Difference between revisions of "How to Implement a GFIPM Service Provider"

From GFIPM Implementation Wiki
Revision as of 18:40, 23 May 2011



This article lists the steps necessary to implement a GFIPM Service Provider (SP):

  1. Develop a GFIPM Information Sharing Plan for a Service Provider
  2. Submit a Request for Federation Membership as a Service Provider
  3. Choose an SP Product
  4. Implement a GFIPM SP
  5. Write an SP Test Plan
  6. Deploy an SP in a Test Environment
  7. Execute an SP Test Plan
  8. Deploy an SP in an Operational Federation



Deploying an SP in a Test Environment

This section presents steps required to deploy an SP in a test environment to ensure its connectivity and interoperability with GFIPM IDPs within the context of the GFIPM Trust Fabric.

Any new SP must be "connected" to a test environment by adding the SP to the test environment's trust fabric. The trust fabric update process consists of these steps:

  1. Provide your SP's entity metadata to the federation manager.
  2. The federation manager adds the new entity to the test environment trust fabric.
  3. All participants in the test environment load the new test environment trust fabric into their IDPs and SPs.

You can test whether your SP has been successfully added to the test environment's trust fabric by verifying its SAML interoperability with IDPs in the test environment, for example by completing a single sign-on exchange against each test IDP once every participant has loaded the new trust fabric.

The GFIPM Reference Federation is an excellent resource that is generally available for use as a test environment for GFIPM SPs. It contains a large number of useful and necessary resources for implementing and testing your service provider. These topics are covered more thoroughly in Appendix A.

Executing an SP Test Plan

Once you have written your test plan and implemented your Service Provider, you must execute the test plan.

Software issues almost always arise during testing, but experience has shown that personnel scheduling problems and network configuration problems cause the most delays. The bottom line is that you must make sure all required personnel (especially testing partners from other organizations) will be available as scheduled during the testing process, and that every machine used in testing can reach its partner systems on all required ports (confirm firewall and proxy rules before the test window, not during it).

Work through your test plan. Take thorough notes, and compile a test report to be distributed within your organization and to all testing partners.

Deploying an SP in an Operational Federation

This section presents the steps required to deploy an SP in the operational federation to ensure its connection to, and interoperability within, the GFIPM Trust Fabric.

During your deployment in the test environment, you were able to use all the test environment's resources. If you are now deploying your SP in the NIEF operational federation, here are the equivalent production resources that you can leverage:

Note that there are no test IDPs or SPs in an operational federation such as NIEF. The operational federation contains live data, and test identities should never be used within it.

Any new SP must be "connected" to the NIEF federation (or your own GFIPM federation) by adding the SP to the federation's trust fabric. The trust fabric update process consists of these steps:

  1. Provide your SP's entity metadata to the federation manager.
  2. The federation manager adds the new entity to the federation trust fabric.
  3. All participants load the new federation trust fabric into their IDPs and SPs.
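The trust fabric update procedure is the same in the test environment and in the operational federation, and in both cases the practical check after step 3 is the same: confirm that the fabric you loaded really carries your SP entry with the certificate you deployed, and work out which IDP endpoints you will test against. The script below is an added example (not code from the GFIPM wiki or any federation's tooling). It assumes, as in the GFIPM Cryptographic Trust Model, that the trust fabric is a SAML 2.0 metadata EntitiesDescriptor signed by the federation manager; the entity IDs, endpoints and certificates are constructed placeholders, and the fabric document is an abbreviated, constructed sample rather than one issued by any federation.

```python
"""Sanity-check an SP's entry in a GFIPM trust fabric (SAML 2.0 metadata).

Added example with constructed data; the entity IDs, endpoints and
"certificates" are placeholders, not values from any real federation.
"""
import base64
import hashlib
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical SP entity ID and placeholder certificate bodies (valid
# base64, but not DER certificates).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_LOCAL_CERT = base64.b64encode(b"constructed SP certificate placeholder").decode()
OTHER_CERT = base64.b64encode(b"some other certificate placeholder").decode()

# Constructed, abbreviated trust fabric: one IDP plus our SP. The SP
# certificate is deliberately line-wrapped, as published metadata often is.
TRUST_FABRIC_XML = f"""<md:EntitiesDescriptor Name="urn:example:test-fabric"
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.gov/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{OTHER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.gov:8443/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_ENTITY_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {SP_LOCAL_CERT[:24]}
          {SP_LOCAL_CERT[24:]}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_fabric(xml_text):
    return ET.fromstring(xml_text)


def is_signed(root):
    """Presence check only. Verifying the XML-DSig against the federation
    manager's certificate needs an XML-DSig library (xmlsec, OpenSAML);
    do that before trusting any IDP listed in the fabric."""
    return root.find("ds:Signature", NS) is not None


def cert_fingerprint(b64_text):
    """SHA-256 over the decoded bytes, so line wrapping in the metadata
    does not matter."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def find_entity(root, entity_id):
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def sp_certs_match(root, entity_id, local_cert_b64):
    """True when the certificate you actually deployed appears in your
    SP's fabric entry; a mismatch breaks signature and encryption checks."""
    ed = find_entity(root, entity_id)
    if ed is None:
        return False
    want = cert_fingerprint(local_cert_b64)
    return want in [cert_fingerprint(c.text) for c in ed.findall(".//ds:X509Certificate", NS)]


def idp_endpoints(root):
    """(entityID, binding, location) for every IDP SSO endpoint in the fabric."""
    out = []
    for ed in root.findall("md:EntityDescriptor", NS):
        for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            out.append((ed.get("entityID"), sso.get("Binding"), sso.get("Location")))
    return out


def required_tcp_targets(root):
    """Distinct (host, port) pairs the SP host must reach for IDP SSO."""
    targets = set()
    for _, _, loc in idp_endpoints(root):
        u = urlsplit(loc)
        targets.add((u.hostname, u.port or (443 if u.scheme == "https" else 80)))
    return sorted(targets)


def tcp_reachable(host, port, timeout=3.0):
    """Live probe for the test-day network checklist; not run offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fabric_report(xml_text, entity_id, local_cert_b64):
    root = parse_fabric(xml_text)
    return {
        "signed": is_signed(root),
        "sp_present": find_entity(root, entity_id) is not None,
        "sp_cert_matches": sp_certs_match(root, entity_id, local_cert_b64),
        "idp_targets": required_tcp_targets(root),
    }


if __name__ == "__main__":
    print(fabric_report(TRUST_FABRIC_XML, SP_ENTITY_ID, SP_LOCAL_CERT))
```

Run it against the fabric file the federation manager actually published (and your deployed certificate) rather than the embedded sample, and feed the host:port list to `tcp_reachable` from each SP host before the test window. The signature check here only confirms a signature element exists; because every IDP in the fabric becomes an identity source your SP will accept, verify the signature with the federation manager's certificate before loading a fabric, or a tampered file could add an IDP that was never admitted to the federation.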

Before or during your deployment, you must also fill out an Implementation Documentation Form for SPs and submit it to your federation manager as part of the membership application process. A template of this form is available from your federation manager. It requests the following information:

  • SP software platform details (OS, Web Server, SAML Software, etc.)
  • GFIPM Metadata enablement of resources
  • Network configuration notes

Your ability to test your SP in the operational federation will be limited because of the lack of test IDPs in the operational federation. According to the usage policies of most SPs in an operational federation, only real users using real identities (with valid user data, permissions, and privileges) are permitted to use (i.e., test) the production systems. Therefore, when executing your SP's Test Plan in the operational federation, you must perform the necessary tests using real users (from your organization and others). As before, write a Test Report to be distributed within your organization and to all testing partners.

To publicize your organization's resources to federation users, you must supply a list of your GFIPM-available resources to the federation manager, including the following information about each resource:

  • Resource name
  • Resource description
  • How to use the resource
  • Access control policy
  • Usage scenarios

Extensive examples for the above information are available at http://nief.gfipm.net/ for each of the existing participants.

