
Enabling eduroam Configuration Assistant Tool (cat.eduroam.org)

Posted on October 20, 2017

Introduction

The service that helps users configure eduroam on their devices is the eduroam Configuration Assistant Tool, or CAT for short. Institutional eduroam administrators sign in to CAT with their home-organization credentials, which requires your IdP to be published through eduGAIN and to release a few attributes to the CAT service provider. The steps to set this up are:

1. Send a notification to tickets@canarie.ca to opt-in

You can make this request at any time, including when you first sign up for service with CAF.

2. Provide an updated entity metadata element to CAF for eduGAIN publishing.

Your entity descriptor needs to pass validation with the eduGAIN validator at http://www.edugain.org/Metadata/

Specific elements needed to pass the validator are:

  • MDRPI extensions. CAF adds these when it registers your entity (we set the registration instant), but the validator needs them present to pass. The block sits right after the <EntityDescriptor> opening tag and before the IDPSSODescriptor opening tag, e.g.:
    <Extensions>
      <mdrpi:RegistrationInfo xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" registrationAuthority="http://www.canarie.ca" registrationInstant="2012-08-28T00:00:00Z">
        <mdrpi:RegistrationPolicy xml:lang="en">http://www.canarie.ca/templates/services/docs/CAF_join_en.pdf</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </Extensions>
  • Right after the IDPSSODescriptor opening tag and before the KeyDescriptor tags come the MDUI elements, which must be populated with the appropriate information for your entity. CANARIE's are shown below:
    <Extensions>
      <shibmd:Scope xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" regexp="false">canarie.ca</shibmd:Scope>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">CANARIE</mdui:DisplayName>
        <mdui:DisplayName xml:lang="fr">CANARIE</mdui:DisplayName>
        <mdui:Description xml:lang="en">Canada's Advanced Research and Innovation Network</mdui:Description>
        <mdui:Description xml:lang="fr">Le réseau évolué de recherche et d'innovation du Canada</mdui:Description>
        <mdui:InformationURL xml:lang="en">http://www.canarie.ca/en/about/aboutus</mdui:InformationURL>
        <mdui:InformationURL xml:lang="fr">http://www.canarie.ca/fr/a-propos/quinoussommes</mdui:InformationURL>
      </mdui:UIInfo>
    </Extensions>
  • An updated Organization block with both English and French elements, so the entry renders properly in both languages. You may add elements for any other language, but en and fr are the minimum required.
    <Organization>
      <OrganizationName xml:lang="en">CANARIE</OrganizationName>
      <OrganizationName xml:lang="fr">CANARIE</OrganizationName>
      <OrganizationDisplayName xml:lang="en">Canada's Advanced Research and Innovation Network</OrganizationDisplayName>
      <OrganizationDisplayName xml:lang="fr">Le réseau évolué de recherche et d'innovation du Canada</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://www.canarie.ca/en/about/aboutus</OrganizationURL>
      <OrganizationURL xml:lang="fr">http://www.canarie.ca/fr/a-propos/quinoussommes</OrganizationURL>
    </Organization>

Any other element from the OASIS SAML Metadata UI specification can be added to improve the findability of your IdP (see: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.html).
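Before sending the descriptor to the eduGAIN validator it is worth checking locally that all of the elements above are present and that each language-tagged element exists in both en and fr. The script below is an added example, not CANARIE's tooling and not a substitute for the validator (which also checks schema and signing details). The entity idp.example.ca, its URLs and the registrationInstant in the sample are constructed.

```python
"""Local pre-flight check of an IdP EntityDescriptor for the elements step 2 asks
for: mdrpi:RegistrationInfo, shibmd:Scope, mdui:UIInfo and md:Organization, with
both en and fr. This is an added example, not CANARIE's tooling and not the
eduGAIN validator itself; it uses only the Python standard library."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
REQUIRED_LANGS = {"en", "fr"}   # CAF minimum; extend for other languages

def _lang_problems(parent, prefix, children):
    """One problem per child element that lacks any of REQUIRED_LANGS under parent."""
    out = []
    for child in children:
        present = {e.get(XML_LANG) for e in parent.findall(f"{prefix}:{child}", NS)}
        missing = sorted(REQUIRED_LANGS - present)
        if missing:
            out.append(f"{prefix}:{child} missing languages {missing}")
    return out

def check_entity(xml_text):
    """Return a list of problems; an empty list means every required element is there."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    # 1. MDRPI block: entity-level Extensions, before the IDPSSODescriptor
    reg = root.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    if reg is None:
        problems.append("missing mdrpi:RegistrationInfo in entity Extensions")
    else:
        for attr in ("registrationAuthority", "registrationInstant"):
            if not reg.get(attr):
                problems.append(f"mdrpi:RegistrationInfo lacks {attr}")
    # 2. Scope and MDUI: Extensions inside the IDPSSODescriptor, before KeyDescriptor
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor"]
    if idp.find("md:Extensions/shibmd:Scope", NS) is None:
        problems.append("missing shibmd:Scope in IDPSSODescriptor Extensions")
    ui = idp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is None:
        problems.append("missing mdui:UIInfo in IDPSSODescriptor Extensions")
    else:
        problems += _lang_problems(ui, "mdui", ("DisplayName", "Description", "InformationURL"))
    # 3. Organization block with en and fr
    org = root.find("md:Organization", NS)
    if org is None:
        problems.append("missing md:Organization")
    else:
        problems += _lang_problems(org, "md", ("OrganizationName", "OrganizationDisplayName", "OrganizationURL"))
    return problems

# Constructed sample entity (hypothetical idp.example.ca) that passes every check.
GOOD_ENTITY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.ca/idp/shibboleth">
  <Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="http://www.canarie.ca" registrationInstant="2017-10-20T00:00:00Z">
      <mdrpi:RegistrationPolicy xml:lang="en">http://www.canarie.ca/templates/services/docs/CAF_join_en.pdf</mdrpi:RegistrationPolicy>
    </mdrpi:RegistrationInfo>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.ca</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:DisplayName xml:lang="fr">Université Exemple</mdui:DisplayName>
        <mdui:Description xml:lang="en">Example University IdP</mdui:Description>
        <mdui:Description xml:lang="fr">IdP de l'Université Exemple</mdui:Description>
        <mdui:InformationURL xml:lang="en">https://www.example.ca/en/about</mdui:InformationURL>
        <mdui:InformationURL xml:lang="fr">https://www.example.ca/fr/a-propos</mdui:InformationURL>
      </mdui:UIInfo>
    </Extensions>
  </IDPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Example University</OrganizationName>
    <OrganizationName xml:lang="fr">Université Exemple</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Example University</OrganizationDisplayName>
    <OrganizationDisplayName xml:lang="fr">Université Exemple</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://www.example.ca/en/about</OrganizationURL>
    <OrganizationURL xml:lang="fr">https://www.example.ca/fr/a-propos</OrganizationURL>
  </Organization>
</EntityDescriptor>"""

# The same entity with the registration instant and the French display name dropped.
BAD_ENTITY = (GOOD_ENTITY.replace(' registrationInstant="2017-10-20T00:00:00Z"', "")
              .replace('<mdui:DisplayName xml:lang="fr">Université Exemple</mdui:DisplayName>', ""))

if __name__ == "__main__":
    print(check_entity(GOOD_ENTITY))
    print(check_entity(BAD_ENTITY))
```

Run it against your own exported metadata (for example /opt/shibboleth-idp/metadata/idp-metadata.xml on a Shibboleth IdP) by passing the file contents to check_entity; fix everything it reports, then submit to the eduGAIN validator.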

Once your metadata passes validation, send it to tickets@canarie.ca and we will publish the update.

3. Configure the metadata trust in your IdP

The eduGAIN aggregate is separate from the CAF metadata aggregate. Add it to your IdP right below the CAF entry in relying-party.xml; the entry should look like this:

<metadata:MetadataProvider id="URLMD2" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                           metadataURL="https://caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml"
                           backingFile="/opt/shibboleth-idp/metadata/caf_interfed_signed.xml" cacheDuration="3600">
    <metadata:MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
        <metadata:MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                 trustEngineRef="federation-metadata-signer"
                                 requireSignedMetadata="true" />
    </metadata:MetadataFilter>
</metadata:MetadataProvider>

Key elements of the above snippet are:

  • The location of the interfed feed: https://caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml
  • Signature validation of the aggregate, enabled with requireSignedMetadata="true" and using the CAF signing key. The trustEngineRef in the example points at the relying-party.xml element ‘federation-metadata-signer’, which in turn points at the CAF public certificate used to verify the file:
    <security:TrustEngine id="federation-metadata-signer" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/md-signer.crt</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
    Because this is a StaticExplicitKeySignature engine, the aggregate's signature is checked against exactly that certificate, so obtain md-signer.crt from CAF over a trusted channel and confirm its fingerprint rather than fetching it from the same place as the aggregate. A provider without this filter would accept whatever the URL returns.
  • A cacheDuration of 3600, which is in seconds, i.e. one hour. CAF's eduGAIN aggregate is regenerated nightly and occasionally on demand, so an hourly refresh picks up changes the same day without polling the feed excessively.

Once you have added this metadata provider and restarted your IdP, the IdP will know about the eduGAIN entities, including the CAT service provider, and your attribute release policies will start matching them.

4. Create policy for cat.eduroam.org attribute release

The attribute-filter.xml file needs the following policy in place before sign-on to CAT will work. It releases eduPersonPrincipalName, eduPersonTargetedID, cn and mail, and only to the CAT service provider, which the requester rule identifies by its entityID:

<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="cn">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
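The fragments from steps 3 and 4 are easy to paste in with one detail missing: a remote metadata provider whose filter chain was left off accepts whatever the URL serves, and a CAT policy that omits one of the four attributes breaks sign-on. The script below is an added example, not CANARIE's or Shibboleth's code; it lints relying-party.xml and attribute-filter.xml for exactly those two mistakes. The two config snippets it carries are constructed, and the CAF feed URL in provider URLMD1 is a placeholder.

```python
"""Lint of the two Shibboleth IdP v2 fragments in steps 3 and 4: every HTTP-backed
MetadataProvider in relying-party.xml must be signature-checked, and
attribute-filter.xml must release the four CAT attributes to the CAT SP.
Added example with constructed config snippets; not CANARIE's or Shibboleth's code."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:mace:shibboleth:2.0:metadata", "afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CAT_SP = "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"
CAT_ATTRS = {"eduPersonPrincipalName", "eduPersonTargetedID", "cn", "mail"}
REMOTE_TYPES = {"FileBackedHTTPMetadataProvider", "HTTPMetadataProvider"}

def _xsi_type(el):
    """xsi:type may be written with or without a prefix ("metadata:SignatureValidation")."""
    return (el.get(XSI_TYPE) or "").split(":")[-1]

def _filters(parent):
    """Yield every MetadataFilter under a provider, flattening ChainingFilter wrappers."""
    for f in parent.findall("md:MetadataFilter", NS):
        if _xsi_type(f) == "ChainingFilter":
            yield from _filters(f)
        else:
            yield f

def unverified_providers(relying_party_xml):
    """Ids of remote metadata providers with no SignatureValidation filter that
    states requireSignedMetadata="true" (an unstated value is treated as weak)."""
    root = ET.fromstring(relying_party_xml)
    bad = []
    for prov in root.iter(f"{{{NS['md']}}}MetadataProvider"):  # iter() recurses into chains
        if _xsi_type(prov) not in REMOTE_TYPES:
            continue
        signed = any(_xsi_type(f) == "SignatureValidation"
                     and f.get("requireSignedMetadata", "").lower() == "true"
                     for f in _filters(prov))
        if not signed:
            bad.append(prov.get("id"))
    return bad

def missing_cat_attributes(attribute_filter_xml):
    """CAT attributes that no policy keyed on the CAT SP entityID permits with basic:ANY."""
    root = ET.fromstring(attribute_filter_xml)
    released = set()
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        if req is None or _xsi_type(req) != "AttributeRequesterString" or req.get("value") != CAT_SP:
            continue
        for rule in policy.findall("afp:AttributeRule", NS):
            permit = rule.find("afp:PermitValueRule", NS)
            if permit is not None and _xsi_type(permit) == "ANY":
                released.add(rule.get("attributeID"))
    return sorted(CAT_ATTRS - released)

# Constructed relying-party.xml fragment: URLMD1 (placeholder CAF feed URL) is
# verified; URLMD2, the eduGAIN interfed feed, was pasted in without its filter chain.
RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="URLMD1" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://caf.example/caf_metadata_signed.xml"
        backingFile="/opt/shibboleth-idp/metadata/caf_metadata_signed.xml">
      <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
            trustEngineRef="federation-metadata-signer" requireSignedMetadata="true"/>
      </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    <metadata:MetadataProvider id="URLMD2" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml"
        backingFile="/opt/shibboleth-idp/metadata/caf_interfed_signed.xml"/>
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>"""

# Constructed attribute-filter.xml: the CAT policy forgot the mail attribute.
ATTRIBUTE_FILTER = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="eduroamCAT">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="cn"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

if __name__ == "__main__":
    print("unverified providers:", unverified_providers(RELYING_PARTY))
    print("missing CAT attributes:", missing_cat_attributes(ATTRIBUTE_FILTER))
```

Point the two functions at your real files before restarting the IdP; an empty list from each is the state step 3 and step 4 describe. The lint deliberately treats a SignatureValidation filter that does not spell out requireSignedMetadata="true" as unverified, so that the protection never depends on a default.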

5. Request your domain to be delegated to you for the CAT tool

eduroam administrators have privileged capabilities for configuring their environment in the CAT system, and you need to request that access. The request should come from the designated administrator CANARIE has on file. Once that administrator's access is granted, they can assign privileges and add further administrators as needed, but only for their own domain.

Send a request to tickets@canarie.ca for access and the invitation will be issued to the technical contact on file with CANARIE for the eduroam system.

The technical contacts for FedSSO and eduroam are likely to be two different people. In that case the invitation is sent to the eduroam contact.

We recommend that the FedSSO and eduroam site contacts co-ordinate their efforts to avoid confusion.

6. Build your profiles by logging into cat.eduroam.org with your IdP

CAT is designed around a set of site-wide (domain-wide) defaults for eduroam; profiles are then created on top of those defaults with the necessary configuration pieces.
For more detail about eduroam CAT and its configuration capabilities, see: https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators