Tech Resources

IdP V3: Upgrade now

Upgrade to Shibboleth IdP V3 now!

With the End-of-Life (EOL) of Shibboleth V2 on July 31, 2016, the AAF has been working with subscribers to prepare them for the upgrade to V3. In late 2015, the AAF released the IdP Installer, which helps Identity Providers (IdPs) set up, configure and upgrade their IdP to Shibboleth V3. The new installer streamlines general maintenance and upgrade work while providing IdPs with:

Recommendations

For more information about the IdP Installer and how to get started with your upgrade, view our self-help resources online:

List of Organisations that have completed the IdP V3 upgrade
University of New South Wales
University of Adelaide
Bond University
Western Sydney University
Swinburne University of Technology
University of Southern Queensland (USQ)
University of Queensland
University of Notre Dame
Edith Cowan University
University of Melbourne
eResearch South Australia
University of Newcastle
Murdoch University
University of Canberra
AARNet
University of Tasmania
LaTrobe University
Central Queensland University
University of Western Australia
University of Wollongong
Curtin University

Contact AAF Support if you would like to discuss your Shibboleth IdP V3 upgrade by emailing support@aaf.edu.au

Metadata Sources

In 2016 the AAF published three metadata documents:

  1. https://md.aaf.edu.au/aaf-metadata.xml – Containing all AAF subscribers

  2. https://md.aaf.edu.au/aaf-edugain-metadata.xml – Containing IdP and SP which have been approved for consumption by AAF subscribers from the global eduGAIN metadata source

  3. https://md.aaf.edu.au/aaf-edugain-export-metadata.xml – Containing AAF subscribed IdP and SP which have been approved for publishing to the global eduGAIN metadata source

All of these metadata documents are signed by the AAF.

Subscribers must use the public key available at https://md.aaf.edu.au/aaf-metadata-certificate.pem to verify metadata documents whenever they are retrieved.

To confirm that you have obtained the correct key, ensure that the file you have downloaded matches the following:

$> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem

subject= /O=Australian Access Federation/CN=AAF Metadata
notBefore=Nov 24 04:27:20 2015 GMT
notAfter=Dec 9 04:27:20 2035 GMT
SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A
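The check above is easy to skip when certificate retrieval is automated. As an added example (not AAF tooling and not part of the IdP Installer), the following POSIX shell script pins the AAF metadata signing certificate by the SHA-1 fingerprint published on this page, so a refresh job refuses to install a certificate file whose fingerprint differs. It assumes `openssl` is on the PATH; the script name `check-aaf-cert.sh` and the invocation `sh check-aaf-cert.sh aaf-metadata-certificate.pem` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the AAF page or the IdP Installer: pin the AAF
# metadata signing certificate by SHA-1 fingerprint before trusting it for
# metadata signature validation. EXPECTED_FP is the value the AAF publishes.
EXPECTED_FP="E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A"

# Print the SHA-1 fingerprint of the PEM certificate in $1 as colon-separated
# hex, without the "SHA1 Fingerprint=" prefix that openssl adds.
cert_fingerprint() {
    openssl x509 -noout -sha1 -fingerprint -in "$1" | sed 's/^[^=]*=//'
}

# Print the subject of the PEM certificate in $1, for the operator's log.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Return 0 when the certificate in $1 matches the expected fingerprint in $2
# (compared case-insensitively); return 1 on mismatch or an unreadable file.
check_metadata_cert() {
    actual=$(cert_fingerprint "$1") || return 1
    # openssl's failure is hidden by the pipe to sed, so test for empty output.
    [ -n "$actual" ] || return 1
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
    if [ "$got" = "$want" ]; then
        echo "OK: $(cert_subject "$1") fingerprint $got"
        return 0
    fi
    echo "REFUSED: fingerprint $got does not match expected $want" >&2
    return 1
}

# Usage: sh check-aaf-cert.sh <certificate.pem> [expected-fingerprint]
if [ "$#" -ge 1 ]; then
    check_metadata_cert "$1" "${2:-$EXPECTED_FP}"
fi
```

Run it against the freshly downloaded file before copying the certificate into the IdP's credentials directory; a non-zero exit stops the refresh job from installing an unexpected signing key.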

Style and Usability Recommendations

Background

Navigating to a particular Service through a federated environment can be quite a complex and confusing process to an end-user or researcher; however, there are ways for Service Providers to improve the user experience of their Service for a more unified integration. The Research and Education Federations (REFEDs), a membership group of identity federations from around the world, undertook a project to support service providers implementing access management. Named the Discovery Project, it aimed to achieve the most effective way to present federated identity to users, with best practices and examples of how to provide the best experience.

Style and Usability Recommendations

The REFEDs Discovery Project has produced a Best Practice Guide for Service Providers implementing access management, available for use from the REFEDs website: http://discovery.refeds.org/guide/. This Guide is also available as an interactive demonstration via this link: http://discovery.refeds.org/demo/. This Guide explains how to implement federated login in a way which protects your brand, improves user satisfaction, and increases successful logins. The four best practices are displayed below, and available in more detail from the Best Practice Guide.

Not only did the Discovery Project produce a list of best practices, they also produced several examples of practices to avoid:

These bad practices are outlined in more detail on the REFEDS site.

Usage

Service Providers are encouraged to use the recommendations produced by the REFEDs Discovery Project to improve access management for a more consistent and unified approach.

AAF Assurance Framework

The Assurance Framework used within the AAF is the NIST Electronic Authentication Guideline – NIST SP 800-63-2. The NIST guideline forms the basis of many assurance frameworks used internationally and was selected with a view to being interoperable with other federations.

Within the AAF, assurance is separated into two concepts. Two values are asserted in the eduPersonAssurance attribute, one for each of these concepts.

Identity Assurance: the strength of the processes used to identify the user at the time of user registration. This is indicated by a value asserted in the eduPersonAssurance attribute of the format urn:mace:aaf.edu.au:iap:id:[level], where level is a value from 1 to 2.

Token and Credential Management Assurance: the strength of the token used and the strength of the processes used to manage tokens and credentials. This is indicated by a value asserted in the eduPersonAssurance attribute of the format urn:mace:aaf.edu.au:iap:authn:[level], where level is a value from 0 to 2.

Together, these two values make up the Level of Assurance (LoA) associated with a user's authentication.
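A Service Provider that makes decisions on the LoA should parse both components rather than string-match one of them. As an added example (not AAF code), the following POSIX shell function splits a received eduPersonAssurance attribute into its AAF identity and authentication components and checks each against the ranges stated above, rejecting missing, duplicate, unknown or out-of-range values. It assumes the multi-valued attribute arrives as one string with values joined by `;`, which is how the Shibboleth SP exports multi-valued attributes to applications; the sample value is constructed. How an SP maps the resulting pair to an access decision is its own policy, so the function only reports the two levels.

```shell
#!/bin/sh
# Added example, not AAF code. Parse a received eduPersonAssurance attribute
# into its AAF identity (id) and authentication (authn) components and check
# each against the ranges stated in the AAF Assurance Framework:
#   urn:mace:aaf.edu.au:iap:id:[level]     level 1 to 2
#   urn:mace:aaf.edu.au:iap:authn:[level]  level 0 to 2
# Assumes the multi-valued attribute arrives as one string with values joined
# by ';' (the Shibboleth SP convention). Prints "id=<n> authn=<n>" and returns 0
# only when exactly one value of each kind is present and in range.
aaf_assurance_levels() {
    id=""; authn=""; status=0
    old_ifs=$IFS; IFS=';'
    set -f                       # no pathname expansion while splitting on ';'
    for v in $1; do
        case "$v" in
            urn:mace:aaf.edu.au:iap:id:[12])
                if [ -n "$id" ]; then echo "duplicate id value: $v" >&2; status=1; fi
                id=${v##*:} ;;
            urn:mace:aaf.edu.au:iap:authn:[012])
                if [ -n "$authn" ]; then echo "duplicate authn value: $v" >&2; status=1; fi
                authn=${v##*:} ;;
            *)
                echo "unrecognised or out-of-range assurance value: $v" >&2; status=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    if [ -z "$id" ] || [ -z "$authn" ]; then
        echo "eduPersonAssurance must carry one id value and one authn value" >&2
        status=1
    fi
    [ "$status" -eq 0 ] || return 1
    echo "id=$id authn=$authn"
}

# Constructed sample: identity level 1 and authentication level 1.
SAMPLE="urn:mace:aaf.edu.au:iap:id:1;urn:mace:aaf.edu.au:iap:authn:1"

# Usage: sh assurance.sh "<eduPersonAssurance value>"; with no argument the
# constructed sample is parsed and "id=1 authn=1" is printed.
if [ "$#" -ge 1 ]; then
    aaf_assurance_levels "$1"
else
    aaf_assurance_levels "$SAMPLE"
fi
```

Because the function fails closed on anything it does not recognise, an attribute that carries only one of the two URNs, or a level outside the documented ranges, is reported as an error rather than silently treated as LoA 1.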

Note that additional information about the particular authentication instance may be obtained from the value of AuthnContext asserted as part of the SAML transaction.

This AAF Assurance Framework is for Level of Assurance (LoA) 1 and LoA 2. Over time the AAF may amend this Framework to include other assurance levels.

For more information about the AAF Assurance Framework and moving to LoA1 or LoA2 please visit the knowledge base.

Recommendations on the use of personal information

Within the framework of the Australian Access Federation, identity providers pass information about individual end users to service providers in the form of attribute assertions. The service provider uses the attributes for authorisation and for providing a better service to the end user.

The policies and technologies behind the AAF are intended to protect user privacy while making it easier for users to access resources. However, because AAF Subscribers are handling information about individuals, there is also a potential risk to individual privacy if the information is not handled correctly. These recommendations are intended to help AAF Subscribers have a better understanding of handling personal information within the context of the federation.

Authoritative Sources of Information

Information privacy in Australia is regulated by the Privacy Act 1988. The Act includes a set of Information Privacy Principles that apply to government agencies, and a set of National Privacy Principles that apply to other types of organisations. (Law reform currently in progress may integrate these two sets of principles into one set of Australian Privacy Principles.) All AAF Subscribers are strongly encouraged to become familiar with the Guidelines to the Australian Privacy Principles. These are available on the website for the Office of the Australian Information Commissioner.

Many States also have their own privacy legislation.

For more information, see the Recommendations on the Use of Personal Information.

AAF Core Attributes

The following is the list of core attributes used within the AAF. AAF Identity Providers need to collect or generate the core attributes regarding their end users. When an end user tries to access a service via the federation, the Service Provider may request some or all of these attributes about the end user from the Identity Provider. With end user permission, the Identity Provider may release the attributes to the Service Provider.

The attributes are used by the Service Provider to make authorisation decisions and to manage the user’s experience with the service. Service Providers should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of AAF Subscribers.

| Attribute | Example Value | Description |
|---|---|---|
| auEduPersonSharedToken | ZsiAvfxa0BXULgcz7QXknbGtfxk | A unique identifier enabling federation-spanning services such as Grid and Repositories. |
| displayName | Jack Liam Dougherty | Preferred name of a person to be used when displaying entries. |
| eduPersonAffiliation | faculty | Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonEntitlement | urn:mace:washington.edu:confocalMicroscope, http://www.sirca.org.au/contract/GL123 | URI (either URN or URL) that indicates a set of rights to specific resources. |
| eduPersonScopedAffiliation | faculty@uq.edu.au | Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonTargetedID | https://idp.arcs.org.au/idp/shibboleth! https://manager.aaf.edu.au/shibboleth! cmWc3mKualJlxjAwfFdu2mVgRxw= | A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances. |
| AuthenticationMethod | urn:mace:aaf.edu.au:iap:authn:1 | Set of URIs that assert compliance with specific standards for authentication method. |
| eduPersonAssurance | urn:mace:aaf.edu.au:iap:id:1 | Set of URIs that assert compliance with specific standards for identity assurance. |
| cn | Jack Dougherty | User's first name then surname. |
| o (or organizationName) | The University of Queensland | Standard name of the top-level organization (institution) with which this person is associated. |
| mail | j.dougherty@uq.edu.au | Email address, single value. User's preferred outward-facing email address with regard to the organisation. |

[List of Core Attributes as documented in Appendix 1 of the Federation Rules for Participants]

We also recommend that you implement the following attributes, which are not currently in the Core list. They can assist in interacting with some federation services.

| Attribute | Example Value | Description |
|---|---|---|
| schacHomeOrganization | uq.edu.au | Specifies a person's home organization using the domain name of the organization. |
| schacHomeOrganizationType | University | Specifies the type of a person's home organization. |
| givenName | Sally | A person's first name or preferred name. |
| sn (surname) | Jones | A person's surname. |

Detailed information about these attributes can be found in the auEduPerson Definition and Attribute Vocabulary.

Many other attributes are listed in this document in addition to the AAF core attributes. Together they form a standard attribute vocabulary for the sector, and federation subscribers may find it useful to explore additional user attributes; however, AAF Identity Providers are only required to support those attributes in the core list.

The LDAP schema definitions (LDIFs) needed to extend your directory can be found at the following links:

Further information about the responsibilities of AAF subscribers in managing user attributes can be found in the Federation Rules.

Registrations in the urn:mace:aaf.edu.au namespace

MACE has delegated responsibility for the urn:mace:aaf.edu.au namespace to the Australian Access Federation.

The Internet2/MACE Uniform Resource Name (URN) registry, RFC 3613, defines the "urn:mace" namespace and describes the procedures and policies governing its use.

Namespaces administered by Australian Access Federation:

| Namespace | Org | Contact | Date registered | Description |
|---|---|---|---|---|
| urn:mace:aaf.edu.au | AAF | Terry Smith | 2007-10-10 | |
| urn:mace:aaf.edu.au:iap:id:1 | AAF | Terry Smith | 2012-01-01 | Level 1 of Identity Assurance |
| urn:mace:aaf.edu.au:iap:id:2 | AAF | Terry Smith | 2012-01-01 | Level 2 of Identity Assurance |
| urn:mace:aaf.edu.au:iap:authn:1 | AAF | Terry Smith | 2012-01-01 | Level 1 of Authentication Assurance |
| urn:mace:aaf.edu.au:iap:authn:2 | AAF | Terry Smith | 2012-01-01 | Level 2 of Authentication Assurance |
| urn:mace:aaf.edu.au:shibboleth:attribute-def:exlibrisid | AAF | Terry Smith | 2015-10-14 | Attribute name for the primary identifier used in Patron Directory Services for ExLibris products |