TAMUFederation Service Provider Deployment Guide


To ensure TAMUFederation members can also participate in InCommon, TAMUFederation recommendations mirror those adopted by InCommon as much as possible.

Recommended server configurations for Service Providers (SPs):

provider ID (entityID)

Each distinct Service Provider being deployed must possess a unique identifier, called a provider ID. This is analogous to the identifiers issued to Identity Providers and is in the form of a URI.

TAMUFederation accepts unique provider IDs from participant Service Providers. https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming contains information that should be considered when selecting a provider ID.

Example SP Config XML

The following are example SP configuration files:

Certificate

You may use a certificate from any Certificate Authority (CA). If you wish to obtain a certificate from the TAMUFederation CA, please send the following information to tamufederation@tamu.edu:

  • a Certificate Signing Request (CSR) with o = Texas A and M University
  • Technical Contact name and email address

CSRs will be processed and the signed certificate e-mailed to the Technical Contact. The certificate will be in PEM format.

SP metadata

After installing a new Service Provider, use the URL http://localhost/Shibboleth.sso/Metadata on your Service Provider to automatically generate your metadata. For details on generating metadata, please visit https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP.

Shibboleth 2.0 and later support metadata in the format defined by the SAML 2.0 specification. The relevant specifications can be found in:

An example document for a Service Provider might consist of the following:


<EntityDescriptor
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
 validUntil="2010-03-27T16:28:32Z">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
          <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                                              Location="http://shibboleth.tamu.edu/Shibboleth.sso/DS"
                                              index="1"/>
          <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                                              Location="https://shibboleth.tamu.edu/Shibboleth.sso/DS"
                                              index="2"/>
      </Extensions>
      <KeyDescriptor>
          <ds:KeyInfo>
             <ds:X509Data>
                <ds:X509Certificate>
                   [base64-encoded certificate used by SP]
                </ds:X509Certificate>
             </ds:X509Data>
          </ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>
          urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      </NameIDFormat>
      <NameIDFormat>
          urn:mace:shibboleth:1.0:nameIdentifier
      </NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
                                          index="1"
                                          isDefault="true"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
                                          index="2"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                          Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
                                          index="3"/>
   </SPSSODescriptor>
   <Organization>
      <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
      <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
   </Organization>
   <ContactPerson contactType="technical">
      <GivenName>Xavier</GivenName>
      <SurName>Chapa</SurName>
      <EmailAddress>xchapa@tamu.edu</EmailAddress>
   </ContactPerson>
</EntityDescriptor>
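Before sending generated metadata to the federation, it is worth running a sanity check for the problems an operator would otherwise bounce back: an expired validUntil, a missing signing/encryption certificate, an AssertionConsumerService that is not served over https, and conflicting isDefault flags. The script below is an added example, not part of this guide or of the Shibboleth project; the embedded metadata document, its entityID and the sp.example.edu hostname are constructed placeholders.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder entityID and hostname; deliberately flawed so
# that every check below fires at least once.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.edu/shibboleth" validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/Artifact" index="2" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, now=None):
    """Return a list of problem strings; an empty list means the document passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not a SAML 2.0 metadata EntityDescriptor"]
    if ":" not in root.get("entityID", ""):      # a URI always has a scheme
        problems.append("entityID is not a URI: %r" % root.get("entityID"))
    valid_until = root.get("validUntil")
    if valid_until:                               # Shibboleth writes UTC with a trailing Z
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("validUntil %s has already passed" % valid_until)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor role"]
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no X509Certificate in KeyDescriptor")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for ep in acs:                                # assertions must only be posted over TLS
        if not ep.get("Location", "").startswith("https://"):
            problems.append("non-https AssertionConsumerService: %s" % ep.get("Location"))
    if sum(1 for ep in acs if ep.get("isDefault") == "true") > 1:
        problems.append("more than one AssertionConsumerService marked isDefault")
    return problems
```

Run it on the output of your SP's /Shibboleth.sso/Metadata URL by passing the fetched text to check_sp_metadata(); the sample document above reports four problems.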

For additional information or questions about the technical requirements for TAMUFederation please send mail to: tamufederation@tamu.edu.