Preparation

  1. Get the following information from the college/district that is responsible for configuring the college IdP and include it in the CIP JIRA ticket for the district/college (found here):
    1. Entity ID of the IdP.
    2. Scope (suffix) the IdP will assert on the EPPN attribute.
    3. MIS Codes served by the district- or college-level IdP.
  2. Get metadata for the school's IdP if it is not already in InCommon. If it is in InCommon metadata, skip step #3 and proceed with step #4.

Metadata Changes

  1. Add the school's metadata to metadata/ccc-metadata-unsigned.xml in the cccnext/saml-ccc Bitbucket repo, in the section marked "College IdP Metadata".
  2. In that same metadata file, add an AssertionConsumerService to the Pilot IdP Proxy "SP side" SP descriptor, e.g.

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/PilotMock" index="0"/>

    Be sure to change the "570" numeric in the example above to match the misCode of the new school or district. Each new entry must increment the index value.
  3. Validate the metadata additions using ./validateMetadata.sh. If the validation passes, commit and push the change to Bitbucket. Build automation will sign the file and push it to the saml.cccmypath.org S3 bucket; within one hour it is downloaded to the Proxy IdP deployments.

Authsources Changes

  1. Add an entry for the new college/district in two places in the authsources.php config file under external-config/pilot/opt/ccc-<env>/config in the cccnext/idp-proxy Bitbucket repo, then git add and commit.
  2. Run aws s3 cp authsources.php s3://ccc-pilot-proxy-simplesaml-config/opt/ccc/config to upload the file that includes the new school. This will again trigger an automated update to the appropriate environment's SSO proxy.
  3. Add a new authsource entry to resources/authsources.json with the appropriate AuthSource alias, IdP entity ID, EPPN scope/suffix, description and MIS code(s) in the cccnext/saml-ccc Bitbucket repo. See example below.
  4. aws s3 cp authsources.json s3://ccc-prod-???

Production Onboarding

  1. Once testing in Pilot has been verified, only Metadata Change #2 (the AssertionConsumerService addition) needs to be made for the Production environment. For this, add the same AssertionConsumerService line as done for Pilot to the Prod IdP Proxy "SP side" SP descriptor.

Once the steps above are complete and the updates have propagated (approximately one hour), testing of the new school with the IdP proxy can commence.
