[Surfconext-sp-newsletter] SURFconext News SP-edition including; eduID will replace Onegini as Guest IdP | SURFsecureID key rollover | Which services are connected to SURFconext? | OpenID Connect migration

SURFconext Nieuws no-reply at surfconext.nl
Fri Apr 10 10:57:44 CEST 2020


SURFconext News SP-edition 2020 #2



		

This newsletter will bring you information about new developments 
regarding SURFconext, plans for the future, tips and tricks and will 
appear on an irregular basis.

*Who receives this newsletter?*
All technical and administrative contacts of a service connected to 
SURFconext will receive this newsletter. Subscribe here 
<https://list.surfnet.nl/mailman/listinfo/surfconext-sp-newsletter> and 
unsubscribe here 
<https://list.surfnet.nl/mailman/options/surfconext-sp-newsletter>.

For an overview of all mailings by the SURFconext team, see the 
following page 
<https://wiki.surfnet.nl/display/surfconextdev/SURFconext+News+SP-edition>.

In this edition:

1.    eduID will replace Onegini as Guest IdP in SURFconext
2.    Make your service available more quickly to institutions
3.    Which services are connected to SURFconext?
4.    SURFsecureID key rollover
5.    OpenID Connect migration


  eduID will replace Onegini as Guest IdP in SURFconext

Not everyone who must log in to a service connected to SURFconext has an 
institutional account. For these so-called guest users, SURFconext 
offers a guest Identity Provider (guest IdP). The current guest IdP, 
Onegini, will be replaced by eduID before 1 July 2020. Read more about 
eduID 
<https://www.surf.nl/en/eduid-to-support-lifelong-learning-research-and-collaboration>.

SURF has set up a process to make it as easy as possible for the user to 
migrate the old Onegini guest account to eduID. During the migration, a 
new eduID account is created for the user with the same identifier as 
the old Onegini account. As a result, the old identity is retained 
within eduID. The guest user also retains his existing authorisations 
within SURFconext (such as SURFconext Teams memberships) and the 
services connected to it.


        Planning

The migration will start within a few weeks (the exact date is not yet 
known). Once the migration has begun, Onegini will send out an email to 
all current Onegini users, asking them to migrate their accounts to 
eduID. Meanwhile, SURF will connect the eduID IdP to all Service 
Providers who are currently connected with Onegini. This ensures that 
migrated users can actually log in to the service using eduID. On 1 July 
2020, Onegini will be disconnected from all Service Providers.


        Expected impact

As a Service Provider, you need to make few or no changes to support 
eduID. Just like Onegini, eduID is an Identity Provider in 
SURFconext, and eduID supports exactly the same attributes as Onegini. 
Onegini and SURF will take care of migrating users, and once they have 
migrated from Onegini to eduID (see below), they will remain exactly the 
same user, with exactly the same attributes and identifier.


        ACL

If your Service Provider filters users based on the Entity ID of the IdP 
which the user authenticated with in SURFconext, you will need to update 
your ACL. The Entity ID of eduID is: https://login.eduid.nl.
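
One way to express this ACL update on the SP side, as an added example that is not SURFconext's or the newsletter's own code. It assumes the IdP's entity ID reaches your SP in the assertion's AuthenticatingAuthority element and that your SAML library has already validated the assertion's signature; ONEGINI_ENTITY_ID is a placeholder because the newsletter does not give that value, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
AUTHORITY_PATH = (".//saml:AuthnStatement/saml:AuthnContext/"
                  "saml:AuthenticatingAuthority")

EDUID_ENTITY_ID = "https://login.eduid.nl"  # value given in the newsletter
ONEGINI_ENTITY_ID = "https://ONEGINI-ENTITY-ID.invalid"  # placeholder, not the real value

# Both guest IdPs while they run side by side; eduID only after the disconnect.
DURING_MIGRATION = frozenset({ONEGINI_ENTITY_ID, EDUID_ENTITY_ID})
AFTER_DISCONNECT = frozenset({EDUID_ENTITY_ID})


def authenticating_idps(assertion_xml):
    """Return the entity IDs listed as AuthenticatingAuthority.

    Assumption: the assertion was signature-validated before this call.
    """
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.iterfind(AUTHORITY_PATH, NS)
            if el.text and el.text.strip()]


def idp_allowed(assertion_xml, allowed):
    """Fail closed: no authority listed, or any authority not on the ACL, is a deny.

    Entity IDs are compared as exact strings, so a trailing slash or a
    look-alike host does not match.
    """
    idps = authenticating_idps(assertion_xml)
    return bool(idps) and all(idp in allowed for idp in idps)


def sample_assertion(*idps):
    """Build a minimal, constructed assertion fragment for the checks below."""
    authorities = "".join(
        f"<saml:AuthenticatingAuthority>{i}</saml:AuthenticatingAuthority>"
        for i in idps)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthnStatement>'
            f"<saml:AuthnContext>{authorities}</saml:AuthnContext>"
            "</saml:AuthnStatement></saml:Assertion>")


if __name__ == "__main__":
    for idp in (EDUID_ENTITY_ID, ONEGINI_ENTITY_ID, "https://login.eduid.nl/"):
        print(idp, idp_allowed(sample_assertion(idp), AFTER_DISCONNECT))
```
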


        Customised WAYF page?

Some services have their own WAYF/discovery page that includes Onegini, 
or a login button that refers directly to Onegini. In that case, as a 
Service Provider you will need to change this to eduID.


        Update your manuals

If you have manuals about guest use for SURFconext, replace Onegini with 
eduID. You can also point users towards our own help pages: 
https://eduid.nl/help_en/ (for English) or https://eduid.nl/help/ (for 
Dutch).


        Temporary: Onegini and eduID side by side

Temporarily, guest users who have migrated their old Onegini accounts to 
eduID will be able to log in to (certain) services using both Onegini and 
eduID. From a service point of view, there is no difference between 
these users. Later this year Onegini will disappear and eduID will 
remain the only possibility to log in as a guest user.


        Need help?

For more detailed information, SURF has set up a wiki page: eduID will 
replace Onegini as Guest IdP in SURFconext. As always, if you have any 
questions you can reach out to us at support at surfconext.nl.


  Make your service available more quickly to institutions

When your Service Provider (SP) has been connected to SURFconext, users 
can log in as soon as the Identity Provider (IdP) has made the 
connection. Whenever an institution requests a connection to your 
service, we ask the SP if the connection is allowed (for example, 
license agreements sometimes need to be in place).

If there are no restrictions for institutions to use your service, 
please let us know! We can now administer this information, and make the 
technical connection more quickly.

Let us know if there are no restrictions for your service via 
support at surfconext.nl


  Which services are connected to SURFconext?

A recent update of the SURFconext IdP Dashboard 
<https://dashboard.surfconext.nl/> enables everyone, without logging in, to:
- see all connected Service Providers
- check the Attribute Release Policy of a Service Provider
- view the information (for example: the description of the service)
- check which institutions use a service

Is the data about your service incorrect? SPs with access to our SURFconext SP 
Dashboard (learn how to get access 
<https://wiki.surfnet.nl/display/surfconextdev/SP+Dashboard>) can change 
most information themselves. Sending an email will do as well. Please 
contact us at support at surfconext.nl


  SURFsecureID key rollover

SURFsecureID is migrating to a new signing key because the current one is 
almost 5 years old and expires in July of 2020. This means that all 
Service Providers connected to SURFsecureID must take action, otherwise 
their users will no longer be able to log in. There are several migration options 
<https://wiki.surfnet.nl/display/SsID/SURFsecureID+key+rollover>, but 
most SPs can change their SAML connections from SURFsecureID to 
SURFconext (and we'll enable SURFsecureID there). Others will need to 
import new SURFsecureID metadata containing the new signing key. We've 
created a webpage listing the migration options SPs have and the overall 
planning of the key rollover 
<https://wiki.surfnet.nl/display/SsID/SURFsecureID+key+rollover>. We'll 
update this page with more details in the coming period. Support is 
available for any questions or assistance at support at surfconext.nl.


  OpenID Connect migration

The OpenID Connect implementation of SURFconext received a complete 
overhaul in 2019. This means that all OpenID Connect connections will be 
migrated to the new OpenID Connect gateway. Every connected Relying 
Party will receive an email with further details in the coming weeks. If 
you want to prepare, you can already read the migration documentation 
<https://wiki.surfnet.nl/display/surfconextdev/OpenID+Connect+Migration>. 
We have noticed that many Relying Parties are connected, but do not 
generate any logins. If you have a connected RP that is not used, you 
can help us by having it removed from SURFconext. You can do so by 
sending us an email, or by using the SP Dashboard.

