Is there a central Discovery Service for CLARIN?
Yes, there is. It is a custom implementation inspired by DiscoJuice (which is no longer supported). It is hosted on a CLARIN server in a computing centre and populated with IdP information (metadata) about:
Can I test it?
Yes. Go to https://catalog.clarin.eu/secure/shib_test.pl and you will be redirected to DiscoJuice.
Why do you have a central Discovery Service?
There are multiple reasons for this:
- It means less hassle and configuration effort on the side of the Service Providers.
- We only need to keep one instance updated (security and usability improvements, etc.).
- If a user is redirected to the same Discovery Service, there is no need to select the IdP again from a list. This improves the Single Sign On experience.
Is use of the central Discovery Service compulsory?
No. You can still host your own. But given the advantages (see the previous question) we strongly recommend it.
In order to use the central Discovery Service, your Shibboleth Service Provider's configuration must have the right session initiator configuration. You can change this in the shibboleth2.xml configuration file. The Location attribute specifies the login endpoint that you append to your handler URL (/Shibboleth.sso by default) to start a SAML session. The URL attribute of the session initiator of type SAMLDS should point to the Discovery Service installation you want to use.
Please add to shibboleth2.xml:
- For a discovery service containing all Identity Providers from the CLARIN Service Provider Federation (default):
  <!-- Use CLARIN central Discovery Service -->
  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu">SAML2</SSO>
- For a discovery service containing all Identity Providers from the CLARIN Service Provider Federation and eduGAIN:
  <!-- Use CLARIN central Discovery Service -->
  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/feed/edugain">SAML2</SSO>
(A restart of shibd and a reload of your web server are required afterwards.)
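To confirm the change before restarting shibd, the following added example (not CLARIN's or Shibboleth's own tooling) parses a shibboleth2.xml and checks that every SSO element uses SAMLDS and points at one of the two discovery URLs listed above. The sample configuration, its entityID and the names check_sso, CLARIN_FEEDS and SAMPLE are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two discovery endpoints listed on this page, with the IdP set each serves.
CLARIN_FEEDS = {
    "https://discovery.clarin.eu": "CLARIN SPF",
    "https://discovery.clarin.eu/feed/edugain": "CLARIN SPF + eduGAIN",
}

# Constructed sample configuration (entityID is a placeholder).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso">
      <!-- Use CLARIN central Discovery Service -->
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://discovery.clarin.eu/feed/edugain">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def check_sso(xml_text):
    """Return one (feed_name, problems) tuple per <SSO> element found."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        # Compare the local name only, so the config namespace does not matter.
        if el.tag.rsplit("}", 1)[-1] != "SSO":
            continue
        problems = []
        proto = el.get("discoveryProtocol")
        url = (el.get("discoveryURL") or "").rstrip("/")
        if proto != "SAMLDS":
            problems.append(f"discoveryProtocol is {proto!r}, expected 'SAMLDS'")
        if url not in CLARIN_FEEDS:
            # Also catches plain-http variants and look-alike hosts.
            problems.append(f"discoveryURL {url!r} is not a CLARIN discovery endpoint")
        if "SAML2" not in (el.text or "").split():
            problems.append("SAML2 is not listed as an enabled protocol")
        results.append((CLARIN_FEEDS.get(url), problems))
    return results


if __name__ == "__main__":
    for feed, problems in check_sso(SAMPLE):
        print(feed or "unknown discovery service", problems or "OK")
```

An empty result list means the file contains no SSO element at all, which should be treated as a failure too.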
For more technical information, including configuration tips for other Service Provider implementations, please consult the relevant Trac page.
Does the use of a central discovery service have disadvantages too?
A drawback of the central Discovery Service is the fact that it introduces a single point of failure. To address this, several measures are in place:
- The service is set up redundantly. If one server is not available or has problems, an automatic failover system ensures another server takes over.
- The central Discovery Service gets the highest system administration priority.
- It runs at a reliable computing centre (MPCDF), which helps us achieve a high availability.
Is the source code available?
My question isn't answered here!
Please send it to email@example.com