1. Joining CARSI for eduGAIN SP
Preparation before technical debugging:
1. Please ensure that you have completed the first seven steps (Steps 1 to 7) of the CARSI SP joining process.
2. Please read the CARSI Basic Debugging Requirements carefully.
3. Make sure the SP has already joined eduGAIN; this can be checked at https://technical.edugain.org/entities.
Technical debugging with CARSI:
1. Submit the SP configuration information to the CARSI federation (add SP info into CARSI)
Once the membership is approved, log in to the CARSI member self-service system (CARSI Online Helpdesk).
On the MyCarsi -> SP Mgmt (SAML) page, select Add SP and follow the prompts to add your SP (key parameter: SP EntityID; please confirm it with your organization's technical staff beforehand).
2. Trial run your SP on the CARSI production environment
Please set the MetadataProvider of your SP to https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml, which is the URL of the metadata file for the CARSI online environment. The URL of the CARSI online DS is https://ds.carsi.edu.cn/ds/index.html.
Referring to the templates (User Visit Guide & IdP Appending Guide templates), prepare two documents: a User Visit Guide and an IdP Appending Guide. While preparing the User Visit Guide, you may find that the browser cannot redirect correctly to CARSI member universities, because we have not yet switched this SP to the CARSI production environment. This does not matter: you can select a university from another federation to complete the document for now, and finalize it before the SP officially goes online (Step 4 below).
Once these are ready, send an email to carsi@pku.edu.cn to apply for a trial run of your SP on the CARSI production environment, and attach the two documents above. We will verify the login process against the documents you provide and, once it is confirmed to be correct, put the SP into trial run.
3. To be completed during the SP trial run:
During the SP trial run, please follow Step 9 of the CARSI SP joining process to complete the integration.
Notice:
For the attributes that CARSI federation IdPs can release, see https://www.carsi.edu.cn/docs/attribute_profile_zh.pdf. Note that for the eduPersonScopedAffiliation attribute, CARSI adds one value, other@scope, beyond those accepted by a default SP installation. An SP can use this value to support special arrangements with an IdP; adjust the /etc/shibboleth/attribute-policy.xml configuration file as needed to accept it, for example:
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
    <Rule xsi:type="AttributeValueString" value="alum"/>
    <Rule xsi:type="AttributeValueString" value="member"/>
    <Rule xsi:type="AttributeValueString" value="affiliate"/>
    <Rule xsi:type="AttributeValueString" value="employee"/>
    <Rule xsi:type="AttributeValueString" value="other"/>
</afp:PermitValueRule>
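An added example (not part of the original CARSI page and not Shibboleth code): a Python check that reads a PermitValueRule like the one above and reports which eduPersonScopedAffiliation values an SP would keep or drop. The sample policy wrapper, its namespace URIs, the example.edu.cn scope and the function names are constructed for illustration; validation of the scope against IdP metadata is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the page's PermitValueRule inside a
# minimal root element. The namespace URIs are placeholders; elements are
# matched by local name, so the real file's namespaces do not matter here.
SAMPLE_POLICY = """\
<afp:AttributeFilterPolicyGroup xmlns="urn:example:basic"
    xmlns:afp="urn:example:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
    <Rule xsi:type="AttributeValueString" value="other"/>
  </afp:PermitValueRule>
</afp:AttributeFilterPolicyGroup>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def permitted_affiliations(policy_xml, rule_id="eduPersonAffiliationValues"):
    """Return the set of values listed under the PermitValueRule with rule_id."""
    root = ET.fromstring(policy_xml)
    for el in root.iter():
        if local(el.tag) == "PermitValueRule" and el.get("id") == rule_id:
            return {r.get("value") for r in el
                    if local(r.tag) == "Rule" and r.get("value")}
    raise LookupError(f"no PermitValueRule with id={rule_id!r}")

def filter_scoped(values, permitted):
    """Split value@scope strings into (kept, dropped) by their left-hand part.
    Unscoped or empty-scope values are dropped."""
    kept, dropped = [], []
    for v in values:
        left, sep, scope = v.partition("@")
        (kept if sep and scope and left in permitted else dropped).append(v)
    return kept, dropped

if __name__ == "__main__":
    permitted = permitted_affiliations(SAMPLE_POLICY)
    # Constructed attribute values as an IdP might release them.
    incoming = ["student@example.edu.cn", "other@example.edu.cn",
                "guest@example.edu.cn"]
    kept, dropped = filter_scoped(incoming, permitted)
    print("kept:", kept)
    print("dropped:", dropped)
```

To audit a deployed SP, pass the contents of /etc/shibboleth/attribute-policy.xml to `permitted_affiliations` and confirm that `other` is in the returned set.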
Copyright © Peking University Computer Center