Using the CAF Validator Service

The Validator service is part of the CAF test federation and is itself a test Service Provider. It is separate from CAF's production environment and is a long-lived test environment for CANARIE and CAF participants.

To use the CAF Test Federation:

  • Email CAF (tickets@canarie.ca) with your metadata, or reference the entityID you want adjusted.
  • Add the CAF test federation metadata aggregate to the metadata trusted by your Service Provider or Identity Provider, using the instructions below.
  • Sign into the Validator using one of the links on https://validator.caftest.canarie.ca

Configuring Trust Settings

Identity Providers wanting to use the Validator service need to configure the appropriate trust settings. Regardless of platform, this is usually a two-step process:

  • adding the test federation aggregate to the metadata the IdP trusts
  • enabling release of the required attributes to the validator

Shibboleth IdP settings

The aggregate

Add this fragment to /opt/shibboleth-idp/conf/metadata-providers.xml:

<!-- CAF test federation aggregate. The file is published unsigned, so no SignatureValidation
     filter can be applied to it: the IdP's trust in its contents rests on the TLS connection
     to caf-shib2ops.ca and on the backing file kept under /opt/shibboleth-idp/metadata. -->
<MetadataProvider id="URLMDCAFTestbed" xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataURL="https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed_unsigned.xml"
                  backingFile="/opt/shibboleth-idp/metadata/caf_test_fed_unsigned.xml"
                  maxRefreshDelay="PT1H">
</MetadataProvider>

Attribute release

Edit /opt/shibboleth-idp/conf/attribute-filter.xml (the IdP's filter, not the Shibboleth SP's /etc/shibboleth/attribute-filter.xml) and add this XML fragment to permit attributes to be sent to the validator. The PolicyRequirementRule scopes the release to the validator's entityID alone, and that entityID is only known to the IdP once the test aggregate above has been loaded:

<!-- ##########################################
     #
     #   Site: validator.caftest.canarie.ca
     #   Purpose: A CANARIE CAF operated service to validate configuration
     #   Considerations: A site to validate attributes released by this IdP.
     #                   The list is long to allow IdP operators to see if their mappings are working
     #
     -->
<AttributeFilterPolicy id="CAF-validator-caftest-canarie-ca">
    <PolicyRequirementRule xsi:type="Requester" value="https://validator.caftest.canarie.ca/shibboleth" />

    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="cn">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="preferredLanguage">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
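The two Shibboleth steps above (trusting the aggregate, releasing attributes) can be sanity-checked offline before restarting the IdP. The script below is an added example written for this page, not CAF or Shibboleth code: it parses a constructed stand-in for the cached aggregate to confirm the validator's EntityDescriptor is present and unexpired and records that the file carries no XML signature, then parses a constructed attribute-filter fragment to list which attributes reach the validator through a Requester-scoped policy and flags any policy whose requirement rule is ANY, since such a policy releases to every SP in every trusted aggregate. The sample XML, the AssertionConsumerService Location and the second "too-broad" policy are assumptions constructed for the example; point the two loaders at the real backing file and attribute-filter.xml to run it against an IdP.

```python
"""Offline pre-flight check for the two IdP-side steps on this page.

Constructed example, not CAF or Shibboleth code. Replace the two SAMPLE_* strings
with the contents of the backing file and attribute-filter.xml to check a real IdP.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
AFP = "urn:mace:shibboleth:2.0:afp"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

VALIDATOR = "https://validator.caftest.canarie.ca/shibboleth"

# Constructed stand-in for caf_test_fed_unsigned.xml: two entities, no ds:Signature,
# validUntil far in the future. The ACS Location is an assumed value, not the real one.
SAMPLE_AGGREGATE = f"""<EntitiesDescriptor xmlns="{MD}" Name="sample-testbed"
    validUntil="2099-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="{VALIDATOR}">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://validator.caftest.canarie.ca/assumed/acs" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed attribute-filter fragment: the page's Requester-scoped policy (shortened)
# plus a deliberately over-broad policy so the check has something to flag.
SAMPLE_FILTER = f"""<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:xsi="{XSI}" id="sample">
  <AttributeFilterPolicy id="CAF-validator-caftest-canarie-ca">
    <PolicyRequirementRule xsi:type="Requester" value="{VALIDATOR}"/>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="too-broad">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def check_aggregate(xml_text, entity_id, now=None):
    """What the IdP would learn about entity_id from this aggregate."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"present": False, "expired": None, "acs": [],
              # An unsigned aggregate cannot be pinned with a SignatureValidation filter.
              "signed": root.find(f"{{{DS}}}Signature") is not None}
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        report["expired"] = expiry <= now
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            report["present"] = True
            report["acs"] = [a.get("Location") for a in ed.iter(f"{{{MD}}}AssertionConsumerService")]
    return report


def release_policies(filter_xml, entity_id):
    """Return (scoped, broad): attributeID -> policy ids that release it to entity_id.
    'scoped' policies name the entity in a Requester rule; 'broad' ones use ANY."""
    root = ET.fromstring(filter_xml)
    scoped, broad = {}, {}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if rule is None:
            continue
        kind = (rule.get(f"{{{XSI}}}type") or "").split(":")[-1]  # tolerate legacy "basic:" prefix
        if kind == "Requester" and rule.get("value") == entity_id:
            target = scoped
        elif kind == "ANY":
            target = broad
        else:
            continue
        for ar in policy.iter(f"{{{AFP}}}AttributeRule"):
            target.setdefault(ar.get("attributeID"), []).append(policy.get("id"))
    return scoped, broad


def preflight(aggregate_xml, filter_xml, expected, entity_id=VALIDATOR, now=None):
    """Human-readable findings; an empty list means both steps look right."""
    findings = []
    agg = check_aggregate(aggregate_xml, entity_id, now)
    if not agg["present"]:
        findings.append(f"{entity_id} is not in the aggregate, so the Requester policy can never match")
    if agg["expired"]:
        findings.append("aggregate validUntil has passed; the IdP will treat it as invalid")
    if not agg["signed"]:
        findings.append("note: aggregate carries no ds:Signature; trust rests on TLS to the metadata URL")
    scoped, broad = release_policies(filter_xml, entity_id)
    for attr in expected:
        if attr not in scoped and attr not in broad:
            findings.append(f"{attr} is not released to {entity_id}")
    for attr, ids in broad.items():
        findings.append(f"{attr} is released to every requester by policy {', '.join(ids)}")
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_AGGREGATE, SAMPLE_FILTER, ["eduPersonPrincipalName", "mail", "givenName"]):
        print(line)
```

Against the constructed samples the check reports three things: the aggregate is unsigned, givenName is not released to the validator, and the "too-broad" policy releases eduPersonAffiliation to every requester. Once the real files pass with only the unsigned note left, the remaining verification is end to end: sign into the validator and compare what it shows against the list above.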

ADFS with ADFSToolkit

For ADFS to work with CAF, sites must use ADFSToolkit with their on-premises ADFS installation. Azure integration is being worked on but is not available yet. Once ADFSToolkit is installed, follow the steps below to add the CAF test federation aggregate and test attribute release.

The aggregate

After installing ADFSToolkit, run the command New-ADFSTkConfiguration with the following settings:

Attribute release

To release attributes for the validator, add the following to C:\ADFSToolkit\1.0.0.0\config\get-ADFSTkLocalManualSettings.ps1:

# Claims to issue to the validator; each entry reuses one of the toolkit's predefined transform rules
$TransformRules = [Ordered]@{}
$TransformRules.givenName = $AllTransformRules.givenName
$TransformRules.sn = $AllTransformRules.sn
$TransformRules.cn = $AllTransformRules.cn
$TransformRules.eduPersonPrincipalName = $AllTransformRules.eduPersonPrincipalName
$TransformRules.mail = $AllTransformRules.mail
$TransformRules.eduPersonAffiliation = $AllTransformRules.eduPersonAffiliation
$TransformRules.eduPersonScopedAffiliation = $AllTransformRules.eduPersonScopedAffiliation
# Bind the rule set to the validator's entityID so it applies to that relying party only
$IssuanceTransformRuleManualSP["https://validator.caftest.canarie.ca/shibboleth"] = $TransformRules

After saving the file above, run the ADFSToolkit import command so that the claims for the validator are updated. Use this command to update only the validator's entity:

Import-ADFSTkMetadata -EntityId https://validator.caftest.canarie.ca/shibboleth -ForceUpdate -ConfigFile 'C:\ADFSToolkit\1.0.0.0\config\yourconfig.xml'