Infrastructure Division of Information Technology
TAMUFederation Service Provider Deployment Guide


To ensure TAMUFederation members can also participate in InCommon, TAMUFederation recommendations mirror those adopted by InCommon as much as possible.

If you (or your vendor) are an InCommon member, you will receive the transientId attribute without submitting any additional information to the Identity Management Office. To receive additional data attributes, a Data Release Form will need to be submitted for each unique service.

Recommended server configurations for Service Providers (SPs):

provider ID (entityID)

Each distinct Service Provider being deployed must possess a unique identifier, called a provider ID or entityID. This is analogous to the identifiers issued to Identity Providers and takes the form of a URI. Examples of provider IDs:

  • http://software.tamu.edu/Shibboleth (preferred format)
  • urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu

TAMUFederation accepts unique provider IDs from participant Service Providers. https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming contains information that should be considered when selecting a provider ID.

Example SP Config XML

The following are example SP configuration files:

Note that the configuration file name for Service Provider v3.x is still shibboleth2.xml.

Certificate

You may use a certificate from any Certificate Authority (CA), including self-signed certificates.

SP metadata

After installing a new Service Provider, use the URL http://localhost/Shibboleth.sso/Metadata on your Service Provider to automatically generate your metadata. For details on generating metadata, please visit https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP. The generated metadata, or the URL from which it can be fetched, should be submitted with the Data Release Form.

Shibboleth 2.0 and later support metadata in the format defined by the SAML 2.0 specification. The relevant specifications can be found in:

An example document for a Service Provider might consist of the following:


<!-- The md (default), ds and idpdisc namespaces must be declared for the ds: and idpdisc: prefixes used below to be valid XML -->
<EntityDescriptor
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
 validUntil="2010-03-27T16:28:32Z">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
          <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                                              Location="http://shibboleth.tamu.edu/Shibboleth.sso/DS"
                                              index="1"/>
          <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                                              Location="https://shibboleth.tamu.edu/Shibboleth.sso/DS"
                                              index="2"/>
      </Extensions>
      <KeyDescriptor>
          <ds:KeyInfo>
             <ds:X509Data>
                <ds:X509Certificate>
                   [base64-encoded certificate used by SP]
                </ds:X509Certificate>
             </ds:X509Data>
          </ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>
          urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      </NameIDFormat>
      <NameIDFormat>
          urn:mace:shibboleth:1.0:nameIdentifier
      </NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
                                          index="1"
                                          isDefault="true"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
                                          index="2"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
                                          index="3"/>
   </SPSSODescriptor>
   <Organization>
      <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
      <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
   </Organization>
   <ContactPerson contactType="technical">
      <GivenName>Xavier</GivenName>
      <SurName>Chapa</SurName>
      <EmailAddress>xchapa@tamu.edu</EmailAddress>
   </ContactPerson>
</EntityDescriptor>
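Before submitting generated metadata with the Data Release Form, it is worth checking it for the things a federation operator will send back: an entityID that is not a URI (see the provider ID section above), an expired validUntil, a missing signing certificate in the KeyDescriptor, no default AssertionConsumerService, or endpoint Locations that are not https. The script below is an added example and is not part of the TAMUFederation guide or the Shibboleth project; it uses only the Python standard library. The embedded metadata is constructed for this example (the hostname sp.example.edu and the certificate placeholder are invented) and deliberately contains several of those defects so the checks have something to report.

```python
"""Sanity checks for Shibboleth SP metadata before it is submitted to a federation.

Added example, not code from the TAMUFederation page or the Shibboleth project.
It parses an EntityDescriptor like the one in the guide and reports problems a
federation operator would reject.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# SAML 2.0 metadata, XML-DSig and IdP discovery namespaces (real, well-known URIs)
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed sample: sp.example.edu and the certificate text are placeholders.
# It intentionally has an expired validUntil and two http:// endpoints.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.edu/shibboleth"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="http://sp.example.edu/Shibboleth.sso/DS" index="1"/>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Fixed "now" so the expiry check is deterministic (constructed value)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def check_sp_metadata(xml_text: str, now: datetime) -> dict:
    """Return the entityID, all endpoint Locations, and a list of findings (empty = clean)."""
    root = ET.fromstring(xml_text)
    findings = []

    # entityID must be a URI: a scheme is the minimum we can check for syntactically
    entity_id = root.get("entityID", "")
    if not urlparse(entity_id).scheme:
        findings.append(f"entityID is not a URI: {entity_id!r}")

    # validUntil, when present, is an absolute expiry; federations drop expired entities
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"validUntil {valid_until} is in the past")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor element")
        return {"entityID": entity_id, "endpoints": [], "findings": findings}

    # The SP's signing/encryption certificate lives in KeyDescriptor/KeyInfo/X509Data
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no X509Certificate in any KeyDescriptor")

    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoints")
    elif not any(a.get("isDefault") == "true" for a in acs):
        findings.append("no AssertionConsumerService is marked isDefault")

    # Assertions and discovery responses carry user data: every endpoint should be https
    endpoints = []
    for el in acs + sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS):
        loc = el.get("Location", "")
        endpoints.append(loc)
        if urlparse(loc).scheme != "https":
            findings.append(f"endpoint is not https: {loc}")

    return {"entityID": entity_id, "endpoints": endpoints, "findings": findings}


def check_sample() -> dict:
    """Run the checks against the constructed sample with the fixed NOW."""
    return check_sp_metadata(SAMPLE_METADATA, NOW)


if __name__ == "__main__":
    result = check_sample()
    print("entityID:", result["entityID"])
    for f in result["findings"]:
        print("FINDING:", f)
```

Run it against the output of http://localhost/Shibboleth.sso/Metadata by reading that file instead of SAMPLE_METADATA. On the constructed sample it reports the expired validUntil and the two http:// endpoints; once those are corrected the findings list is empty, which is the state the metadata should be in before it goes on the Data Release Form. The script checks structure and transport only; it does not verify that the certificate parses or matches the SP's private key.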

For additional information or questions about the technical requirements for TAMUFederation please send mail to: tamufederation@tamu.edu.