Joining SDSS as an Origin Site
To apply to join the SDSS federation as an origin site, e-mail edina@ed.ac.uk (the EDINA helpdesk) and ask for your message to be forwarded to the SDSS team. In the e-mail, please include the following details, which cover all the information we will need for your <OriginSite> entry in the federation metadata (see http://sdss.ac.uk/fed/sdss-sites-12.xml for examples):
- Provider type: State that you are applying to be an origin.
- Policy: A brief statement agreeing to operate in accordance with the SDSSFederationPolicy.
- Alias: A short name to identify your site (which may just be your project acronym).
- Technical contact: A technical contact name and e-mail address. These can identify either an individual person or a group mailing list within your organisation. Notification of future developments in the federation, particularly changes that may require you to reconfigure your software to maintain connectivity with other members, will be sent to this e-mail address, which should therefore be monitored regularly.
- Admin contact: An optional administrative contact name and e-mail address (if different from the technical one). At present, both contacts receive the same notifications.
- Entity ID: This must be a URI identifying your identity provider. If your identity provider is already a member of any other federation then please give its existing entity ID, even if it appears to be federation-specific. If your identity provider is not already a member of another federation, please consult EntityIDPolicy for details on the process of constructing a new entity ID.
- HS Location: The URL of your Shibboleth handle server, e.g., https://shibbox.uni.ac.uk/shibboleth/HS. Note that port numbers other than the default (80 for http, 443 for https), while allowed, may cause problems for end users behind outgoing firewalls.
- HS Name: The Common Name from the handle server's certificate. In most cases, this will be the fully qualified domain name of the handle server, e.g., shibbox.uni.ac.uk.
- AA Location: The URL of your Shibboleth attribute authority server, e.g., https://shibbox.uni.ac.uk/shibboleth/AA. The same port number considerations apply as for the handle server.
- AA Name: The Common Name from the attribute authority's certificate. Again, this will usually be the fully qualified domain name of the attribute authority server, e.g., shibbox.uni.ac.uk. Note that if the Common Names are the same, it is possible to use the same certificate for the handle server and the attribute authority.
- Domain: The domains (scopes) for which attribute assertions made by this identity provider should be considered valid. Normally there will be only one of these and it will be the same project, machine or institution domain used in the provider URN, though this is not required.
- OrganizationURL: The URL of a web page providing a description of the organization applying to join the federation.
We will let you know by e-mail once the federation metadata has been updated to include the information you supplied. You will then need to download the new metadata and modify your Shibboleth configuration to match it, as described at SetupIdentityProvider.
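A pre-submission check of the details listed above, as an added example that is not part of the SDSS documentation: it flags HS/AA Locations on non-default ports and HS/AA Names that differ from the host in the URL, and reports whether one certificate could serve both. The dictionary keys, function names and the sample entity ID are assumptions made for this example; the host name is the one used in the list above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def check_endpoint(label, location, cert_name):
    """Return warnings for one handle server (HS) or attribute authority (AA) entry."""
    url = urlsplit(location)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        return [f"{label} Location is not an http(s) URL: {location}"]
    warnings = []
    if url.port is not None and url.port != DEFAULT_PORTS[url.scheme]:
        warnings.append(f"{label} Location uses port {url.port}; "
                        "end users behind outgoing firewalls may be blocked")
    # The Name must be the certificate's Common Name, which is usually the FQDN.
    if url.hostname != cert_name.lower():
        warnings.append(f"{label} Name {cert_name!r} differs from host "
                        f"{url.hostname!r}; confirm it is the certificate's CN")
    return warnings

def check_application(app):
    """Collect warnings for the whole application before it is e-mailed."""
    warnings = []
    if not urlsplit(app["entity_id"]).scheme:
        warnings.append("Entity ID is not a URI")
    warnings += check_endpoint("HS", app["hs_location"], app["hs_name"])
    warnings += check_endpoint("AA", app["aa_location"], app["aa_name"])
    if not app["domains"]:
        warnings.append("No Domain (scope) given")
    return warnings

def can_share_certificate(app):
    """One certificate can serve HS and AA when both Common Names are the same."""
    return app["hs_name"].lower() == app["aa_name"].lower()

# Constructed sample application; the entity ID is a placeholder, not a real one.
SAMPLE = {
    "entity_id": "https://shibbox.uni.ac.uk/placeholder-entity-id",
    "hs_location": "https://shibbox.uni.ac.uk/shibboleth/HS",
    "hs_name": "shibbox.uni.ac.uk",
    "aa_location": "https://shibbox.uni.ac.uk:8443/shibboleth/AA",
    "aa_name": "shibbox.uni.ac.uk",
    "domains": ["uni.ac.uk"],
}

if __name__ == "__main__":
    for line in check_application(SAMPLE):
        print("WARNING:", line)
    print("Shared certificate possible:", can_share_certificate(SAMPLE))
```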
Institutional Domains
If you are applying to become the identity provider for any organisation with a scope or lifetime greater than a short-term project group, you must additionally send us a hard-copy letter on the organisation's letterhead, agreeing to abide by the SDSSFederationPolicy. The letter should either refer to or follow the wording of that policy web page and be signed by a senior person who is authorised to make legally binding commitments on behalf of the organisation. This applies, for example, to whole institutions (ed.ac.uk, ox.ac.uk), departments (dcs.ed.ac.uk, oucs.ox.ac.uk) and quasi-independent entities whose members are not necessarily members of their hosting institution (edina.ac.uk).
This requirement gives service providers assurance, at least as strong as that of existing identity mechanisms (Athens, IP address checking), that identity providers will only provide credentials to members of their own organisation. It therefore allows SDSS service providers to use a Shibboleth attribute such as member@ed.ac.uk to grant access to existing JISC information environment resources licensed to "all members of Edinburgh University", without requiring contract renegotiation with the content provider.
Please send the letter to:
Alternatively, you may fax the letter, marked for the attention of the SDSS team, to: