Using the CAF Validator Service
*******************************

The Validator service is part of the CAF test federation and is a test Service Provider.
It is separate from CAF's production environment and is a long lived test environment for CANARIE and CAF participants 

To use the CAF Test Federation:

* Email CAF (tickets@canarie.ca) and include your metadata or reference your entityID that you want to make adjustments to .
* Add the CAF test federation metadata aggregate to be trusted by your Service Provider or Identity Provider using the instructions below.
* Sign into the Validator using one of the links on https://validator.caftest.canarie.ca
 

Configuring Trust Settings
==========================
Identity Providers wanting to use the Validator Service need to configure the appropriate trust settings.
Regardless of platform it usually is a two step process:

* adding in the aggregate to the IdP to be used
* enabling the attributes to be released


Shibboleth IdP settings
-----------------------

The aggregate
++++++++++++++++++++++++++++++

add this fragment to /opt/shibboleth-idp/conf/metadata-providers.xml:

.. code:: xml

   <MetadataProvider id="URLMDCAFTestbed" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                         metadataURL="https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed_unsigned.xml"
                         backingFile="/opt/shibboleth-idp/metadata/caf_test_fed_unsigned.xml"
             maxRefreshDelay="PT1H">
         </MetadataProvider>

Attribute release
++++++++++++++++++++++++


edit /etc/shibboleth/attribute-filter.xml and add this xml fragment to permit attributes to be sent to validator:


  .. code:: xml
     
     <!-- ##########################################
	#
	#   Site: validator.caftest.canarie.ca
	#   Purpose: A CANARIE CAF operated service to validate configuration
	#   Considerations: A site to validate attributes released by this IdP.
	#                   The list is long to allow IdP operators to see if their mappings are working
	#
	-->
	<AttributeFilterPolicy id="CAF-validator-caftest-canarie-ca">
	    <PolicyRequirementRule xsi:type="Requester" value="https://validator.caftest.canarie.ca/shibboleth" />

        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="email">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                 <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
                 <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                 <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
                 <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="preferredLanguage">
                 <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
	</AttributeFilterPolicy>


ADFS with ADFSToolkit 
----------------------

In order for ADFS to work properly with CAF sites must use `ADFSToolkit <https://www.canarie.ca/adfstoolkit/>`_ with their ADFS installation on premises.  
Azure integration is being worked on but not available yet.  Once ADFSToolkit is installed please follow the steps below to add the CAF test fed aggregate and test attribute release. 

The aggregate
+++++++++++++++++++++++++
After installing ADFSToolkit, you need to issue the command 'New-ADFSTkConfiguration' with the following settings:

* prefix: CAF-test
* test metadata url: https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed.xml
* fingerprint of key: B9:92:9F:2E:AA:80:6E:2A:CA:75:04:67:10:61:CA:C8:F1:5C:FB:8C:79:66:6D:39:66:13:49:86:42:F6:FF:F6


Attribute release
++++++++++++++++++++++++

To release attributes for validator, add the following to c:/ADFSToolkit/1.0.0.0/config/get-ADFSTkLocalManualSettings.ps1:

.. code:: ruby

   $TransformRules = [Ordered]@{} 
   $TransformRules.givenName = $AllTransformRules.givenName 
   $TransformRules.sn = $AllTransformRules.sn 
   $TransformRules.cn = $AllTransformRules.cn 
   $TransformRules.eduPersonPrincipalName = $AllTransformRules.eduPersonPrincipalName 
   $TransformRules.mail = $AllTransformRules.mail 
   $TransformRules.eduPersonAffiliation = $AllTransformRules.eduPersonAffiliation 
   $TransformRules.eduPersonScopedAffiliation = $AllTransformRules.eduPersonScopedAffiliation 
   $IssuanceTransformRuleManualSP["https://validator.caftest.canarie.ca/shibboleth"] = $TransformRules

Then the import command of ADFSToolkit needs to be run to update the claims for the validator after you have saved the file above. Use this command to specifically update your entity::

   Import-ADFSTkMetadata -EntityId https://validator.caftest.canarie.ca/shibboleth -ForceUpdate -ConfigFile 'C:\ADFSToolkit\1.0.0.0\config\yourconfig.xml'