You can now use your SAFIRE credentials!
After much head scratching by @MarcoFargetta_0c9b we've managed to add this forum as a service provider of the South African Federated Identity for Research and Education (SAFIRE).
A lot of work had to be done to get to this point, so HT to @SakhiHadebe_1c36 and colleagues at SANREN, as well as @MarcoFargetta_0c9b who put in a solid week of debugging.
Getting SAFIRE on board.
This forum has recently been added to eduGAIN after passing through the testing phase of the Italian federation IDEM. It is also included as a service provider in the national federations of Norway and Sweden, as well as the catch-all federation GrIDP - basically anyone from Europe can log in and use the service, and many people from African countries who have IdPs in GrIDP can too.
However, South Africa has a nascent identity federation and we really wanted to include this as a true service in that federation instead of just allowing individual IdPs of SAFIRE to authenticate users to it. This is where things started to get complicated...
@SakhiHadebe_1c36 first had to generate federation metadata for SAFIRE. The discovery service listed individual service provider metadata and individual identity provider metadata, but not the federation metadata necessary to include it in the SAML federation service selection of the forum login phase. Once that was done, we could select SAFIRE as a federation.
Once @SakhiHadebe_1c36 had lovingly hand-crafted the federation metadata, we thought we'd slain the beast - but nothing was further from the truth! We'd only exposed the fact that the CSIR Identity Provider does not scope the identity's attributes, which resulted in a lot of 403 - thou shalt not pass.
This confused us for quite a while, since we couldn't understand why the filter on the SP wasn't passing through the right attributes, particularly the eppn. Upon very close inspection and with utmost dedication, @MarcoFargetta_0c9b found out why - the attribute wasn't scoped properly. I'll let him describe that in further detail.
It's all good!
Now, since I'm from the CSIR, I select the CSIR identity provider, authenticate myself to my home institute and voilà I'm logged in!
Well, kinda - since I've already created an account previously and associated it with a different email address, the DiscourseSSO microservice which was developed to handle the SAML parsing has created a new user. This should be irrelevant to all new users though, and since we've only enabled federated authentication, this won't affect anyone else.
So come on in and join the discourse.
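To illustrate the "403 - thou shalt not pass" behaviour described above, here is an added example (not code from this forum, SANReN, SAFIRE or the DiscourseSSO microservice) that mimics the scope check a Shibboleth-style SP attribute filter applies to eduPersonPrincipalName: a value is only kept if it carries a scope that the IdP's metadata declares. The assertions, the scope `csir.example` and the `authorize` helper are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName (eppn)

# Constructed minimal assertions: the SAML envelope is reduced to the AttributeStatement.
_TMPL = (
    '<saml:Assertion xmlns:saml="{ns}"><saml:AttributeStatement>'
    '<saml:Attribute Name="{oid}"><saml:AttributeValue>{val}</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)
SCOPED_ASSERTION = _TMPL.format(ns=SAML_NS, oid=EPPN_OID, val="alice@csir.example")
UNSCOPED_ASSERTION = _TMPL.format(ns=SAML_NS, oid=EPPN_OID, val="alice")
FOREIGN_SCOPE_ASSERTION = _TMPL.format(ns=SAML_NS, oid=EPPN_OID, val="alice@other.example")

# Constructed stand-in for the <shibmd:Scope> elements an IdP publishes in federation metadata.
IDP_SCOPES = {"csir.example"}


def extract_eppn(assertion_xml):
    """Return every eppn AttributeValue found in the assertion, in document order."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != EPPN_OID:
            continue
        values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", ns) if v.text)
    return values


def scope_of(value):
    """Scope is the part after the last '@'; None when the value is unscoped."""
    return value.rsplit("@", 1)[1].lower() if "@" in value else None


def filter_eppn(assertion_xml, idp_scopes):
    """Keep eppn values whose scope is declared by the IdP (as the SP's
    AttributeScopeMatchesShibMDScope rule does); everything else is dropped."""
    accepted, rejected = [], []
    for value in extract_eppn(assertion_xml):
        scope = scope_of(value)
        (accepted if scope is not None and scope in idp_scopes else rejected).append(value)
    return accepted, rejected


def authorize(assertion_xml, idp_scopes):
    """HTTP status the SP answers: 200 when a usable eppn survives the filter, else 403."""
    accepted, _ = filter_eppn(assertion_xml, idp_scopes)
    return 200 if accepted else 403
```

An IdP that emits a bare username, or a scope it does not own, ends up in the rejected list, so the SP never sees an eppn and the login fails exactly as it did for the CSIR IdP here.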