTP-POST
  • Binding: SAML:2.0:bindings:HTTP-Redirect
  • Binding: SAML:2.0:bindings:SOAP
  • Binding: SAML:2.0:bindings:HTTP-Artifact (Index: )
  • Binding: SAML:2.0:bindings:SOAP

4. Attribute Scope

Please enter the scope your Identity Provider will use when asserting attributes. Generally this is the base domain of your organisation.

For example, if your organisation's main web presence is http://www.example.edu.au, you'd provide example.edu.au below.
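The scope registered here is what relying parties use to decide whether a scoped value such as staff@example.edu.au may be accepted from this Identity Provider: a value whose scope does not exactly match the registered one should be rejected. The shell script below is an added example and is not code from the Federation Registry or from Tuakiri; the registered scope, the attribute values and the function names (scope_of, check_scoped, check_assertion) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Federation Registry form: check that the
# scoped attribute values an IdP asserts carry exactly the scope it registered.
# The registered scope and the sample attribute values are constructed.
set -eu

REGISTERED_SCOPE="example.edu.au"   # constructed: the value entered in step 4

# scope_of VALUE: prints the part after the last '@', lower-cased; empty if no '@'.
scope_of() {
  case "$1" in
    *@*) printf '%s\n' "${1##*@}" | tr 'A-Z' 'a-z' ;;
    *)   printf '\n' ;;
  esac
}

# check_scoped REGISTERED_SCOPE VALUE: 0 if VALUE is scoped and its scope equals
# REGISTERED_SCOPE (case-insensitive); 1 otherwise. Sub-domains and other
# domains are rejected: a scope must match exactly, not merely end with it.
check_scoped() {
  want=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
  got=$(scope_of "$2")
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_assertion REGISTERED_SCOPE "name=value" ...: checks each scoped attribute
# (eduPersonScopedAffiliation, eduPersonPrincipalName), prints a verdict per
# value, and returns the number of rejected values (0 means all acceptable).
check_assertion() {
  scope="$1"; shift
  bad=0
  for pair in "$@"; do
    name=${pair%%=*}; value=${pair#*=}
    case "$name" in
      eduPersonScopedAffiliation|eduPersonPrincipalName)
        if check_scoped "$scope" "$value"; then
          echo "accept $name=$value"
        else
          echo "reject $name=$value (scope '$(scope_of "$value")' is not '$scope')"
          bad=$((bad + 1))
        fi ;;
      *) echo "skip   $name (not a scoped attribute)" ;;
    esac
  done
  return $bad
}

# Demonstration on constructed values: two good values, one from another domain.
check_assertion "$REGISTERED_SCOPE" \
  "eduPersonScopedAffiliation=staff@example.edu.au" \
  "eduPersonPrincipalName=jsmith@Example.EDU.au" \
  "eduPersonScopedAffiliation=staff@other.example.org" \
  "displayName=J Smith" || echo "$? scoped value(s) rejected"
```

The comparison is case-insensitive because DNS names are, but it is otherwise exact: a value scoped to a sub-domain of the registered scope is rejected, which is why the scope you register should be the domain you will actually assert.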


5. Cryptography

The details you provide below will be used for message signing, encryption and client verification between your identity provider and service providers in the federation. You must enter certificates in PEM format below.
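The prerequisites list asks for a self-signed certificate whose CN equals the Identity Provider's hostname, and this step asks for it in PEM format. The shell script below is an added example, not code from the Federation Registry or Tuakiri: it generates such a certificate with openssl and then checks a PEM file against those three rules the way an operator would before pasting it in. It assumes openssl is on the PATH; the hostname idp.example.edu.au and the function names (make_idp_cert, cert_field, check_idp_cert) are constructed for illustration.

```shell
#!/bin/sh
# Added example; this is not code from the Federation Registry or Tuakiri.
# It creates a self-signed IdP certificate whose CN equals the IdP hostname
# (the registry's requirement) and then checks a PEM file against the same
# rules before it is pasted into the Cryptography step.
# Assumptions: openssl is on PATH; idp.example.edu.au is a constructed hostname.
set -eu

IDP_HOST="idp.example.edu.au"   # constructed example hostname
WORKDIR=$(mktemp -d)

# make_idp_cert HOST OUTFILE: RSA-2048 key plus a self-signed, SHA-256 signed
# certificate with subject CN=HOST, written in PEM format. The key is written
# next to the certificate with a .key suffix.
make_idp_cert() {
  host="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=${host}" -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# cert_field FILE -subject|-issuer: prints the DN in RFC 2253 form without the
# "subject=" / "issuer=" prefix that openssl adds.
cert_field() {
  openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_idp_cert HOST FILE: returns 0 only when FILE is a PEM certificate, its
# subject CN is exactly HOST, and it is self-signed (issuer equals subject and
# the signature verifies under the certificate's own key). Prints the verdict.
check_idp_cert() {
  host="$1"; file="$2"
  openssl x509 -in "$file" -inform PEM -noout >/dev/null 2>&1 \
    || { echo "reject: $file is not a PEM certificate"; return 1; }
  subj=$(cert_field "$file" -subject)
  cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$host" ] \
    || { echo "reject: CN '$cn' does not equal hostname '$host'"; return 1; }
  [ "$subj" = "$(cert_field "$file" -issuer)" ] \
    || { echo "reject: issuer differs from subject, not self-signed"; return 1; }
  openssl verify -CAfile "$file" "$file" >/dev/null 2>&1 \
    || { echo "reject: signature does not verify under its own key"; return 1; }
  echo "accept: $file (CN=$cn, self-signed)"
}

# Demonstration: a correct certificate passes; one issued for another host fails.
make_idp_cert "$IDP_HOST" "$WORKDIR/idp.pem"
check_idp_cert "$IDP_HOST" "$WORKDIR/idp.pem"
make_idp_cert "www.example.edu.au" "$WORKDIR/www.pem"
check_idp_cert "$IDP_HOST" "$WORKDIR/www.pem" || true
```

The file that passes check_idp_cert is the one to paste into the certificate field; the matching .key file stays on the Identity Provider and is never sent to the registry.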


6. Supported Attributes

Select the attributes your identity provider supports. The wider the range of attributes you support, the more services your end users will be able to access.

| Name | OID | Description | Category |
|------|-----|-------------|----------|
| auEduPersonSharedToken | oid:1.3.6.1.4.1.27856.1.2.5 | A unique identifier enabling federation-spanning services such as Grid and Repositories | Core |
| commonName | oid:2.5.4.3 | An individual's common name, typically their full name. This attribute should not be used in transactions where it is desirable to maintain user anonymity. | Core |
| displayName | oid:2.16.840.1.113730.3.1.241 | Preferred name of a person to be used when displaying entries. This attribute should not be used in transactions where it is desirable to maintain user anonymity. | Core |
| eduPersonAffiliation | oid:1.3.6.1.4.1.5923.1.1.1.1 | Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. | Core |
| eduPersonAssurance | oid:1.3.6.1.4.1.5923.1.1.1.11 | This attribute represents identity assurance profiles (IAPs), which are the set of standards that are met by an identity assertion, based on the Identity Provider's identity management processes, type of authentication credential used, binding strength, etc. | Core |
| eduPersonEntitlement | oid:1.3.6.1.4.1.5923.1.1.1.7 | Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the relevant community | Core |
| eduPersonScopedAffiliation | oid:1.3.6.1.4.1.5923.1.1.1.9 | This attribute enables an organisation to assert its relationship with the user. | Core |
| eduPersonTargetedID | oid:1.3.6.1.4.1.5923.1.1.1.10 | A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities | Core |
| email | oid:0.9.2342.19200300.100.1.3 | Preferred address for e-mail to be sent to this person | Core |
| organizationName | oid:2.5.4.10 | Standard name of the top-level organization (institution) with which the user is associated. | Core |
| auEduPersonAffiliation | oid:1.3.6.1.4.1.27856.1.2.1 | Specifies a person's relationship to the institution in broad categories but with a finer-grained set of permissible values than eduPersonAffiliation. | Optional |
| auEduPersonLegalName | oid:1.3.6.1.4.1.27856.1.2.2 | The user's legal name, as per their passport, birth certificate, or other legal document | Optional |
| eduPersonOrcid | oid:1.3.6.1.4.1.5923.1.1.1.16 | ORCiD.org ID uniquely identifying a researcher. | Optional |
| eduPersonPrimaryAffiliation | oid:1.3.6.1.4.1.5923.1.1.1.5 | Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc. | Optional |
| eduPersonPrincipalName | oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson per Internet2 and EDUCAUSE | Optional |
| givenName | oid:2.5.4.42 | Given name of a person | Optional |
| homeOrganization | oid:1.3.6.1.4.1.25178.1.2.9 | User's home organization | Optional |
| homeOrganizationType | oid:1.3.6.1.4.1.25178.1.2.10 | Type of organization the user belongs to | Optional |
| mobileNumber | oid:0.9.2342.19200300.100.1.41 | Mobile phone number | Optional |
| organizationalUnit | oid:2.5.4.11 | Organizational unit currently used for faculty membership of staff | Optional |
| postalAddress | oid:2.5.4.16 | Business postal address: campus or office address | Optional |
| surname | oid:2.5.4.4 | Surname or family name | Optional |
| telephoneNumber | oid:2.5.4.20 | Office or campus phone number of the individual | Optional |

7. Identity provider ready to be registered

You've now supplied all data required to register a new identity provider. If you'd like to change anything or review your input please do so now. When you are ready to finalise your registration click the submit button below.