Add SURF as a Shibboleth federation

[simong]

It looks like we're in SURF but we're not pulling the set of IdPs we can interface with.

IIUC Surf is not like regular Shibboleth federations but more like a gatekeeper, each institution can toggle which service provider can access their IdP. According to their wiki page we can pull down the list of identity providers we can interface with at:

https://engine.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=https://shib-sp.unity.ac/shibboleth

(I'm aware there are no Identity Providers in there yet)

I think it's just a matter of adding an extra MetadataProvider in the shibboleth config. Once institutions have added (=bought?) the Unity service within SurfContext, their IdP should appear in the list and we should pull it down.

[simong]

Assigning to @davidoae

[davidoae]

OK, some of the shib terminology and processes still bemuses me however I'm fairly sure that we don't need to add the metadata in shib config as their idp is already in the uk federation metadata.
Checking the uk fed data here...
http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
... I can see the vu.nl identityID.

I think all that needs to happen is that someone needs to contact the institution and get them to tell edugain to release the attributes to us.
I hear that Nico already has some sort of relationship with them, maybe he'd know whom to contact there to get the institution to do this.
Unquestionably Steve Potter understands this much better than I and he seems confident about this.

[davidoae]

Nico indicted he's in communication with the institution about this.