...
The Fedkom production environment is accessible only to members of Fedkom and opted-in members from Sambi and Skolfederation. All member metadata published in the Fedkom aggregated metadata feed comes from confirmed member organizations, which must comply with the trust framework and technical requirements.
...
Uploading metadata to Fedkom
...
Metadata opt-in from Skolfederation or Sambi
If your member organization is a Swedish municipality and a member of either Skolfederation or Sambi, you have the option to include existing or new entities in Fedkom. This is done by:
- Applying the opt-in
...
- Entity Attribute as defined in the Fedkom policy
- Uploading the entity metadata to Skolfederation or Sambi via Federationsadmin
Example:
```xml
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    entityID="https://openfed.swefed.se/placeholder/internetstiftelsen/sp-prod">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="https://id.openfed.se/entityattributes/opt-in" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://id.openfed.se/entityattributes/opt-in/yes</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  ...
  ...
</md:EntityDescriptor>
```
Once the opt-in Entity Attribute is correctly applied and the metadata has been published, the entity will be included in Fedkom in accordance with the federation policy.
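A pre-upload check for the opt-in Entity Attribute shown in the example above. This is an added example, not code from the federation operator; the function names, the constructed sample metadata and the `sp.example.org` entityID are assumptions, and the checks mirror the attribute name, NameFormat and value used in the page's example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
OPT_IN_NAME = "https://id.openfed.se/entityattributes/opt-in"
OPT_IN_YES = "https://id.openfed.se/entityattributes/opt-in/yes"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def check_opt_in(metadata_xml: str) -> list:
    """Return a list of problems; an empty list means the opt-in is in place."""
    # Meant for your own metadata file, not for XML from untrusted parties.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("entityID is missing")
    # As in the page's example, the attribute sits in the entity-level
    # md:Extensions, not inside a role descriptor.
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    opt_in = [a for a in root.findall(path, NS) if a.get("Name") == OPT_IN_NAME]
    if not opt_in:
        return problems + ["opt-in Entity Attribute not found under md:Extensions"]
    for attr in opt_in:
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append("opt-in attribute NameFormat is not the URI format")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if OPT_IN_YES not in values:
            problems.append(f"opt-in value {values!r} does not include {OPT_IN_YES}")
    return problems


def sample(value=None) -> str:
    """Constructed EntityDescriptor; value=None leaves the opt-in out."""
    ext = "" if value is None else (
        "<md:Extensions><mdattr:EntityAttributes>"
        f'<saml:Attribute Name="{OPT_IN_NAME}" NameFormat="{URI_FORMAT}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></mdattr:EntityAttributes></md:Extensions>")
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:mdattr="{NS["mdattr"]}" entityID="https://sp.example.org/constructed">'
            f"{ext}</md:EntityDescriptor>")


if __name__ == "__main__":
    for value in (OPT_IN_YES, "yes", None):
        print(value, "->", check_opt_in(sample(value)) or "OK")
```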
Info: After publishing your entity with the opt-in Entity Attribute, it may take up to approximately one hour before the entity is published in the Fedkom feeds. This delay is due to differences in metadata aggregation and publishing cycles between the federations and Fedkom.
If your member organization is not a Swedish municipality you cannot opt in to Fedkom, but the opt-in gives you access to the Klassa access solution if you have an agreement with Klassa, given the Klassa prerequisites are fulfilled.
Uploading metadata directly to Fedkom
...
Sending metadata manually to federation operator
An alternative to managing the metadata in Federationsadmin is to use the form linked below to send the metadata to the federation operator. If your member organization is not a member of Skolfederation or Sambi, you can upload metadata by sending it to the federation operator for validation and verification. If there are errors, the federation operator will request corrections. If everything is ready for upload, the federation operator will contact the Technical Contact to validate the metadata checksum (SHA1) before publication to the federation.
Technical information
Metadata
...
Fedkom produces three metadata feeds available for consumption:
| Metadata feed | URL |
|---|---|
| All entities (IdP and SP) | https://md.openfed.se/prod/md/metadata_set1_01.xml |
| All SP's only | https://md.openfed.se/prod/md/metadata_set1_sp_01.xml |
| All IdP's only | https:// |
...
...
...
...
The public key for verifying the signature of all Fedkom metadata feeds is found below.
Certificate file: https://Fedkom.se/app/uploads/2016/05/Fedkom-3_1 openfed-saml-signer-prod-1_0.crt
...
SHA-256 fingerprint: B2EE:59A2:33A9:6BC3:5505:06:72:6DBD:8EB5:194E:4F81:2B1E:9397:927A:3011:7CB4:4CA6:2CDC:4D08:6E7B:29C5:7D15:A6D5:AEB8:096F:EF0D:BE0C:7B88:4B37:61F1:4ABA:C7B6
Info: We recommend verifying the fingerprint of the signing certificate with the federation operator before adding the certificate to your IdP/SP trust. After trusting the certificate, always verify the federation metadata signature with the signing certificate to guarantee metadata integrity.
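One way to carry out the fingerprint check recommended above before pinning the signing certificate. This is an added example, not the federation operator's tooling; the function names and the constructed sample bytes are assumptions, and it covers only the fingerprint comparison, not XML signature verification of the metadata itself.

```python
import base64
import hashlib
import hmac
import re


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes of the single certificate in a PEM file."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:..', 'ABCD:EF01:..' or plain hex; require 32 bytes."""
    hex_digits = re.sub(r"[\s:]", "", text)
    # A fingerprint that is too long, too short or damaged is rejected here
    # instead of being compared against a truncated or padded value.
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hex_digits):
        raise ValueError("not a SHA-256 fingerprint: need exactly 64 hex digits")
    return bytes.fromhex(hex_digits)


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare the certificate's SHA-256 fingerprint with the confirmed one."""
    actual = hashlib.sha256(pem_to_der(pem)).digest()
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


# Constructed sample: placeholder bytes standing in for a certificate's DER
# encoding. A real check reads the downloaded .crt file instead.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
_HEX = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
# In practice this string is what the federation operator confirms out of band.
SAMPLE_EXPECTED = ":".join(_HEX[i:i + 4] for i in range(0, 64, 4))

if __name__ == "__main__":
    print("fingerprint matches:", fingerprint_matches(SAMPLE_PEM, SAMPLE_EXPECTED))
```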
...
A centralized SAML 2.0 Discovery Service for Fedkom is found below.
https://fedmd.Fedkomopenfed.se/prod/ds/
The DS is populated with all IdP's from the Fedkom metadata. The names shown in the DS are based on the OrganizationDisplayName attribute from the IdP metadata.
Info: Note that the federation operator does not recommend the usage of the centralized DS for discovery of IdP's in production environments, due to limitations in user experience. If required, service providers are recommended to implement a method of discovery better suited to their service.

Info: Currently, there are no test services available in production. For testing your IdP or SP solution, please feel free to use the test services in the test environment Fedkom Trial.
Generic errorURL handler
A generic errorURL handler is provided in the federation. More information: Generic errorURL handler.