        Application systems serving teaching and research should submit a CARSI membership application online at https://www.carsi.edu.cn/reg and choose to become an "SP member".

...

Preparation before technical debugging:

        1. Contact two universities whose IdP service is already live on CARSI to act as referrers for your application service provider; CARSI needs confirmation from these two IdP members before approving your membership. Make sure you have completed Steps 1 to 7 of CARSI SP申请和接入流程 (CARSI SP joining process).

        2. Read the documents at https://www.carsi.edu.cn/join_zh.htm (Chinese) or https://www.carsi.edu.cn/join_en.htm (English) carefully, together with CARSI基本调试要求 (CARSI Basic Debugging Requirements).

        3. Prepare an introduction to your company and its SP products based on the template SP提供商公司及产品介绍模板 (SP Introduction Template).

        See CARSI联盟加入流程 (CARSI joining process) for the complete application procedure.

After the online application form is submitted:

        Print the automatically generated PDF, sign and seal it, and mail the hard copy to the specified CARSI address; then wait for approval of your membership.

Technical debugging with CARSI:

...

        Once membership is approved, log in to the CARSI会员自服务系统 (CARSI Online Helpdesk). The username is the organization domain entered on the application form and the default password is the mobile number of the project manager entered on the form; change the password immediately after the first login.


        Under 我的CARSI -> SP管理 (My CARSI -> SP Management), choose 添加SP (Add SP), follow the prompts to add the SP, and upload its metadata file.

...

# Install through the yum repository
[root@www ~]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo -P /etc/yum.repos.d
[root@www ~]# yum install shibboleth
[root@www ~]# systemctl start shibd
[root@www ~]# systemctl enable shibd
[root@www ~]# systemctl restart httpd

# Configure the SP protected resource directory
[root@www ~]# vi /etc/httpd/conf.d/shib.conf
# line 49: /secure is the protected resource directory; change it as needed
<Location /secure>

# Configure the SP entityID
[root@www ~]# vi /etc/shibboleth/shibboleth2.xml

# Replace:
ApplicationDefaults entityID="https://sp.example.org/shibboleth"
# with:
ApplicationDefaults entityID="https://[SP domain]/shibboleth"

# Replace:
<SSO entityID="https://idp.example.org/idp/shibboleth" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
               SAML2
</SSO>
# with:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://dspre.carsi.edu.cn/ds/index.html">
               SAML2
</SSO>

# Add inside the <ApplicationDefaults> block (/etc/shibboleth/carsifed-metadata-pre.xml is the local backup file into which the downloaded metadata is written)
<MetadataProvider type="XML" url="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
backingFilePath="/etc/shibboleth/carsifed-metadata-pre.xml" legacyOrgNames="true" reloadInterval="600" >
</MetadataProvider>

[root@www ~]# systemctl start shibd
[root@www ~]# systemctl enable shibd
[root@www ~]# systemctl restart httpd

2.

...

        Log in to the CARSI会员自服务系统 (CARSI Online Helpdesk) and, on the 我的CARSI -> 基本信息 (My CARSI -> Basic) page, add your SP introduction document prepared from the template.

...

Authentication test on the pre-production environment

        Visit the CARSI login URL of the SP under test (see IdP4:访问CARSI资源门户 (通过浏览器)) and test the SP in the pre-production environment using the test IdP and test account provided by the federation (send a mail to carsi@pku.edu.cn to obtain them). Depending on the SP's access-control needs, check that the IdP user attributes the SP requires are released correctly.

...

3. Mark the SP service page as a CARSI member (add a CARSI entrance on the SP service page)

        CARSI recommends that member organizations indicate prominently (for example with the CARSI logo) on the SP home page or user login page that they are members of the CARSI identity federation, or provide a separate CARSI login entrance, so that end users can find it easily. See 使用CARSI logo (Using the CARSI logo).

...

4. Trial run of the SP on the CARSI production environment

        Prepare two documents based on the templates 用户访问指南&IdP添加指南模板 (User Visit Guide & IdP Appending Guide templates).

...

        Once all of the above are ready, send a mail to carsi@pku.edu.cn to apply for a trial run of your SP on the CARSI production environment, attaching the two documents. CARSI will check your login process against the User Visit Guide before pushing your SP into the CARSI production environment. Tell us your testing URL if it differs from the production one.

...

5. Switch to the CARSI production environment and test on it

        Receiving the go-live notification email means that the SP metadata has been merged into the CARSI production metadata: https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml. Change the SP's MetadataProvider from synchronizing the pre-production metadata file https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml to synchronizing that file, and change every reference to the pre-production DS (https://dspre.carsi.edu.cn/ds/index.html) to the production DS (https://ds.carsi.edu.cn/ds/index.html).
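The pre-production settings written into shibboleth2.xml during technical debugging and the switch to production described in this step are easy to get half done (the DS URL updated but the MetadataProvider still pulling the pre-production file, or the stock entityID never changed). The script below is an added example, not CARSI's or Shibboleth's own code: it parses a shibboleth2.xml, lists what still needs attention before go-live, and rewrites the pre-production DS and metadata references to the production ones. The sample configuration it carries is constructed from the values on this page. Two assumptions are mine: the Shibboleth SP 3 configuration namespace (urn:mace:shibboleth:3.0:native:sp:config; SP 2 installs use 2.0), and the decision to flag a MetadataProvider without any MetadataFilter, because the configuration on this page has none and therefore trusts the federation metadata on TLS alone; whether CARSI publishes a metadata signing certificate is not stated on this page.

```python
"""Audit a Shibboleth SP shibboleth2.xml for CARSI go-live and switch it to production.

Added example (not CARSI's or Shibboleth's own code). Assumes the Shibboleth
SP 3 configuration namespace; SP 2 uses urn:mace:shibboleth:2.0:native:sp:config.
"""
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:3.0:native:sp:config"
ET.register_namespace("", NS)  # keep the default namespace on output

# Values taken from the page
PRE_DS = "https://dspre.carsi.edu.cn/ds/index.html"
PROD_DS = "https://ds.carsi.edu.cn/ds/index.html"
PRE_METADATA = "https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
PROD_METADATA = "https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml"
DEFAULT_ENTITY_ID = "https://sp.example.org/shibboleth"

# Constructed sample: an SP that followed the pre-production steps on the page
# but never replaced the stock entityID.
SAMPLE_SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions>
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://dspre.carsi.edu.cn/ds/index.html">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" url="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
        backingFilePath="/etc/shibboleth/carsifed-metadata-pre.xml" legacyOrgNames="true" reloadInterval="600">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def _q(tag):
    """Qualify a tag name with the SP configuration namespace."""
    return f"{{{NS}}}{tag}"


def audit_sp_config(xml_text):
    """Return a list of findings that block or weaken a production go-live."""
    root = ET.fromstring(xml_text)
    app = root.find(_q("ApplicationDefaults"))
    if app is None:
        return ["ApplicationDefaults element not found"]
    findings = []
    if app.get("entityID") in (None, DEFAULT_ENTITY_ID):
        findings.append("entityID is missing or still the stock sp.example.org value")
    for sso in app.iter(_q("SSO")):
        if sso.get("discoveryURL") == PRE_DS:
            findings.append("SSO discoveryURL still points at the pre-production DS")
    providers = list(app.iter(_q("MetadataProvider")))
    if not providers:
        findings.append("no MetadataProvider: the SP cannot learn any CARSI IdP")
    for mp in providers:
        if mp.get("url") == PRE_METADATA:
            findings.append("MetadataProvider url still points at the pre-production metadata")
        if mp.find(_q("MetadataFilter")) is None:
            # Assumption (not from the page): metadata with no filter is trusted on TLS alone
            findings.append("MetadataProvider has no MetadataFilter; metadata is trusted on TLS alone")
    return findings


def switch_to_production(xml_text):
    """Rewrite every pre-production DS and metadata reference to the production one."""
    root = ET.fromstring(xml_text)
    for sso in root.iter(_q("SSO")):
        if sso.get("discoveryURL") == PRE_DS:
            sso.set("discoveryURL", PROD_DS)
    for mp in root.iter(_q("MetadataProvider")):
        if mp.get("url") == PRE_METADATA:
            mp.set("url", PROD_METADATA)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit_sp_config(SAMPLE_SP_CONFIG):
        print("before:", line)
    for line in audit_sp_config(switch_to_production(SAMPLE_SP_CONFIG)):
        print("after: ", line)
```

The switch leaves backingFilePath as the page sets it, since the page only asks for the url to change; rename the backup file by hand if you want its name to match the production metadata. After writing the rewritten XML back, restart shibd as in the installation steps and confirm in the shibd log that the production metadata file was loaded.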

...

6. To be completed during the SP trial run:

        During the trial run the SP metadata is present in the production environment, but the service is not yet listed on the SP member list of the CARSI website. The SP administrator can use this period to check that all preparations for officially providing the service are complete, such as switching the resource pages, granting access to the universities, and preparing the user-access documentation for the production environment.

        Enable access for the Peking University production IdP (https://idp.pku.edu.cn/idp/shibboleth); we test with this IdP and its result is decisive. If Peking University is not a customer of your resources, you may disable that access once the test has passed.

        In the CARSI会员自服务系统 (CARSI Online Helpdesk), add entries for your resources (products) under 我的SP资源 (My SP Resources); they are used to show your resources on the CARSI Resource Portal and the CARSI SP member list pages. Include the two documents, the User Visit Guide and the IdP Appending Guide, in docx format so that we can fix minor problems directly.

        Complete the SP go-live re-test together with the PKU CARSI team.

8. Listed on the CARSI website SP member list, officially providing service

        Once all documents and tests have been confirmed, send a mail to carsi@pku.edu.cn to apply for the SP to be officially listed on the CARSI website SP member list. During the SP trial run, follow Step 9 of CARSI SP申请和接入流程 (CARSI SP joining process) to complete the onboarding.

Notes:

        The attributes supported by CARSI federation IdPs are listed at https://www.carsi.edu.cn/docs/attribute_profile_zh.pdf. Compared with a default SP installation, the eduPersonScopedAffiliation attribute carries one additional value, other@scope, which an SP can use to support special arrangements with an IdP. Adjust the /etc/shibboleth/attribute-policy.xml configuration file as needed so that this value is accepted, for example:

...
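A stock SP attribute policy filters eduPersonScopedAffiliation against a fixed affiliation vocabulary, so an IdP releasing other@scope has its value silently dropped unless the policy is extended. The script below is an added example, not CARSI's or Shibboleth's own code: it reports which affiliation strings a policy currently permits and adds "other" to that vocabulary if it is missing. My assumption is that the policy follows the layout of the stock SP 3 attribute-policy.xml, where the vocabulary is a PermitValueRule with id="eduPersonAffiliationValues" that the scoped-affiliation rule references; the scope check itself is left untouched. The sample policy embedded in the script is constructed in that shape.

```python
"""Permit the CARSI eduPersonScopedAffiliation value other@scope in attribute-policy.xml.

Added example, not CARSI's or Shibboleth's own code. Assumption: the policy
follows the stock SP 3 layout, with the affiliation vocabulary in a
PermitValueRule id="eduPersonAffiliationValues" that the scoped-affiliation
rule references; the scope part of the check is not modified here.
"""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("afp", AFP)
ET.register_namespace("xsi", XSI)
AFFILIATION_RULE_ID = "eduPersonAffiliationValues"

# Constructed fragment in the shape of the stock file, before any CARSI change
SAMPLE_POLICY = """<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
    <Rule xsi:type="AttributeValueString" value="member"/>
  </afp:PermitValueRule>
</afp:AttributeFilterPolicyGroup>
"""


def _affiliation_rule(root, rule_id=AFFILIATION_RULE_ID):
    """Locate the shared affiliation vocabulary rule by its id."""
    for rule in root.iter(f"{{{AFP}}}PermitValueRule"):
        if rule.get("id") == rule_id:
            return rule
    return None


def permitted_affiliations(policy_xml):
    """Set of affiliation strings the policy currently lets through."""
    rule = _affiliation_rule(ET.fromstring(policy_xml))
    if rule is None:
        return set()
    return {r.get("value") for r in rule.iter(f"{{{AFP}}}Rule")
            if r.get(f"{{{XSI}}}type") == "AttributeValueString"}


def permit_affiliation(policy_xml, value="other"):
    """Return the policy with `value` added to the vocabulary; a no-op if already present."""
    root = ET.fromstring(policy_xml)
    rule = _affiliation_rule(root)
    if rule is None:
        raise ValueError(f"PermitValueRule id={AFFILIATION_RULE_ID!r} not found")
    if value not in permitted_affiliations(policy_xml):
        new = ET.SubElement(rule, f"{{{AFP}}}Rule")
        new.set(f"{{{XSI}}}type", "AttributeValueString")
        new.set("value", value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(sorted(permitted_affiliations(SAMPLE_POLICY)))
    print(sorted(permitted_affiliations(permit_affiliation(SAMPLE_POLICY))))
```

ElementTree re-serializes the file with explicit afp: prefixes and drops XML comments, so on a real server it is simpler to apply the equivalent one-line edit by hand, adding a Rule with value="other" next to the existing affiliation values, and then check the result with shibd -t before restarting shibd. Keep the vocabulary as narrow as your access-control decisions need: every value admitted here becomes a value an application may act on.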