Connect An Identity Provider To The SGAF

How to connect SAML 2.0-enabled Identity Providers to the SGAF

Shibboleth Identity Providers

SGAF Local Metadata: https://ds.sgaf.org.sg/distribution/metadata/sgaf-metadata.xml
SGAF eduGAIN Metadata: https://ds.sgaf.org.sg/distribution/metadata/sgaf-edugain.xml
SGAF Metadata Signing Certificate: https://ds.sgaf.org.sg/distribution/metadata/updated_metadata_cert.pem

  1. Create an Organisation for your institution using the following technical document: Create an Organisation in SGAF.
  2. Wait for the Federation Administrator to approve the new Organisation.
  3. Register your Shibboleth Identity Provider under your newly created Organisation in Identity Provider Description.
  4. Select the attributes that the Identity Provider will supply.
  5. Submit the request and wait for approval via email.
  6. Load the SGAF Local Metadata, the SGAF-signed eduGAIN Metadata and the SGAF Metadata Signing Certificate in the Shibboleth IdP relying-party.xml or equivalent file.
  7. Reload the Shibboleth IdP.
  8. Once you have received the confirmation email and loaded the SGAF metadata chain into your IdP, connect to the Federation Registry and become the administrator for both the Organisation and the Identity Provider.
  9. Follow the instructions given in the confirmation emails for both the Organisation and the Identity Provider to complete the process.

Note: Your identity provider will become active within the Singapore Access Federation 24 hours after approval.

relying-party.xml MetadataProvider snippet

<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">

    <!-- The IdP's own metadata, re-read daily. -->
    <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/virtualhome/shibboleth/shibboleth-idp/shibboleth-idp-2.4.4/metadata/idp-metadata.xml"
                               maxRefreshDelay="P1D" />

    <!-- SGAF Local Metadata (sgaf-metadata.xml), downloaded to the path below and re-read every 10 minutes. -->
    <metadata:MetadataProvider id="FedMD" xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/virtualhome/shibboleth/shibboleth-idp/shibboleth-idp-2.4.4/metadata/federation-metadata.xml"
                               maxRefreshDelay="PT10M">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <!-- Verify the SGAF signature with the trust engine defined below. This filter comes first so that
                 unsigned or tampered metadata is rejected before any other filter processes it; without it the
                 trust engine is never consulted and the signing certificate loaded in step 6 goes unused. -->
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                     trustEngineRef="shibboleth.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
            <!-- Reject the aggregate if validUntil is missing or more than 7 days ahead, so a stale copy
                 cannot be served indefinitely. -->
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P7D" />
            <!-- Keep only Service Provider entities; an IdP has no use for the other roles. -->
            <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
            <metadata:MetadataFilter xsi:type="metadata:SchemaValidation" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>

    <!-- SGAF-signed eduGAIN Metadata (sgaf-edugain.xml), with the same filter chain. -->
    <metadata:MetadataProvider id="EGMD" xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/virtualhome/shibboleth/shibboleth-idp/shibboleth-idp-2.4.4/metadata/edugain-metadata.xml"
                               maxRefreshDelay="PT10M">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                     trustEngineRef="shibboleth.MetadataTrustEngine"
                                     requireSignedMetadata="true" />
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P7D" />
            <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
            <metadata:MetadataFilter xsi:type="metadata:SchemaValidation" />
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>

</metadata:MetadataProvider>

<!-- Trust engine referenced by the SignatureValidation filters above. Both entries point at the SGAF Metadata
     Signing Certificate (updated_metadata_cert.pem from the link above, saved locally as metadata.crt), since
     SGAF signs both the local and the eduGAIN feed. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticPKIXSignature">
    <security:ValidationInfo id="AAFCredentials" xsi:type="security:PKIXFilesystem">
        <security:Certificate>/opt/virtualhome/shibboleth/shibboleth-idp/shibboleth-idp-2.4.4/credentials/metadata.crt</security:Certificate>
    </security:ValidationInfo>
    <security:ValidationInfo id="EGCredentials" xsi:type="security:PKIXFilesystem">
        <security:Certificate>/opt/virtualhome/shibboleth/shibboleth-idp/shibboleth-idp-2.4.4/credentials/metadata.crt</security:Certificate>
    </security:ValidationInfo>
</security:TrustEngine>
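As an added pre-load check, not part of this page or of the SGAF or Shibboleth tooling, the following Python applies the same validUntil ceiling (P7D) and SP-role retention as the filters in the snippet to a downloaded aggregate, so a stale or wrong feed is noticed before the IdP is reloaded; it does not verify the XML signature, which remains the job of the IdP's metadata trust engine. The sample aggregate and its entityIDs are constructed.

```python
"""Pre-load check for a downloaded SGAF aggregate, mirroring two relying-party.xml
filters: RequiredValidUntil (P7D) and EntityRoleWhiteList keeping SPSSODescriptor.
It does not verify the XML signature; the IdP's metadata trust engine does that."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MAX_VALIDITY = timedelta(days=7)  # maxValidityInterval="P7D"

def parse_saml_datetime(value):
    """xs:dateTime as used in validUntil, e.g. 2024-06-08T00:00:00Z (UTC)."""
    return datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)

def check_valid_until(root, now):
    """validUntil must exist, not be in the past, and lie at most P7D ahead of now."""
    value = root.get("validUntil")
    if value is None:
        return False, "validUntil missing on EntitiesDescriptor"
    valid_until = parse_saml_datetime(value)
    if valid_until <= now:
        return False, "metadata expired at " + value
    if valid_until - now > MAX_VALIDITY:
        return False, "validUntil " + value + " exceeds the P7D ceiling"
    return True, "ok"

def retained_roles(root):
    """Keep entities with an SPSSODescriptor; list the entityIDs the IdP would drop."""
    kept, dropped = [], []
    for ent in root.iter(MD + "EntityDescriptor"):
        has_sp = ent.find(MD + "SPSSODescriptor") is not None
        (kept if has_sp else dropped).append(ent.get("entityID"))
    return kept, dropped

def check_feed(xml_text, now_iso):
    """Run both checks against the aggregate; now_iso is the reference time."""
    root = ET.fromstring(xml_text)
    ok, reason = check_valid_until(root, parse_saml_datetime(now_iso))
    kept, dropped = retained_roles(root)
    return {"valid_until_ok": ok, "reason": reason,
            "sp_entities": kept, "dropped_entities": dropped}

# Constructed sample aggregate (not real SGAF data): one SP and one IdP.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2024-06-08T00:00:00Z">
  <EntityDescriptor entityID="https://sp.example.edu.sg/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu.sg/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""
```

Run it against the real file with `check_feed(open("federation-metadata.xml").read(), "<current time>Z")` and confirm that `valid_until_ok` is true and `sp_entities` is non-empty before reloading the IdP.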

ADFS and Single-Metadata-Entity-Ingesting Identity Providers

Use SGAF Proxy Metadata: https://sgaf.singaren.net.sg/simplesaml/module.php/saml/sp/metadata.php/proxy-sp

ADFS and other Single-Metadata-Entity-Ingesting Identity Providers must connect through the SGAF Proxy, because they cannot load multi-entity (aggregate) metadata, or can do so only with difficulty.

Note: Your identity provider will become active within the Singapore Access Federation 24 hours after approval.