Preparation

  1. Get the following information from the college/district that is responsible for configuring the metadata for the district/college IDP and include it in the CIP JIRA ticket for the district/college (found here):
  2. Entity ID of the IDP.
  3. Scope (suffix) the IDP will assert on the EPPN attribute.
  4. MIS codes served by the district- or college-level IDP.
  5. Get metadata for the school's IdP if it is not already in InCommon. If it is in InCommon metadata, skip step #3 and proceed with step #4.
  6. If the district/college metadata is in InCommon, go to the InCommon section below.

Metadata Changes

  1. Add the school's metadata to metadata/ccc-metadata-nextgen-unsigned.xml in the cccnext/saml-ccc Bitbucket repo, in the section marked "College IdP Metadata". It should be formatted such that long lines are wrapped.

  2. In that same file, add an AssertionConsumerService, e.g.

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.cipilot.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/PilotMockMIS570" index="0"/>

    to the following SP descriptors: the Pilot and Prod IdP Proxy "SP side" SP descriptor entries. Be sure to change the "570" numeric in the example above to match the misCode of the new school or district. Each new entry should increment the index value.

    Add a new authsource entry to resources/authsources.json with the appropriate AuthSource alias, IDP entity ID, EPPN scope/suffix, description and MIS code(s). See the example below.

  3. Validate the metadata additions using ./validateMetadata.sh nextgen. If the validation passes, add, commit and push the change. Build automation will sign the file and push it to the correct S3 location (the saml.cccmypath.org S3 bucket); within one hour it is downloaded to the Proxy IdP deployments.

  4. Update authsources.php in ccc-<env>-proxy-simplesaml-config/opt/ccc/config to include the new school. This will again trigger an automated update to the appropriate environment's SSO proxy.

  5. Once testing in Pilot has been verified, Step #6 will need to be performed for the Production environment.

Upon completion of the steps above, after propagation of the updates (approximately one hour), testing of the new school with the IdP proxy can commence.

authsources.json example

[
  {
    "authSource": "idp.collegea.edu",
    "eppnSuffix": "idp.collegea.edu",
    "description": "College A IDP",
    "idpEntityId": "https://idp.collegea.edu/idp/shibboleth",
    "misCodes": [
      "311",
      "312",
      "313"
    ]
  },
  {
    "authSource": "CIMock",
    "eppnSuffix": "democollege.edu",
    "description": "Uni College IDP",
    "idpEntityId": "https://ci-idp.ccctcportal.org:8443/idp/shibboleth",
    "misCodes": [
      "ZZ1"
    ]
  }
]
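As an added consistency check, not part of the original runbook or the saml-ccc repo: a small Python linter that applies the two rules from the steps above to an SP descriptor fragment and an authsources JSON document. It verifies that the misCode in each ACS Location tail has a unique index value and that every misCode in authsources has exactly one owning authSource and a matching ACS entry. The SP descriptor fragment and the authsources entries below are constructed sample inputs, not the real files.

```python
import json, re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS = "https://sso.cipilot.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/PilotMockMIS"
# The misCode is the tail of the ACS Location path (...PilotMockMIS570 -> "570").
ACS_RE = re.compile(r"/saml2-acs\.php/PilotMockMIS(?P<mis>[A-Za-z0-9]+)$")

# Constructed sample inputs, not the real saml-ccc files: index 1 is reused,
# misCode 313 has no ACS entry and misCode 312 is claimed by two authsources.
SAMPLE_SP_XML = f"""<md:SPSSODescriptor xmlns:md="{MD}">
  <md:AssertionConsumerService Binding="{POST}" Location="{ACS}570" index="0"/>
  <md:AssertionConsumerService Binding="{POST}" Location="{ACS}311" index="1"/>
  <md:AssertionConsumerService Binding="{POST}" Location="{ACS}312" index="1"/>
</md:SPSSODescriptor>"""
SAMPLE_AUTHSOURCES = json.dumps([
    {"authSource": "idp.collegea.edu", "eppnSuffix": "idp.collegea.edu",
     "description": "College A IDP", "misCodes": ["311", "312", "313"],
     "idpEntityId": "https://idp.collegea.edu/idp/shibboleth"},
    {"authSource": "CIMock", "eppnSuffix": "democollege.edu", "description": "Mock IDP",
     "idpEntityId": "https://ci-idp.example.invalid/idp/shibboleth", "misCodes": ["312"]},
])

def acs_by_miscode(sp_xml: str) -> dict:
    """Map each misCode named in an HTTP-POST ACS Location to its index value(s)."""
    found = defaultdict(list)
    for acs in ET.fromstring(sp_xml).iter(f"{{{MD}}}AssertionConsumerService"):
        m = ACS_RE.search(acs.get("Location", ""))
        if acs.get("Binding") == POST and m:
            found[m.group("mis")].append(int(acs.get("index")))
    return dict(found)

def lint(sp_xml: str, authsources_json: str) -> list:
    """Return the inconsistencies between the SP descriptor and the authsources JSON."""
    problems, acs = [], acs_by_miscode(sp_xml)
    for idx, n in sorted(Counter(i for v in acs.values() for i in v).items()):
        if n > 1:
            problems.append(f"ACS index {idx} used {n} times; each new entry must increment the index")
    owners = defaultdict(list)  # misCode -> authSource aliases that claim it
    for entry in json.loads(authsources_json):
        for mis in entry["misCodes"]:
            owners[mis].append(entry["authSource"])
    for mis, aliases in sorted(owners.items()):
        if len(aliases) > 1:
            problems.append(f"misCode {mis} is mapped to several authSources: {aliases}")
        if mis not in acs:
            problems.append(f"misCode {mis} has no HTTP-POST AssertionConsumerService")
    return problems
```

Run `lint()` over the real unsigned metadata file and authsources JSON before committing; an empty list means the ACS entries and authsources agree.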


Authsources Changes

  1. Add a new authsource entry to resources/authsources_<env>.json in the cccnext/saml-ccc Bitbucket repo, where <env> is pilot or prod, with the appropriate AuthSource alias, IDP entity ID, EPPN scope/suffix, description and MIS code(s). For these changes to be reflected in Pilot/Prod, the Ops Jenkins "Authsources Metadata Deployment - Prod" job needs to be run.

InCommon Updates

  1. Go to https://service1.internet2.edu/siteadmin/login, click on "Federation Manager sign in" in the left nav and log in using Franz's InCommon creds in LastPass.

  2. Once authenticated, change the url to https://service1.internet2.edu/siteadmin/organizations/10513

  3. Click on https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php service provider.

  4. In the left-hand nav, click on "SP SSO Settings", scroll to the bottom and add the new AssertionConsumerService line that was added to the Proxy SP metadata.

  5. Repeat that process for the https://sso.cccympath.org/simplesaml/module.php/saml/sp/metadata.php service provider.

Upon completion of the steps above, after propagation of the updates (approximately one hour), testing of the new school with the IdP proxy can commence. Note that some colleges/districts will have different metadata for their prod IdP versus their pilot IdP. If so, we'll need to add their prod IdP metadata just like we did their pilot metadata in section 2.1.