GFIPM Reference Federation

From GFIPM Implementation Wiki


This article provides background information about the GFIPM Reference Federation. It also provides guidance on how to use the GFIPM Reference Federation to test IDPs and SPs without the concern of exposing sensitive live data.


Introduction

The GFIPM Reference Federation contains a collection of Internet-accessible IDPs and SPs that are configured for testing purposes. It also contains an IDP Discovery Service (DS).

GTRI maintains the GFIPM Reference Federation and makes it available to prospective NIEF members and other GFIPM program stakeholders for proof-of-concept and interoperability testing. The federation consists of several core software components located in a laboratory at GTRI, as well as other IDP and SP systems that may be connected to the federation from time to time. The core components of the federation are accessible via the Internet and are generally available 24/7; however, GTRI and other GFIPM stakeholders also use it as a test bed, so some of its components may be unavailable at times. To ensure availability of the GFIPM Reference Federation, GTRI recommends that you arrange an appointment at which to perform your formal testing.

Usage Requirements

To use the GFIPM Reference Federation, you must meet the following configuration and networking requirements:

  1. Set up and configure your organization's test IDP and/or SP in your test environment.
  2. Your test user(s) should use a workstation (typically a Windows PC) with an industry-standard Web browser (typically Internet Explorer).
  3. Your testing environment must have the following network connectivity:
    • Your test users must have network connectivity to your IDP.
    • Your test users should have network connectivity to the Reference IDP. While this is not required, it is a great convenience, because the Reference IDP contains a number of useful test identities that can be used by any test users.
    • Your test users must have network connectivity to your SP.
    • Your test users must have network connectivity to the GFIPM Reference Federation SPs and IDP Discovery Service (DS) over the Internet.
    • The GFIPM Reference Federation SPs and DS are listening on ports 80 and 443 on the Internet, so your site must allow outbound traffic on these ports.
    • Other test users (such as at GTRI) must have network connectivity to your SP over the Internet. This means that your test environment must allow inbound traffic to your SP server, usually on ports 80 and 443 (or possibly other ports depending on your SP).
    • Note: Inbound traffic from the Internet to your IDP is not required for other test users or SPs unless your own test users need to come in from the Internet (and they are not using a VPN or other security layer). Due to security considerations, participants' IDPs are normally not exposed to the Internet.
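The connectivity requirements above can be checked before a test appointment rather than discovered during it. The following script is an added example, not part of the wiki page or any GTRI tooling: it probes the TCP ports the page names (80 and 443) toward the reference federation hosts listed on this page and toward placeholder hostnames (`idp.example.test`, `sp.example.test`) that stand in for your own test IDP and SP. Only the outbound direction is probed; the inbound check (other test users reaching your SP) has to be run from outside your network.

```python
"""Outbound TCP reachability checklist for GFIPM Reference Federation testing.

Added example; not code from the wiki page or from GTRI. The reference
federation hostnames come from the page; the two *.example.test hosts are
placeholders for your own test IDP and SP and must be replaced.
"""
import socket
from typing import List, NamedTuple, Tuple


class Check(NamedTuple):
    label: str
    host: str
    port: int
    required: bool  # False for the "should" items on the page (Reference IDP)


# Endpoints named on the page. SPs and the DS listen on 80 and 443, so both
# ports are probed for them; the Reference IDP is a convenience, not a must.
REFERENCE_CHECKS: List[Check] = [
    Check("Reference SP (https)", "rhelsp.ref.gfipm.net", 443, True),
    Check("Reference SP (http)", "rhelsp.ref.gfipm.net", 80, True),
    Check("IDP Discovery Service (http)", "ref.gfipm.net", 80, True),
    Check("IDP Discovery Service (https)", "ref.gfipm.net", 443, True),
    Check("CISA Reference SP (https)", "cisasp.swbs.gtri.gatech.edu", 443, True),
    Check("Reference IDP (https)", "rhelidp.ref.gfipm.net", 443, False),
    # Placeholders (hypothetical): replace with your own test IDP/SP hosts.
    Check("Your test IDP (placeholder)", "idp.example.test", 443, True),
    Check("Your test SP (placeholder)", "sp.example.test", 443, True),
]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    DNS failure, connection refused, timeout and unreachable network all
    surface as OSError (socket.gaierror is a subclass), so they map to False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checklist(checks: List[Check], timeout: float = 3.0) -> List[Tuple[Check, bool]]:
    """Probe every check in order and pair it with its result."""
    return [(c, probe_tcp(c.host, c.port, timeout)) for c in checks]


def blocking_failures(results: List[Tuple[Check, bool]]) -> List[Check]:
    """Return the failed checks that the page marks as required ("must")."""
    return [c for c, ok in results if c.required and not ok]


def local_self_check() -> bool:
    """Deterministic offline check of probe_tcp against a loopback listener.

    Opens an ephemeral port on 127.0.0.1, expects the probe to succeed, closes
    the listener, and expects the same probe to be refused.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        reachable = probe_tcp("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    refused = not probe_tcp("127.0.0.1", port, timeout=2.0)
    return reachable and refused


if __name__ == "__main__":
    # Usage: python connectivity_check.py (needs Internet access for real hosts)
    outcome = run_checklist(REFERENCE_CHECKS)
    for check, ok in outcome:
        status = "ok" if ok else ("FAIL" if check.required else "warn")
        print(f"{status:5} {check.label:32} {check.host}:{check.port}")
    failures = blocking_failures(outcome)
    print("ready for testing" if not failures else f"{len(failures)} required check(s) failed")
```

The checklist deliberately separates "must" from "should": a blocked Reference IDP only costs you the convenience of the shared test identities, whereas a blocked SP or DS port means the SAML redirects will never complete.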

Never disseminate live (real) data via the GFIPM Reference Federation. It is imperative that your test IDPs and SPs contain no real data when testing in the GFIPM Reference Federation or any other nonproduction GFIPM testing environment.

Agencies that are interested in the GFIPM program are invited to join the GFIPM Reference Federation to learn more about operating within the federation. By joining the GFIPM Reference Federation, an agency can do all of the following:

  • Verify proper generation and processing of GFIPM Metadata.
  • Verify interoperability with other federation members.
  • Learn how to deploy SAML2 software.
  • Test new deployment strategies.
  • Use test identities to test its SP.
  • Test new services with reference IDPs.
  • Test IDPs with reference SPs.
  • Examine and analyze other agencies' reference SPs.

The early federation components were reference implementations of each major functional component. These reference components were deployed by GTRI, and they serve two purposes. First, the process of deploying and maintaining the reference components serves as a valuable learning experience and a source of documentation artifacts that may be used by other participants. Second, the reference components themselves provide a valuable testing platform for each organization's IDP and/or SP deployments. Each reference component is discussed in the following articles:



Useful GFIPM Reference Federation Information

The GFIPM Reference Federation contains useful test documentation as well as reference SPs and IDPs, the Discovery Service, and the signed federation trust fabric document. These items are summarized below with their respective URLs.

  • GFIPM Reference Federation Home: http://ref.gfipm.net/
    This Web site offers an introduction to current members and prospective members of a GFIPM federation for the purpose of getting started using the GFIPM Reference Federation. The GFIPM Reference Federation is a public federation that agencies interested in GFIPM are invited to join to learn more about operating within a federation. Topics covered on this Web site include the following:
    • Overview and purpose
    • Information for participating
    • Members and their reference resources
    • Downloads page
    • FAQ
    • How to get more help
  • Reference Federation Downloads
  • Reference Federation FAQ (somewhat specific to Shibboleth deployments)
  • Reference SP: https://rhelsp.ref.gfipm.net
    This test Service Provider contains one Shibboleth-protected resource that requires authentication at a GFIPM Reference Federation IDP. When you try to use the resource, you will be redirected to the GFIPM Reference Federation's IDP Discovery Service.
  • Reference IDP: https://rhelidp.ref.gfipm.net
    This test Identity Provider contains multiple test GFIPM user attribute sets for use by federation members in SAML assertions for testing. These attribute sets are suitable for testing a new Service Provider in the GFIPM Reference Federation. The attribute sets represent identities with a wide variety of authentication and privilege information. There are also multiple similar user attribute sets that vary only slightly among themselves, so that testers can observe the effect of small privilege changes on their SPs.
    Important: Because these user attribute sets do not represent real people, they must not be used to access live data.
  • GFIPM Reference Federation IDP Discovery Service (DS): http://ref.gfipm.net/ds/
    The DS is a service that discovers the user's IDP and provides that information to the SP, so that the SP knows which IDP to use in the subsequent SSO process.
  • Federation Trust Fabric File: http://ref.gfipm.net/gfipm-signed-ref-metadata.xml
    A document signed by the Federation Manager Organization, containing trusted information about each IDP and SP in the federation. It includes X.509 certificate data for each software entity, as well as a GFIPM Entity Assertion providing various informational attributes about each entity. This GFIPM Trust Fabric is the cryptographic trust anchor for all federation transactions. Before any new SP or IDP can join the GFIPM Reference Federation, the federation manager must first enter it into this file. All operational SPs and IDPs must download and use this file. In addition, the providers must periodically check for new versions and download them (new versions are typically announced to the participant administrators by e-mail).
  • CISA Reference SP: https://cisasp.swbs.gtri.gatech.edu
    This is a complete test version of the CISAnet production SP, with test resources and access control rules suitable for testing IDPs and test user identities.
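Because the trust fabric file is the trust anchor for every federation transaction, an SP or IDP operator should inspect a freshly downloaded copy before loading it: which entities it lists, which certificates they carry, whether it is still within its validity window, and whether the enveloped signature actually references the document root. The script below is an added example, not code from the wiki page or from GTRI; it works on a constructed, miniature SAML 2.0 metadata document (the base64 "certificates" are made-up bytes, and the `ID`, `entityID` and `validUntil` values are invented). It performs the structural checks only; cryptographic verification of the signature against the federation manager's certificate must still be done with an XML-DSig verifier (for example the one built into Shibboleth's metadata providers).

```python
"""Structural pre-use checks for a signed trust fabric (SAML 2.0 metadata).

Added example; not code from the wiki page or from GTRI. It does NOT verify
the XML signature cryptographically; it only checks that one is present and
that it covers the document root.
"""
import base64
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample document; the certificate payloads are not real X.509 DER.
SAMPLE_TRUST_FABRIC = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_fabric1" Name="urn:example:ref-federation" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_fabric1"/></ds:SignedInfo>
    <ds:SignatureValue>QUJD</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtaWRwLWNlcnQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtc3AtY2VydA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 hex fingerprint of the base64 payload (whitespace-tolerant)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def entity_summary(root: ET.Element) -> List[Dict]:
    """One record per EntityDescriptor: entityID, roles, cert fingerprints."""
    out = []
    for ed in root.findall("md:EntityDescriptor", NS):
        roles = []
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.append("IDP")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            roles.append("SP")
        certs = [cert_fingerprint(c.text or "") for c in ed.iterfind(".//ds:X509Certificate", NS)]
        out.append({"entityID": ed.get("entityID"), "roles": roles, "cert_sha256": certs})
    return out


def signature_covers_root(root: ET.Element) -> bool:
    """True if an enveloped ds:Signature references the root ID (or the whole doc)."""
    root_id = root.get("ID")
    sig = root.find("ds:Signature", NS)
    if sig is None or root_id is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return any(r.get("URI") in ("", "#" + root_id) for r in refs)


def is_still_valid(root: ET.Element, now: datetime) -> bool:
    """False once the root's validUntil (UTC, xs:dateTime) has passed."""
    vu = root.get("validUntil")
    if vu is None:
        return True  # no expiry stated; publishers normally set one
    expiry = datetime.strptime(vu, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now < expiry


def check_trust_fabric(xml_text: str, now_iso: Optional[str] = None) -> Dict:
    """Parse the document and return its entities plus a list of problems."""
    root = ET.fromstring(xml_text)
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    entities = entity_summary(root)
    problems = []
    if not signature_covers_root(root):
        problems.append("signature does not reference the document root")
    if not is_still_valid(root, now):
        problems.append("validUntil has passed")
    for e in entities:
        if not e["roles"]:
            problems.append(f"{e['entityID']}: no IDP or SP role")
        if not e["cert_sha256"]:
            problems.append(f"{e['entityID']}: no X509Certificate")
    return {"entities": entities, "problems": problems}


if __name__ == "__main__":
    report = check_trust_fabric(SAMPLE_TRUST_FABRIC)
    for e in report["entities"]:
        print(e["entityID"], e["roles"], [fp[:16] for fp in e["cert_sha256"]])
    print("problems:", report["problems"] or "none")
```

Comparing the fingerprints printed for a new download against the ones from the previously loaded copy is a cheap way to notice that an entity's key changed, which is exactly the kind of event the e-mail announcements mentioned above are meant to accompany.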