In the Test Federation, please conduct connection tests of IdPs and SPs according to the following rules.
GakuNin Production Federation draws up administration standards in a separate document called “System Administration Standards for the GakuNin” (“System Administration Standards”).
Based on the “System Administration Standards”, the Rules of the Test Federation amends and mitigates standards in order to serve the Test Federation. Please read the following rules as well as the “System Administration Standards” of the Production Federation, and be aware of the differences.
GakuNin Academic Access Management Federation, Rules of the Test Federation (Ver 1.1)
1. The System of the Test Federation
The Test Federation utilizes each system listed below as a test environment,
independent from the production environment of the GakuNin Production Federation.
1.1) Metadata (the Test Federation Metadata)
Name=“GakuNin-test”
Public URL: https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml
1.2) Certificate for Federation Metadata Signature
In the Test Federation, the following Signature Certificate is used:
Public URL: https://metadata.gakunin.nii.ac.jp/gakunin-test-signer-2020.cer
SHA256 Fingerprint=FA:11:11:5B:EC:13:4D:55:85:AF:60:32:E1:6C:01:01:EF:9C:A0:6B:17:8C:8B:9C:7F:2B:69:41:EB:68:30:1E
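An added example, not part of the GakuNin rules: one way to check that a downloaded copy of the signing certificate matches the fingerprint published in 1.2 before configuring it as the trust anchor for the Test Federation Metadata. The function names, the script name and the sample bytes are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import re

# SHA256 fingerprint published in section 1.2 of the rules.
PINNED_SHA256 = ("FA:11:11:5B:EC:13:4D:55:85:AF:60:32:E1:6C:01:01:"
                 "EF:9C:A0:6B:17:8C:8B:9C:7F:2B:69:41:EB:68:30:1E")
# Constructed sample bytes for exercising the helpers; NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not the GakuNin signing certificate"
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes whether the .cer file is PEM or already DER."""
    m = _PEM_RE.search(cert_bytes)
    if m is None:
        return cert_bytes
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def normalize_fingerprint(text: str) -> bytes:
    """Parse 'AA:BB:...' or 'aabb...' (line wraps allowed) into 32 raw bytes."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))
    if len(raw) != 32:
        raise ValueError("not a SHA-256 fingerprint")
    return raw

def sha256_fingerprint(cert_bytes: bytes) -> str:
    """Colon-separated uppercase SHA-256 over the DER encoding."""
    h = hashlib.sha256(to_der(cert_bytes)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def matches_pin(cert_bytes: bytes, pinned: str = PINNED_SHA256) -> bool:
    """True only if the certificate hashes to the pinned fingerprint."""
    actual = hashlib.sha256(to_der(cert_bytes)).digest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_signer.py <downloaded .cer file>")
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    print(sha256_fingerprint(data))
    sys.exit(0 if matches_pin(data) else "fingerprint mismatch: do not trust")
```

The fingerprint is computed over the DER encoding, so a PEM and a DER copy of the same certificate give the same value.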
1.3) DS (Discovery Service, which is provided within the Test Federation)
https://test-ds.gakunin.nii.ac.jp/WAYF
1.4) Attribute Viewer Service
The Test Federation provides the following attribute viewer service. This is a
service that displays attribute values sent from the testing IdP.
Furthermore, the attribute information (including personal information such as
names and email addresses) which is exchanged between test SPs and IdPs
will be recorded in an access log and published on the Web for debugging
purposes. Therefore, please make sure to use dummy data for connection tests.
(*) In order to enable an IdP to conduct tests, ‘test-sp1’ and ‘test-sp3’
provide a function that displays a Shibbolized SP’s access log so that the
entity can check for errors on SP’s side.
1.5) IdP for connection test to SP
In order to enable an SP to conduct tests, the following test IdP is provided to
the SP developer. Please contact GakuNin Office if you would like to use testing IDs.
Entity ID = “https://test-idp1.gakunin.nii.ac.jp/idp/shibboleth”
DisplayName in DS=“GakuNin Test IdP”
2. The Mitigation of the System Administration Standards
The following items are the subject of mitigated rules for the purposes of
connection tests.
2.1) Protocol
An entity may conduct tests with various protocols as long as they do not affect
the Test Federation as a whole.
2.2) Attribute Information
An entity may use various attribute information as long as it does not affect the
Test Federation as a whole.
2.3) Trusted Certificate Authority
Regarding the certificates for XML signature or TLS mutual authentication,
an entity may use any certificates according to the system environment of each
participating entity.
3. Security
In order to maintain the security of each Test-Federation participating entity,
an entity must comply with the following items stipulated in this section.
3.1) The Use of the Test Account
When using the Test Federation, please do so with a test account and attributes
prepared within an IdP. In cases where the use of real accounts or attributes is
inevitable, please use them with a full understanding of the associated
risks and at the entity’s own responsibility, and, if necessary, with an
agreement in advance among the participating entities. This is because the Test
Federation was developed and is operated on the assumption that each entity
only uses test accounts and attributes. Therefore, it is highly possible that it
lacks the consideration necessary for using real accounts and attributes, and
thus, there may be risks such as leakage of personal information.
3.2) The Responsibility of Participating Organizations
The organizations that participate in the Test Federation shall not be liable for
damages incurred by connection tests, apart from damages caused by intent or
gross negligence. This rule, however, does not prevent an entity from making a
separate arrangement among the participating organizations regarding the
liability of connection tests.