UK federation operational information

Federation metadata

Publishing Schedule

The UK federation normally makes updates to its published metadata aggregates once per working day (Monday to Friday). Please note the office is closed over the Christmas and New Year break.

The signing and publishing process includes manual checks and multiple scheduled processes, so we cannot guarantee a particular time at which metadata is published.

Once published, metadata takes some time to propagate around the UK federation. We cannot give an accurate estimate of how long this takes, because metadata is pulled from our servers by the individual entities on their own schedules. The UK federation Technical Recommendations for Participants (section 4.2) say that a daily refresh operation should be regarded as normal, and we recommend that SPs check for updated metadata every 4 hours.

We usually publish updated metadata towards the end of the working day, that is to say late afternoon UK time. This means that the day's metadata updates will normally have propagated throughout the federation in time for the start of the next working day.

Downloading

Download the signed metadata file for the UK federation here:

You can download the certificate used to sign the metadata file from ukfederation.pem. The certificate is required for your identity provider or service provider configuration. For the Shibboleth IdP this is described in the "Credentials" section of the federation Shibboleth IdP configuration documentation. For the Shibboleth SP this is described in the "MetadataProvider" section of the federation Shibboleth SP configuration documentation.

However, as this certificate secures the entire UK federation, you should not rely on it until you have checked the certificate's fingerprint with a member of the UK federation Operations team. You can use this openssl command to find out the SHA-1 fingerprint of the certificate that you have downloaded:

 openssl x509 -sha1 -fingerprint -noout -in ukfederation.pem

You should compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone rather than by e-mail. Their phone number can be found on the federation helpdesk contact information page. Compare the complete fingerprint, not just its first few octets. SHA-1 is no longer collision resistant, so if the team can also confirm a SHA-256 fingerprint, compute that as well by substituting -sha256 for -sha1 in the command above; a full SHA-256 match is the stronger check.
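The comparison described above can be scripted rather than done by eye, which avoids the common mistake of matching only the first few octets. The following Python script is an added example, not part of this page or of the federation's own tooling: it decodes the PEM certificate to DER, computes the fingerprint in the same colon-separated format that `openssl x509 -fingerprint` prints, normalises the value read out over the phone (colons, spaces, case and a "SHA1 Fingerprint=" prefix), and compares in constant time. It goes beyond the page in also supporting SHA-256. The embedded PEM is a constructed stand-in whose base64 body decodes to three bytes rather than a real certificate, so the script runs offline; run it against the real ukfederation.pem and the fingerprint you were given to use it in practice.

```python
import base64
import hashlib
import hmac
import re
import sys

# Constructed stand-in for ukfederation.pem (NOT the real certificate): the
# base64 body decodes to the bytes b"abc". A real PEM file is handled the
# same way, because openssl's -fingerprint is a digest over the DER bytes
# that the base64 body encodes.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_BODY.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Digest of the DER certificate, formatted like `openssl x509 -fingerprint`:
    upper-case hex octets separated by colons."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Canonicalise a fingerprint as read out over the phone or pasted from
    openssl output: drop an `SHA1 Fingerprint=` style prefix, strip colons,
    spaces and any other non-hex characters, and upper-case the hex."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Compare the certificate's fingerprint with the value obtained out of band.
    A length check rejects anything that is not a full digest (for example a
    truncated read-out) before the constant-time comparison."""
    expected_hex = normalise(expected)
    if len(expected_hex) != 2 * hashlib.new(algorithm).digest_size:
        return False
    actual_hex = normalise(fingerprint(pem, algorithm))
    return hmac.compare_digest(actual_hex, expected_hex)


if __name__ == "__main__":
    # Usage: python check_fp.py ukfederation.pem "<fingerprint from the team>" [sha1|sha256]
    # (script name and argument order are this example's own convention)
    if len(sys.argv) < 3:
        print("usage: check_fp.py CERT.pem EXPECTED_FINGERPRINT [sha1|sha256]")
        sys.exit(2)
    algo = sys.argv[3] if len(sys.argv) > 3 else "sha256"
    with open(sys.argv[1]) as f:
        pem_text = f.read()
    print(f"{algo.upper()} Fingerprint={fingerprint(pem_text, algo)}")
    if fingerprint_matches(pem_text, sys.argv[2], algo):
        print("MATCH: fingerprint agrees with the out-of-band value")
        sys.exit(0)
    print("MISMATCH: do not use this certificate")
    sys.exit(1)
```

The script exits non-zero on a mismatch or a partial fingerprint, so it can gate an automated deployment step; the certificate is still only as trustworthy as the channel you obtained the expected value through.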

Testing new IdP deployments

You can test your IdP configuration using this UK federation test service provider:

The index page contains a number of links, which invoke different versions of the Discovery Service. The links marked as "full" have a list of all federation IdPs, including those that have been registered as hidden or invisible. If you click one of these links and select your IdP from the WAYF or DS page and successfully authenticate, you should see a list of environment variables, some of which contain the values of attributes released by the IdP; this allows you to test attribute generation and release as well as simple authentication.

WAYF links use the federation WAYF and will invoke a SAML1 session, which produces two displayed assertions – one for the authentication, one for the attributes. DS links use the federation Discovery Service and may invoke a SAML2 session, which produces a single displayed assertion.

If you are testing a Shibboleth IdP, and you have trouble authenticating or releasing attributes, then ensure your log levels are turned up to DEBUG (for details, see the 'logging.xml' section of the federation Shibboleth IdP configuration page) before re-testing, and check the logs; the idp-process.log is generally the most informative. If nothing is being written to the Shibboleth logs then check the Tomcat logs; it is advisable to keep checking the Tomcat logs anyway during the earlier stages of the installation.

You should not attempt to gain access to any live service until you have verified, by the use of the test page noted above, that your IdP is properly configured and releasing attributes correctly.

Testing new SP deployments

The UK federation does not operate a test IdP at present. However, if you have not deployed an IdP of your own for testing, you can create a test account at ProtectNetwork, an open-access IdP within the federation. Information on using ProtectNetwork to test your SP can be found here.

Attributes used in the UK federation

See Attribute usage for details.

History

The SDSS development federation was the forerunner of the UK federation.