2. Joining CARSI with a self-hosted Shibboleth SP

        Application systems serving education and research apply for CARSI membership online at https://www.carsi.edu.cn/reg and select the "SP member" category.

Preparations before submitting the online application:

        1. Contact two universities whose IdP services are already live on CARSI to act as referrers for your SP. CARSI needs confirmation from these two IdP members before it approves your membership.

        2. Read the documents at https://www.carsi.edu.cn/join_zh.htm (Chinese) or https://www.carsi.edu.cn/join_en.htm (English) carefully.

        3. Prepare an introduction to your company and its SP products, following the template SP提供商公司及产品介绍模板 (SP Introduction Template).

        See CARSI联盟加入流程 (the CARSI joining process) for the complete application procedure.

After the online application has been submitted:

        Print the automatically generated PDF, sign and seal it, mail the hard copy to the CARSI team at the designated address, then wait for membership approval.

Technical setup and testing with CARSI:

1. Register the SP's configuration with CARSI

        Once the membership is approved, log in to CARSI会员自服务系统 (CARSI Online Helpdesk). The username is the organization domain entered on the application form and the default password is the project manager's mobile number from the form; change the password after the first login.

        On the MyCarsi -> SP Mgmt (SAML) page, click Add SP and follow the prompts to add the SP and upload its metadata file.

        Once added, the SP is merged into the CARSI pre-production metadata aggregate: https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml

        Configure the SP's local MetadataProvider to load this aggregate, for example:

        a. Point the SSO discoveryURL at the CARSI SAMLDS service (pre-production):

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://dspre.carsi.edu.cn/ds/index.html">
               SAML2
</SSO>

        b. Add the CARSI pre-production metadata to the MetadataProvider:

<MetadataProvider type="XML" url="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
    backingFilePath="/etc/shibboleth/carsifed-metadata-pre.xml" legacyOrgNames="true" reloadInterval="600">
</MetadataProvider>

        The following is the environment setup for a newly installed SP, for reference only:

# Install from the yum repository
[root@www ~]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo -P /etc/yum.repos.d
[root@www ~]# yum install shibboleth
[root@www ~]# systemctl start shibd
[root@www ~]# systemctl enable shibd
[root@www ~]# systemctl restart httpd

# Configure the SP's protected resource directory
[root@www ~]# vi /etc/httpd/conf.d/shib.conf
# line 49: /secure is the protected directory; change it to suit your needs
<Location /secure>

# Configure the SP entityID
[root@www ~]# vi /etc/shibboleth/shibboleth2.xml

# Replace:
ApplicationDefaults entityID="https://sp.example.org/shibboleth"
# with:
ApplicationDefaults entityID="https://[SP domain]/shibboleth"

# Replace:
<SSO entityID="https://idp.example.org/idp/shibboleth" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
               SAML2
</SSO>
# with:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://dspre.carsi.edu.cn/ds/index.html">
               SAML2
</SSO>

# Add the following inside the <ApplicationDefaults> block
# (/etc/shibboleth/carsifed-metadata-pre.xml is the backup copy of the metadata that shibd will write)

<MetadataProvider type="XML" url="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
    backingFilePath="/etc/shibboleth/carsifed-metadata-pre.xml" legacyOrgNames="true" reloadInterval="600">
</MetadataProvider>

[root@www ~]# systemctl start shibd  
[root@www ~]# systemctl enable shibd
[root@www ~]# systemctl restart httpd
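A practitioner's first question after steps a and b (and after the install above) is whether the aggregate shibd cached at backingFilePath actually contains the SP and is still fresh. The script below is an added example, not part of the CARSI documentation: it reads a metadata aggregate, checks that the configured entityID is present with an SPSSODescriptor, that the aggregate's validUntil has not passed, and counts the IdPs it offers. The two-entity aggregate it ships with is constructed. Note also that the MetadataProvider snippet above fetches the aggregate over HTTPS but declares no MetadataFilter; the Shibboleth SP can enforce a signature (`<MetadataFilter type="Signature" certificate="..."/>`) and a validity bound (`<MetadataFilter type="RequireValidUntil" maxValidityInterval="..."/>`) when the federation publishes a signing certificate, which this page does not state for CARSI.

```python
"""Check a cached CARSI metadata aggregate for a given SP (added example; the
CARSI documentation does not ship this script).

shibd writes the fetched aggregate to backingFilePath
(/etc/shibboleth/carsifed-metadata-pre.xml in the configuration above). This
reads such a file and reports whether the SP's entityID is present with an
SPSSODescriptor, whether the aggregate is still inside its validUntil window,
and how many IdPs it contains. The sample aggregate below is constructed.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def sample_metadata(valid_days: int = 7) -> bytes:
    """Constructed two-entity aggregate whose validUntil is `valid_days` from now."""
    until = (datetime.now(timezone.utc) + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:example:carsi-sample" validUntil="{until}">
  <EntityDescriptor entityID="https://idp.example-univ.edu.cn/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example-vendor.com/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
""".encode()


def parse_saml_datetime(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z and optional fractional seconds."""
    value = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_metadata(xml_bytes: bytes, sp_entity_id: str, now: Optional[datetime] = None) -> dict:
    """Report presence of the SP, freshness of the aggregate and the number of IdPs."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    result = {"sp_present": False, "sp_role_ok": False, "valid": True, "idp_count": 0, "problems": []}

    valid_until = root.get("validUntil")
    if valid_until is None:
        result["problems"].append("no validUntil on the aggregate: staleness cannot be bounded")
    elif parse_saml_datetime(valid_until) < now:
        result["valid"] = False
        result["problems"].append(f"aggregate expired at {valid_until}")

    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            result["idp_count"] += 1
        if entity.get("entityID") == sp_entity_id:
            result["sp_present"] = True
            result["sp_role_ok"] = entity.find(f"{{{MD_NS}}}SPSSODescriptor") is not None
    if not result["sp_present"]:
        result["problems"].append(
            f"{sp_entity_id} not in aggregate: SP not merged yet, or entityID differs from shibboleth2.xml")
    return result


if __name__ == "__main__":
    # Usage: python check_metadata.py /etc/shibboleth/carsifed-metadata-pre.xml https://<sp-domain>/shibboleth
    # Without arguments the constructed sample aggregate is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else sample_metadata()
    entity = sys.argv[2] if len(sys.argv) > 2 else "https://sp.example-vendor.com/shibboleth"
    print(check_metadata(data, entity))
```

Run it against the backing file a few minutes after shibd has started; an entityID that is absent usually means the value in shibboleth2.xml does not match what was uploaded on the SP Mgmt page, and an expired validUntil means the reload (reloadInterval="600") is not succeeding.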

2. Add your SP organization's introduction document

        Log in to CARSI会员自服务系统 (CARSI Online Helpdesk) and, on the MyCarsi -> Basic page, add the SP organization's introduction document based on the template.

3. Authentication test on the pre-production environment

        Referring to the document IdP4:访问CARSI资源门户 (通过浏览器) (accessing the CARSI resource portal through a browser), use the test IdP and test account provided by the federation to test the SP on the pre-production environment. Depending on the SP's access-control requirements, also verify the user attributes the IdP releases. (Send an email to carsi@pku.edu.cn to obtain the test IdP and account.)

4. Indicate CARSI membership on the SP service page

        CARSI recommends that member SPs mark their CARSI membership prominently (for example with the CARSI logo) on the service home page or login page, or provide a dedicated CARSI login entrance, so that end users can find it easily. See 使用CARSI logo (Using the CARSI logo).

5. Trial run on the CARSI production environment

        Using the templates 用户访问指南&IdP添加指南模板 (User Visit Guide & IdP Appending Guide templates), prepare two documents: a User Visit Guide and an IdP Appending Guide.

        Once they are ready, send an email to carsi@pku.edu.cn to apply for a trial run on the CARSI production environment, attaching the two documents. CARSI will verify the login flow against the User Visit Guide before moving the SP into production. If CARSI login is only available on your test environment, or the test URL differs from the production one, include that URL in the email.

6. Switch to the production environment and test there

        Receiving the go-live notification email means the SP metadata has been merged into the CARSI production metadata aggregate: https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml. Change the SP's MetadataProvider from synchronizing the pre-production file https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml to this one, and change every reference to the pre-production DS (https://dspre.carsi.edu.cn/ds/index.html) to the production DS (https://ds.carsi.edu.cn/ds/index.html).
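The switch in step 6 has a failure mode worth checking for: if the SSO element is moved to the production DS while the MetadataProvider still loads the pre-production aggregate (or the reverse), the DS returns an IdP entityID that the SP cannot find in its own metadata and every login fails. The script below is an added example, not part of the CARSI documentation: it classifies every CARSI URL that shibboleth2.xml references as pre-production or production using the four URLs given on this page, reports mismatches, and performs the substitution from step 6. The half-switched sample configuration it ships with is constructed.

```python
"""Audit shibboleth2.xml for a consistent CARSI environment (added example, not
part of the CARSI documentation).

The discovery service and the metadata aggregate must belong to the same
environment. audit_config() classifies each CARSI URL the file references and
flags any that do not match the expected environment; switch_to_production()
applies the URL substitution described in step 6. The sample configuration
below is constructed (only the elements relevant to the check are present).
"""
import sys
import xml.etree.ElementTree as ET

# URLs exactly as published in the CARSI instructions: pre-production -> production.
PRE_TO_PROD = {
    "https://dspre.carsi.edu.cn/ds/index.html": "https://ds.carsi.edu.cn/ds/index.html",
    "https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml":
        "https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml",
}
PROD_URLS = set(PRE_TO_PROD.values())

# Constructed, half-switched fragment: the DS is already production but the
# MetadataProvider still loads the pre-production aggregate.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example-vendor.com/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.carsi.edu.cn/ds/index.html">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" url="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata-pre.xml"
        backingFilePath="/etc/shibboleth/carsifed-metadata-pre.xml" legacyOrgNames="true" reloadInterval="600">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def classify(url: str) -> str:
    """'pre', 'prod' or 'other' for a URL found in the configuration."""
    if url in PRE_TO_PROD:
        return "pre"
    if url in PROD_URLS:
        return "prod"
    return "other"


def local_name(tag: str) -> str:
    """Strip the namespace so the check works for both the 2.0 and 3.0 config namespaces."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text: str, expected: str) -> dict:
    """Return every CARSI reference with its environment, plus consistency verdicts."""
    root = ET.fromstring(xml_text)
    refs = []
    for el in root.iter():  # document order, nested (chaining) providers included
        name = local_name(el.tag)
        if name == "SSO" and el.get("discoveryURL"):
            url = el.get("discoveryURL")
            refs.append(("SSO discoveryURL", url, classify(url)))
        elif name == "MetadataProvider" and el.get("url"):
            url = el.get("url")
            refs.append(("MetadataProvider url", url, classify(url)))
    envs = {env for _, _, env in refs if env != "other"}
    problems = [f"{where} -> {url} is {env}, expected {expected}"
                for where, url, env in refs if env not in ("other", expected)]
    return {"references": refs, "consistent": len(envs) <= 1,
            "matches_expected": envs == {expected}, "problems": problems}


def switch_to_production(xml_text: str) -> str:
    """Step 6: rewrite every pre-production CARSI URL to its production counterpart."""
    for pre, prod in PRE_TO_PROD.items():
        xml_text = xml_text.replace(pre, prod)
    return xml_text


if __name__ == "__main__":
    # Usage: python audit_carsi_env.py /etc/shibboleth/shibboleth2.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(audit_config(text, "prod"))
```

The substitution only touches the two full URLs, so backingFilePath keeps its name; renaming that file is cosmetic, but whatever path is chosen must be writable by the shibd user. Run the audit once more after `systemctl restart shibd` so that a stale copy of the file is not what was checked.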

7. To complete during the trial run:

        During the trial run the SP metadata is in the production environment, but the service is not yet listed on the SP member list on the CARSI website. Use this period to confirm that the preparations for formally providing the service are complete, such as switching the resource page, granting access to universities, and preparing the user access flow document for the production environment.

        Enable access for the Peking University production IdP (https://idp.pku.edu.cn/idp/shibboleth); CARSI's acceptance test is run through this IdP. If Peking University is not a customer of your resources, the access can be removed after the test passes.

        In CARSI会员自服务系统 (CARSI Online Helpdesk), add your resources under My SP Resources; these entries present your resources (products) on the CARSI Resource Portal and the SP member list pages. Include the two documents, the User Visit Guide and the IdP Appending Guide, in docx format so that the CARSI team can correct minor issues directly.

        Complete the go-live re-test together with the PKU CARSI team.

8. Publication on the CARSI SP member list and formal launch

        Once the documents and tests have all been confirmed, send an email to carsi@pku.edu.cn to apply for the SP to be published on the CARSI website's SP member list; the service is then formally online.

Notice:

        The attributes CARSI IdPs can release are listed at https://www.carsi.edu.cn/docs/attribute_profile_zh.pdf. Compared with a default SP installation, the eduPersonScopedAffiliation attribute has one additional value, other@scope, which an SP can use to support special agreements with an IdP. Adjust /etc/shibboleth/attribute-policy.xml as needed so that this value is accepted, for example:

    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
        <Rule xsi:type="AttributeValueString" value="other"/>
    </afp:PermitValueRule>
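The rule above is only half of what decides whether other@scope reaches the application: in the stock attribute-policy.xml, eduPersonScopedAffiliation is accepted when the affiliation part is in eduPersonAffiliationValues AND the scope part matches a shibmd:Scope that the asserting IdP declares in federation metadata. That second rule is what prevents one federation IdP from asserting other@<another university's domain>. The script below is an added example, not Shibboleth code: it reimplements that two-part decision for a list of constructed sample values against a constructed set of declared scopes (exact and regexp forms, as shibmd:Scope allows).

```python
"""Model of the eduPersonScopedAffiliation decision that the PermitValueRule
above takes part in (added example; not Shibboleth code).

A value passes only if its affiliation part is permitted (the list above, with
CARSI's extra "other") and its scope part matches a scope the asserting IdP
declares in metadata. The declared scopes and sample values are constructed.
"""
import re
from typing import List, Tuple

# Values permitted by the PermitValueRule shown above (exact, case-sensitive
# match, as AttributeValueString without ignoreCase behaves).
PERMITTED_AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                          "affiliate", "employee", "other"}

# Constructed shibmd:Scope declarations for one IdP as (pattern, regexp flag),
# mirroring <shibmd:Scope regexp="false"> and <shibmd:Scope regexp="true">.
EXAMPLE_IDP_SCOPES: List[Tuple[str, bool]] = [
    ("example-univ.edu.cn", False),
    (r"[a-z0-9-]+\.example-univ\.edu\.cn", True),
]

# Constructed attribute values, as they might arrive in one assertion.
SAMPLE_VALUES = [
    "student@example-univ.edu.cn",      # ordinary member, declared scope
    "other@example-univ.edu.cn",        # the CARSI extension, declared scope
    "staff@cs.example-univ.edu.cn",     # sub-domain covered by the regexp scope
    "visitor@example-univ.edu.cn",      # affiliation not in the permitted list
    "other@another-univ.edu.cn",        # scope this IdP does not declare
    "faculty",                          # unscoped: not a valid scoped value
]


def scope_declared(scope: str, declared: List[Tuple[str, bool]]) -> bool:
    """True if the scope equals a literal declaration or fully matches a regexp one."""
    for pattern, is_regex in declared:
        if is_regex:
            if re.fullmatch(pattern, scope):
                return True
        elif scope == pattern:
            return True
    return False


def filter_scoped_affiliation(values: List[str],
                              declared_scopes: List[Tuple[str, bool]]):
    """Split values into accepted ones and (value, reason) pairs that the filter drops."""
    accepted, rejected = [], []
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if not sep or not scope:
            rejected.append((value, "value is not scoped"))
        elif affiliation not in PERMITTED_AFFILIATIONS:
            rejected.append((value, "affiliation not in eduPersonAffiliationValues"))
        elif not scope_declared(scope, declared_scopes):
            rejected.append((value, "scope not declared by the asserting IdP"))
        else:
            accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_scoped_affiliation(SAMPLE_VALUES, EXAMPLE_IDP_SCOPES)
    print("accepted:", ok)
    for value, reason in dropped:
        print("dropped:", value, "-", reason)
```

When other@scope is used to encode a special agreement with one IdP, the application's authorization logic should still key on the scope as well as the affiliation, which is exactly what the metadata-backed scope check makes trustworthy.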