Participating in the SPF

For Service Providers

If you offer any access-restricted resources, joining the Service Provider Federation (SPF) and setting up a Service Provider (

Service Provider. A Shibboleth term. Synonym for an AAI-enabled Resource, although used in a more technical sense.

See: Federated Identity

) is an interesting option. However, before you proceed, it is important that you critically assess the need to set up an SP. See this checklist.

You can join the CLARIN SPF in the following stages: Legal implementation, followed by technical implementation.

1. Legal Implementation

You will be asked to sign the CLARIN Service Provider Federation Agreement, which states:

'A new party (= service provider) enters the Service Provider Federation upon signature of the accession document Annex 5 by the New Party and the Coordinating Party of the Service Provider Federation. Such accession shall have effect from the date identified in the accession document.'

In brief, this means that the new party and the Coordinating Party (CLARIN

European Research Infrastructure Consortium

See: https://research-and-innovation.ec.europa.eu/strategy/strategy-2020-2024/our-digital-future/european-research-infrastructures/eric_en

) will sign a new Annex (= signature page) and this Annex will be attached to the original agreement deposited by the Coordinating Party.

Please complete the following steps:

1. Fill in the yellow fields of document CE-2014-0309 (CLARIN Service Provider Federation Agreement)
2. Send it by e-mail to spf [at] clarin.eu (spf[at]clarin[dot]eu), and mention the email address of who will be electronically signing
3. CLARIN ERIC will prepare the document for an electronic signing (via the signrequest service) and will send the request to sign by email
4. Once the new Service Provider and CLARIN ERIC have signed, both parties will receive an email with the signed agreement
5. Finally, if needed, CLARIN ERIC will sign specific agreements with all participating national Identity Federations on behalf of the new Service Provider (SP).
6. The Service Provider and CLARIN ERIC have to sign. After completing this stage, your Service Provider will be listed on the SPF overview page.

2. Technical Implementation

This stage requires that you complete the following steps:

1. Set up a Service Provider
2. If you have a national Identity Federation, join it with both your SP and
   Identity Provider, a (Shibboleth) server that authenticates users and conveys their attributes to requesting resources. In other terms it provides the digital identities of its users to other servers in the AAI.
   See: Federated Identity
3. Then the

   Security Assertion Markup Language

   See: http://en.wikipedia.org/wiki/SAML

   metadata of the new SP has to be distributed to each participating national Identity Federation. This is to be done by CLARIN ERIC's SPF administrators
4. Furthermore, the SAML metadata about all national Identity Federations' IdPs has to be included in the SAML metadata consumed by the SP, as specified in the SP's configuration. This is to be completed by your SP's operators
5. We finally have to verify that at least one IdP from each national Identity Federation can connect to the new SP. Please spf [at] clarin.eu (contact the SPF administrators).

For Identity Federations

1. Legal Implementation

All parties have to sign the agreement with a new Identity Federation or give a power of attorney to CLARIN ERIC (Coordinating Party) to sign the agreement.

All SPs' operators, CLARIN ERIC and the joining national Identity Federation have to sign.

2. Technical Implementation

The following steps will be performed by the CLARIN ERIC's SPF administrators in cooperation with you:

1. The SAML metadata about all of the SPF's production SPs has to be distributed to the joining national Identity Federation
2. Moreover, the SAML metadata about the joining national Identity Federation's IdPs has to be included in the SAML metadata consumed by each SPF production SP, as specified in the SPs' configurations
3. When that is done, we have to verify that at least one IdP from the joining national Identity Federation can connect to each of the SPF's production SPs.

For Users

If you want to access the SPF production SPs through your national Identity Federation, complete the following steps:

1. First, make sure that you do have an Identity Federation
2. Next, make sure that your organisation operates an Identity Provider connected to your Identity Federation. We need at least one person who can test authentication to one of our SPs with an account managed by your IdP. In case your organisation does not operate an IdP, then it will have to create one and join your national Identity Federation
3. In case of problems, spf [at] clarin.eu (contact the SPF administrators).