
Services provided by Proxy IdP

A filter for WAYF/DS (Where Are You From/Discovery Service)

An SP can influence which identity providers are listed on the Proxy IdP's WAYF. The Proxy's WAYF is based on the CESNET WAYF (https://www.eduid.cz/cs/tech/wayf), so the filter is built with the filter configurator at https://ds.eduid.cz/filter.php. The generated value is then passed to the Proxy as the attribute filter. For longer filters we recommend saving the value to a file and passing a link to that file as the attribute efilter. More information about filters is available at https://www.eduid.cz/cs/tech/wayf/sp (in the section about the Filter Generator).

How to deliver a filter to Proxy IdP

Via the AuthnContextClassRef attribute in the SAML 2 protocol

The SP sets the AuthnContextClassRef attribute to one of the following values:

  • for a filter: urn:cesnet:proxyidp:filter:[the value of your generated filter]
  • for an efilter: urn:cesnet:proxyidp:efilter:[link to the file containing the filter]

If both values are supplied at the same time, the efilter is used. Example Shibboleth SP configuration in shibboleth2.xml:

<!-- eduID.cz, eduGAIN, Social  -->
<SessionInitiator entityID="https://login.cesnet.cz/idp/" type="SAML2" template="bindingTemplate.html" Location="/allfed" id="allfed" relayState="cookie" authnContextClassRef="urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt" />

Example Shibboleth SP setting in the Apache web server configuration:

<Location abc>
  ...
  ShibRequestSetting authnContextClassRef urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt
  ...
</Location>

Manual configuration of the SP on the Proxy side

A filter can also be configured directly on the Proxy, but the change must be made by an administrator. In that case, send a request to login@cesnet.cz containing the identifier of your service and the filter value, or the link to the file containing the filter.

The Proxy does not check whether the filter value it receives is correct, so verify the generated value yourself before deploying it.

If none of the options above is used, the defaultFilter is applied (it includes the federations eduID.cz, eduGAIN, Social and StandaloneIdP).

Access to a particular IdP without the WAYF (SAML)

Direct access to a particular IdP can be requested via the AuthnContextClassRef attribute in the SAML protocol, using the value urn:cesnet:proxyidp:idpentityid:[entityID of the IdP].
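The three AuthnContextClassRef conventions described above (filter, efilter and idpentityid) and the rule that efilter wins over filter, as an added example in Python that is not CESNET's code: it builds a SAML 2.0 AuthnRequest carrying such a value, reads the values back as the Proxy would see them, and decides which WAYF behaviour applies. The SP entityID and ACS URL are constructed sample values; the https check on the efilter link and the priority given to idpentityid when it appears alongside a filter are this example's own assumptions, not documented Proxy behaviour.

```python
# Added example (not CESNET's code): build a SAML 2.0 AuthnRequest that carries
# a Proxy IdP AuthnContextClassRef value, extract the values again on the
# receiving side, and apply the precedence rule stated on the page.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PREFIX = "urn:cesnet:proxyidp:"
PROXY_IDP = "https://login.cesnet.cz/idp/"   # entityID from the shibboleth2.xml example above
DEFAULT_FILTER = "defaultFilter"              # name the page uses for the fallback filter


def filter_ref(filter_value):
    """urn:cesnet:proxyidp:filter:<value produced by the Filter Generator>"""
    if not filter_value:
        raise ValueError("empty filter value")
    return PREFIX + "filter:" + filter_value


def efilter_ref(url):
    """urn:cesnet:proxyidp:efilter:<URL of a file containing the filter>.
    The Proxy does not check the value, so requiring an absolute https URL
    here is an SP-side precaution added by this example (assumption)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("efilter must be an absolute https URL: %r" % url)
    return PREFIX + "efilter:" + url


def idp_ref(entity_id):
    """urn:cesnet:proxyidp:idpentityid:<entityID of the IdP>, bypasses the WAYF."""
    if not entity_id:
        raise ValueError("empty IdP entityID")
    return PREFIX + "idpentityid:" + entity_id


def build_authn_request(sp_entity_id, acs_url, class_refs, destination=PROXY_IDP):
    """Serialize an AuthnRequest whose RequestedAuthnContext lists class_refs."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
    for ref in class_refs:
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = ref
    return ET.tostring(req, encoding="unicode")


def class_refs_from_request(xml_text):
    """What the Proxy sees: every AuthnContextClassRef in the request, in document order."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("{%s}AuthnContextClassRef" % SAML) if el.text]


def resolve_wayf_target(class_refs):
    """Apply the rule on the page: efilter wins over filter; with neither, the
    defaultFilter is used. A direct idpentityid reference skips the WAYF; the
    page does not say how it combines with a filter, so giving it priority is
    this example's assumption. Returns (mode, value)."""
    found = {}
    for ref in class_refs:
        if not ref.startswith(PREFIX):
            continue                      # an ordinary SAML class ref, not a Proxy instruction
        kind, _, value = ref[len(PREFIX):].partition(":")
        if kind in ("filter", "efilter", "idpentityid") and value:
            found.setdefault(kind, value)  # first occurrence of each kind wins
    if "idpentityid" in found:
        return ("idp", found["idpentityid"])
    if "efilter" in found:
        return ("efilter", found["efilter"])
    if "filter" in found:
        return ("filter", found["filter"])
    return ("default", DEFAULT_FILTER)


if __name__ == "__main__":
    # Constructed SP values; the efilter URL is the one from the shibboleth2.xml example.
    xml = build_authn_request(
        "https://sp.example.org/shibboleth",
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",
        [efilter_ref("https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt")],
    )
    print(resolve_wayf_target(class_refs_from_request(xml)))
```

Running the module prints ('efilter', 'https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt'); the resolver treats a request with no urn:cesnet:proxyidp: value at all, including one that carries only standard SAML class references, as the defaultFilter case.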

Manual setting of eduPersonScopedAffiliation

Organizations that are not members of eduID.cz but need to open services to their users, where the service requires verification of the user's relationship to the organization, can use the manual confirmation of a user's affiliation with the organization. The organization designates responsible persons who can check whether a person requesting confirmation has a formal relationship with the organization. The responsible person gets access to the Perun system, where they see the users' requests and can approve or reject them. Users can then request the confirmation using their social identity. This raises the level of trust in an otherwise anonymous identity.

The manual for using the service is at (to be added).

Last modified: 2020/11/24 14:58