SURFconext cannot technically verify the configuration steps below as we are not a customer of this service provider. We have collected the information below from Elsevier and our connected instituions to the best of our knowledge. If you have remarks or tips you want to share, please send them to support@surfconext.nl.
Every institution gets their own instance of Elseviers service Pure. This instance is unique to your institute and needs to be be configured by you. This is known as a Single Tenant Service in SURFconext. You need to get in touch with both Elsevier and with us (support@surfconext.nl) to set things up.
When you have the instance Pure ready, the instance can be added to SURFconext by making use of the Service Provider Dashboard. See this page for a detailed description how to make use of the Service Provider Dashboard. Ask for access to the Service Provider dashboard by sending us a mail at support@surfconext.nl. We will setup a Pure space for your institute.
Configuration of Pure
The configuration of SURFconext in Pure is straightforward and documented by Elsevier. Get in touch with Elsevier at pure-support@elsevier.com to get going. Please refer to the pdf below as made by Elsevier to configure the entity in Pure. Always keep the latest documentation at hand.
Note that the full URL to the IDP metadata for SURFconext differs for test and production, use them accordingly:
- https://metadata.surfconext.nl/idp-metadata.xml (Production)
- https://metadata.test.surfconext.nl/idp-metadata.xml (Test)
Once you have completed the configuration steps as pointed out in the manual from Pure you can use SURFconext as a validation of your user through Single Sign-On with your institutions Identity Management system.
Take the used attributes into consideration before you continue. Make sure you use something unique like urn:mace:dir:attribute-def:eduPersonTargetedID, urn:mace:dir:attribute-def:eduPersonPrincipalName, or urn:mace:dir:attribute-def:uid as pointed out in the documentation from Elsevier. See the information below and read our attributes page if you want to find out more on this.
The next step is to configure Pure in SURFconext!
Configure Pure in SURFconext
When you are done setting up Pure, the instance must be added to SURFconext by making use of the Service Provider Dashboard. Ask for access to the Service Provider dashboard by sending us a mail at support@surfconext.nl. We will setup a Pure space for you. See this page for a detailed description how to make use this Dashboard.
To summarize, follow these steps:
- Ask us to setup a Pure instance for you in our SP Dashboard by sending us a mail at support@surfconext.nl. let us know who will be working on this on your end so we can send the invites to the people involved.
- If you do not have an institutional account you must setup an account using our guest IdP eduID. See this page for a detailed description how to do so.
- Configure the Pure instance in our SP Dashboard.
- A detailed description how to configure the SAML 2.0 instance can be found here.
- You can copy your Pure instance metadata URL in the 'Import URL' field of the SP Dashboard. Press import to make it so.
- Fill out all the additional fields that are not present in the Pure metadata, but needed for SURFconext. These are fields like the name of the service, contact information, etc. Use functional addresses as much as possible for the contacts (e.g. support@institution.com).
- Copy Pure's public key certificate in the certificate field.
- Choose an attribute to use with Pure and motivate the use of this attribute in the corresponding field. See the paragraph about the attribute below for suggestions.
- Check your Pure configuration to see if the configured attribute corresponds.
- Press publish and you are done with the configuration!
Remember that at this point your institute (Identity Provider) still needs to be connected to your service. This requires some action on your end as well as ours. See how this works (Dutch only).
Choose the Attribute to uniquely identify users
The service needs an attribute to uniquely identify a user. Refer to our attributes page for a complete overview of available attributes. You have got several options for for Pure to uniquely identify someone:
- urn:mace:dir:attribute-def:uid
- The uid is generally a unique code for a person that is used as the login name within the institution.
- For privacy use the eduPersonTargetedID in stead of this one
- urn:mace:dir:attribute-def:eduPersonPrincipalName
- This is a scoped identifier for a person. It should be represented as user@scope, where user is a name-based identifier for a person.
- As with the uid, it is preferred to not use this to uniquely identify users. Use the eduPersonTargetedID or instead.
- urn:mace:dir:attribute-def:eduPersonTargetedID
- The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.
- eduPersonTargetedID which is basically a copy of the NameID is generated using the uid, schacHomeOrganization, the Entity ID of the service provider together with a secret that uses a SHA algorithm. This ID is generated for this service is unique in SURFconext and the most privacy aware you can use.
- This is not a human-readable unique identifier, e.g.: bd09168cf0c2e675b2def0ade6f50b7d4bb4aae