Introducing the CLARIN Single sign-on proxy

The CLARIN Single Sign-On (SSO) SAML proxy is now entering its production testing phase

We are modernizing our Service Provider Federation (SPF) infrastructure to make it more reliable, flexible, faster, and easier to operate in a landscape where authentication and authorization technologies evolve rapidly.

Many of you have already heard about our plans to migrate the CLARIN SPF to an SSO proxy architecture inspired by the AARC blueprint for research infrastructures (RIs). This approach aligns us with current best practices and allows us to benefit from standardization and the experience of other communities.

Key advantages of the SSO proxy

  • A normalized and consistent attribute set for all CLARIN community Service Providers (SPs).
  • The ability to request missing attributes from users before they reach a CLARIN SP.
  • Improved handling of Identity Providers (IdPs) that do not release essential attributes (e.g., email). Missing attributes can be collected directly from the user.
  • Guaranteed propagation of SAML metadata changes within a defined time window (currently 1 hour, adjustable).
  • Extended support for OAuth use cases. Since the proxy supports OAuth, CLARIN SPs can rely on it even when upstream IdPs do not. The proxy adds OAuth functionality transparently when needed.
  • More predictable SP whitelisting behavior. Although we encourage IdPs to whitelist based on the clarin-member entity category, in practice they whitelist by entityID. Because all community SPs behind the proxy share the same entityID, whitelisting one effectively whitelists all.
  • Guaranteed synchrony between the Discovery Service (DS) entries and the IdPs trusted by the proxy.

Although our timeline has shifted for various reasons, the proof‑of‑concept phase produced strong results, and we are now ready to evaluate the operational characteristics of the new setup.

During this production testing phase, we will assess how institutional IdPs worldwide trust and interact with the proxy. This will help us fine‑tune attribute mappings across the diverse eduGAIN ecosystem. In parallel, we will deploy the proxy in a high‑availability configuration to improve resilience.

Technically, the proxy is deployed using our existing UnityIDM instance, which also hosts the CLARIN homeless IdP (clarin.eu website account). This made UnityIDM a natural and efficient choice.
The proxy establishes trust within the CLARIN SPF domain, meaning it is distributed only to IdPs in CLARIN SPF countries, and its DS lists only those IdPs.

Roadmap

  1. Migrate all centrally managed alpha and beta SPs to the proxy.
  2. Migrate all centrally managed production SPs to the proxy.
  3. Deploy the high‑availability setup.

More technical information and a list of SPs currently behind the proxy can be found at:

Migration considerations for CLARIN SPs

For the time being, we would like to ask you all to provide feedback and to log in to our test proxied SP using your institutional IdP:

This will help us verify the interoperability between your institutional IdP and the CLARIN SSO proxy, and adjust our attribute mappings if necessary. After logging in, you will see a page displaying the attributes released by your IdP. If any field is highlighted in red, please report it to sysops@clarin.eu.

You will soon be able to migrate seamlessly to the proxy, provided that:

As a community, we will still need to discuss how to handle:

  • SPs using the eduGAIN IdPs feed.
  • SPs deploying their own DS.

…when following “…, please Login” on https://secure-proxy.clarin.eu/, I am getting:

SAML ERROR

SAML IdP got an invalid request.

eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: https://sp.secure-proxy.clarin.eu

Administrator/developer oriented details of the error follows:

Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: https://sp.secure-proxy.clarin.eu

OK. This was an unintended side effect of other reconfigurations we have been doing in our Unity instance. It is working again now. Thank you for reporting.

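The "Issuer is not among trusted" error above is the IdP side refusing an AuthnRequest whose `<saml:Issuer>` is not in the SP metadata it has loaded, which is exactly what a reconfiguration that drops the proxy's SP entity produces. The following is an added illustration, not CLARIN's or Unity's code: the metadata aggregate, the AuthnRequest and the `SAMLRequesterException` class are all constructed here (the real class is Java), and only the proxy's SP entityID is taken from the page.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class SAMLRequesterException(Exception):
    """Stand-in for the Java exception class named in the error page above."""


def trusted_sp_ids(metadata_xml: str) -> set[str]:
    """entityIDs of every SP in a SAML metadata aggregate; this is the IdP's trust list."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(MD + "EntityDescriptor")
            if e.find(MD + "SPSSODescriptor") is not None}


def check_issuer(authn_request_xml: str, trusted: set[str]) -> str:
    """Accept an AuthnRequest only if its <saml:Issuer> is a trusted SP entityID."""
    issuer_el = ET.fromstring(authn_request_xml).find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise SAMLRequesterException("AuthnRequest carries no Issuer")
    if issuer not in trusted:
        raise SAMLRequesterException(f"Issuer is not among trusted: {issuer}")
    return issuer


def issuer_error(authn_request_xml: str, trusted: set[str]):
    """The message the IdP would show for a rejected request, or None when accepted."""
    try:
        check_issuer(authn_request_xml, trusted)
    except SAMLRequesterException as exc:
        return str(exc)
    return None


SP_ENTITY = ('<md:EntityDescriptor entityID="{eid}"><md:SPSSODescriptor '
             'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
             '</md:EntityDescriptor>')
# Constructed trust list: the proxy's SP entity missing (stale) and re-added (fixed).
STALE_METADATA = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
                  + SP_ENTITY.format(eid="https://other-sp.example/shibboleth") + '</md:EntitiesDescriptor>')
FIXED_METADATA = STALE_METADATA.replace("</md:EntitiesDescriptor>",
                                        SP_ENTITY.format(eid="https://sp.secure-proxy.clarin.eu") + "</md:EntitiesDescriptor>")
# Constructed AuthnRequest as the proxy's SP side would send it (signature and other elements omitted).
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
                 'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://sp.secure-proxy.clarin.eu'
                 '</saml:Issuer></samlp:AuthnRequest>')

if __name__ == "__main__":
    print(issuer_error(AUTHN_REQUEST, trusted_sp_ids(STALE_METADATA)))  # the page's error message
    print(issuer_error(AUTHN_REQUEST, trusted_sp_ids(FIXED_METADATA)))  # None
```

Operationally, the check to run after any Unity or metadata reconfiguration is the first one: confirm the proxy's SP entityID is still present in the trust list the IdP actually loaded, since the login page will only show the generic SAML error to users.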