Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. eduGAIN Connectivity Check 2
  2. Check performed on the IdPs
  3. eduGAIN Connectivity Check 2
  4. Disable Checks
  5. On-line Interfaceinterface

Introduction

The purpose of the eduGAIN Connectivity Check 2 is to identify eduGAIN Identity Providers (IdP) that are not properly configured. In particular it checks if an IdP properly loads and consumes SAML2 metadata which contains the eduGAIN Service Providers (SP). The check results are published on the public eduGAIN Connectivity Check 2 web page (https://technical-test.edugain.org/eccs2/). The main purpose is to increase the service overall quality and user experience of the eduGAIN interfederation service by making federation and Identity Provider operators aware of configuration problems.

...

If this page does not answer to your questions or you need some more information about this service, please contact us on support@edugain.org.

Check performed on the IdPs

The check executed by the service follows these steps:

  1. It retrieves the eduGAIN IdPs from eduGAIN Operator Team database via a JSON interface.
  2. For each IdP that it was not manually disabled by the eduGAIN Operations Team, the check creates a Wayfless URL for each SP involved and retrieves the IdP login page. It expects to find the HTML form with a username and password field. Therefore, no complete login will happen at the Identity Provider because the check stops at the login page. The SPs used for the check are "SP Demo" (https://sp-demo.idem.garr.it/shibboleth) from IDEM GARR AAI and the "AAI Viewer Interfederation Test" (https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth) from SWITCHaai. These SPs might change in the future if needed. The SAML authenticatin request is not signed. Therefore, authentication request for any eduGAIN SP could be created because the SP's private key is not needed.

Limitations

There are some situations where the check cannot work reliably. In those cases it is possible to disable the check for a particular IdP. The so far known cases where the check might generate a false negative are:

  • IdP does not support HTTP or HTTPS with at least SSLv3 or TLS1 or newer (these IdPs are insecure anyway)
  • IdP is part of a Hub & Spoke federation (some of them manually have to first approve eduGAIN SPs)
  • IdP does not use web-based login form (e.g. HTTP Basic Authentication or X.509 login)

Disable Checks

In cases where an IdP cannot be reliably checked, it is necessary to create or enrich the robots.txt file on the IdP's web root with:

User-agent: ECCS
Disallow: /

On-line interface