GFIPM Reference Federation
This article provides background information about the GFIPM Reference Federation. It also provides guidance on how to use the GFIPM Reference Federation to test IDPs and SPs without the concern of exposing sensitive live data.
The GFIPM Reference Federation contains a collection of Internet-accessible IDPs and SPs that are configured for testing purposes. It also contains an IDP Discovery Service (DS).
GTRI maintains the GFIPM Reference Federation and makes it available to prospective NIEF members and other GFIPM program stakeholders for proof-of-concept and interoperability testing. The federation consists of several core software components located in a laboratory at GTRI, as well as other IDP and SP systems that may be connected to the federation from time to time. The core components of the federation are accessible via the Internet and are generally available 24/7; however, GTRI and other GFIPM stakeholders also use it as a test bed, so some of its components may be unavailable at times. To ensure that the GFIPM Reference Federation is available when you need it, GTRI recommends that you arrange an appointment for your formal testing.
To use the GFIPM Reference Federation, you must meet the following configuration and networking requirements:
- Set up and configure your organization's test IDP and/or SP in your test environment.
- Your test user(s) should use a workstation (typically a Windows PC) with an industry-standard Web browser (typically Internet Explorer).
- Your testing environment must have the following network connectivity:
  - Your test users must have network connectivity to your IDP.
  - Your test users should have network connectivity to the Reference IDP. While this is not required, it is a great convenience, because the Reference IDP contains a number of useful test identities that can be used by any test users.
  - Your test users must have network connectivity to your SP.
  - Your test users must have network connectivity to the GFIPM Reference Federation SPs and Discovery Service (DS) over the Internet.
    - The GFIPM Reference Federation SPs and DS listen on ports 80 and 443 on the Internet, so your site must allow outbound traffic on these ports.
  - Other test users (such as those at GTRI) must have network connectivity to your SP over the Internet. This means that your test environment must allow inbound traffic to your SP server, usually on ports 80 and 443 (or possibly other ports, depending on your SP).
    - Note: Inbound traffic from the Internet to your IDP is not required for other test users or SPs unless your own test users need to come in from the Internet (and they are not using a VPN or other security layer). Due to security considerations, participants' IDPs are normally not exposed to the Internet.
Never disseminate live (real) data via the GFIPM Reference Federation. It is imperative that your test IDPs and SPs contain no real data when testing in the GFIPM Reference Federation or any other nonproduction GFIPM testing environment.
Agencies that are interested in the GFIPM program are invited to join the GFIPM Reference Federation to learn more about operating within the federation. By joining the GFIPM Reference Federation, an agency can do all of the following:
- Verify proper generation and processing of GFIPM Metadata.
- Verify interoperability with other federation members.
- Learn how to deploy SAML2 software.
- Test new deployment strategies.
- Use test identities to test its SP.
- Test new services with reference IDPs.
- Test IDPs with reference SPs.
- Examine and analyze other agencies' reference SPs.
The early federation components were reference implementations of each major functional component. These reference components were deployed by GTRI, and they serve two purposes. First, the process of deploying and maintaining the reference components serves as a valuable learning experience and a source of documentation artifacts that may be used by other participants. Second, the reference components themselves provide a valuable testing platform for each organization's IDP and/or SP deployments. Each reference component is discussed in the following articles:
- Reference Identity Provider (IDP)
- Reference Service Provider (SP)
- Reference IDP Discovery Service (DS)
- Useful GFIPM Reference Federation Information