How to Implement Group Representative Information Exchange
This guide outlines the steps to implement the Group Representative Information Exchange specification using the general JWS JSON Serialization format. The specification defines a standardized mechanism for extracting a URL from the GroupRepresentative extension element in SAML metadata and fetching the signed (JWS) document published at that URL, enhancing the interoperability of entities within a federation. Here's how to implement it:
Prerequisites
Before you begin, ensure that you have the following prerequisites in place:
- Knowledge of Security Assertion Markup Language (SAML) and its concepts.
- Access to SAML metadata for entities involved in your federation.
- Familiarity with JSON Web Signature (JWS), JWS general JSON Serialization, and JSON Schema.
Implementation Steps
Create SAML Metadata
Ensure that your SAML metadata includes the GroupRepresentative element. Its location attribute holds the URL of a JWS that conforms to the specification, and the element embeds, in a KeyDescriptor, the X.509 certificate used to validate that JWS signature (the same certificate the JWS carries in its x5c header parameter). Relying parties must take their trust anchor from this metadata certificate rather than from the x5c value inside the fetched document; otherwise anyone able to serve a file at the location could sign it with a key of their own choosing.
Example GroupRepresentative element in SAML metadata:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://idp1.example.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <grie:GroupRepresentative xmlns:grie="http://saml-schema.swefed.se/schema/grie"
                                location="https://www.example.com/mdie.jws">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>(Your certificate content here)</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </grie:GroupRepresentative>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>
Create the JSON Web Signature (JWS)
Generate the JSON Web Signature (JWS) according to the format and content the specification defines. Its payload must carry the required claims: iss (the issuer), exp and iat (expiry and issued-at, as NumericDate values in seconds since the Unix epoch), version, cache_ttl, and entities, as defined in the specification. Consumers should reject a document whose exp has already passed.
Here's an example JWS structure in JSON:
{
  "iss": "https://my-domain.example.com",
  "exp": 1693056343,
  "iat": 1692192343,
  "version": "1.0.0",
  "cache_ttl": 3600,
  "entities": [
    {
      "entity_id": "https://idp1.example.com",
      "constituents": [
        {
          "organization_id": "1122334455",
          "organization_name": "Example Org One"
        },
        {
          "organization_id": "6677889900",
          "organization_name": "Example Org Two"
        }
      ]
    }
  ]
}
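The two steps above, the metadata carrying the GroupRepresentative extension and the signed JWS document, end to end in Go, as an added example that is not part of this guide or of the specification's own code. It assumes ES256 as the JWS algorithm and a throwaway self-signed P-256 certificate (the page does not say which algorithms the specification permits), a fixed "now" of 1692200000 that falls inside the sample's iat/exp window, and helper names (BuildMetadata, ParseMetadata, SignJWS, VerifyJWS, SelfSignedCert) that are mine; the metadata template mirrors the element shown earlier, and the claims are the guide's sample reduced to one constituent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Payload holds the claims the guide lists (encoding/json matches untagged names case-insensitively).
type Payload struct {
	Iss, Version string
	Exp, Iat     int64
	CacheTTL     int                      `json:"cache_ttl"`
	Entities     []map[string]interface{} `json:"entities"`
}

// Constructed inputs: the guide's claims, and a metadata template whose %s placeholders are
// filled by BuildMetadata with the entityID, the JWS location and the base64 DER certificate.
const SampleClaims = `{"iss":"https://my-domain.example.com","exp":1693056343,"iat":1692192343,"version":"1.0.0","cache_ttl":3600,"entities":[{"entity_id":"https://idp1.example.com","constituents":[{"organization_id":"1122334455","organization_name":"Example Org One"}]}]}`
const MetadataTmpl = `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><Extensions>
<grie:GroupRepresentative xmlns:grie="http://saml-schema.swefed.se/schema/grie" location="%s"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></grie:GroupRepresentative></Extensions></IDPSSODescriptor></EntityDescriptor>`

// BuildMetadata renders the representative's metadata carrying its signing certificate.
func BuildMetadata(entityID, location string, certDER []byte) string {
	return fmt.Sprintf(MetadataTmpl, entityID, location, base64.StdEncoding.EncodeToString(certDER))
}

// SelfSignedCert makes a throwaway P-256 key and certificate for the group representative.
func SelfSignedCert() (key *ecdsa.PrivateKey, der []byte, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return
}

// ParseMetadata extracts the JWS location and the trust-anchor certificate from the
// GroupRepresentative extension; encoding/xml matches the elements by local name.
func ParseMetadata(doc []byte) (string, *x509.Certificate, error) {
	var ed struct {
		Reps []struct {
			Location string   `xml:"location,attr"`
			Certs    []string `xml:"KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
		} `xml:"IDPSSODescriptor>Extensions>GroupRepresentative"`
	}
	if err := xml.Unmarshal(doc, &ed); err != nil || len(ed.Reps) != 1 || len(ed.Reps[0].Certs) == 0 {
		return "", nil, errors.New("metadata lacks a single GroupRepresentative carrying a certificate")
	}
	// Real metadata line-wraps and indents the base64 body, so strip all whitespace first;
	// a corrupt body decodes to garbage that x509.ParseCertificate rejects.
	der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(ed.Reps[0].Certs[0]), ""))
	cert, err := x509.ParseCertificate(der)
	return ed.Reps[0].Location, cert, err
}

// SignJWS builds the general JSON serialization with one ES256 signature and the
// signing certificate in the protected header's x5c parameter.
func SignJWS(key *ecdsa.PrivateKey, certDER, claims []byte) ([]byte, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "x5c": []string{base64.StdEncoding.EncodeToString(certDER)}})
	protected, payload := base64.RawURLEncoding.EncodeToString(hdr), base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(protected + "." + payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is R || S
	return json.Marshal(map[string]interface{}{"payload": payload,
		"signatures": []map[string]string{{"protected": protected, "signature": base64.RawURLEncoding.EncodeToString(sig)}}})
}

// VerifyJWS accepts the document only if some signature verifies under the key from the
// metadata certificate (x5c is never a trust source), its alg is allow-listed (so alg=none
// and HS256 key confusion are refused) and now lies inside the iat/exp window.
func VerifyJWS(doc []byte, trusted *x509.Certificate, now time.Time) (*Payload, error) {
	var env struct {
		Payload    string
		Signatures []struct{ Protected, Signature string }
	}
	pub, ok := trusted.PublicKey.(*ecdsa.PublicKey)
	if err := json.Unmarshal(doc, &env); err != nil || !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("malformed JWS, or metadata key is not a P-256 ECDSA key")
	}
	for _, s := range env.Signatures {
		var hdr struct{ Alg string }
		raw, err := base64.RawURLEncoding.DecodeString(s.Protected)
		sig, err2 := base64.RawURLEncoding.DecodeString(s.Signature)
		if err != nil || err2 != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" || len(sig) != 64 {
			continue
		}
		digest := sha256.Sum256([]byte(s.Protected + "." + env.Payload))
		if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			continue
		}
		p := new(Payload)
		if raw, err = base64.RawURLEncoding.DecodeString(env.Payload); err != nil || json.Unmarshal(raw, p) != nil {
			return nil, errors.New("signed payload is not valid JSON")
		}
		if now.Unix() < p.Iat || now.Unix() >= p.Exp {
			return nil, errors.New("JWS is outside its iat/exp validity window")
		}
		return p, nil
	}
	return nil, errors.New("no signature verified under the metadata certificate")
}

func main() {
	key, der, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	loc, cert, err := ParseMetadata([]byte(BuildMetadata("https://idp1.example.com", "https://www.example.com/mdie.jws", der)))
	if err != nil {
		panic(err)
	}
	jws, _ := SignJWS(key, der, []byte(SampleClaims))          // in production this is the document fetched from loc
	p, err := VerifyJWS(jws, cert, time.Unix(1692200000, 0)) // fixed "now" inside the sample's iat/exp window
	if err != nil {
		panic(err)
	}
	fmt.Printf("JWS at %s verified: iss=%s entities=%d\n", loc, p.Iss, len(p.Entities))
}
```

The consumer side is where the security lives: ParseMetadata yields both the URL to fetch (over HTTPS, which is not shown) and the certificate, and VerifyJWS validates the fetched document against that certificate only, refusing any alg other than ES256 and any document outside its iat/exp window; the x5c header is treated as informational and never used to choose a key. Honouring cache_ttl and checking the certificate's own validity period are left to the caller.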