Service Provider Configuration

To ensure TAMUFederation members can also participate in InCommon, TAMUFederation recommendations mirror those adopted by InCommon as much as possible. If you (or your vendor) are an InCommon member, you will receive the transientId attribute without submitting any additional information to the Identity Management Office.

EntityID

Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and takes the form of a URI. Examples of entityIDs:

  • https://software.tamu.edu/Shibboleth (Preferred Format)
  • urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu

Example SP XML

The following are example SP configuration files:

Note that the configuration file name for Service Provider v3.x is still shibboleth2.xml.

Certificates

You may use a certificate from any Certificate Authority (CA), including self-signed certificates.

SP Metadata

Shibboleth 2.0 and later versions support metadata in the format defined by the SAML 2.0 specification. The relevant specifications can be found in:

An example document for a Service Provider might consist of the following:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <!-- Endpoints to which a discovery service returns the user's chosen IdP -->
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="http://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="1"/>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="2"/>
    </Extensions>
    <!-- Certificate for the SP's key; with no "use" attribute it covers both signing and encryption -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            [base64-encoded certificate used by SP]
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <!-- Endpoints that accept assertions from the IdP; index 1 is the default -->
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
        index="1"
        isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
        index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
        index="3"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Xavier</GivenName>
    <SurName>Chapa</SurName>
    <EmailAddress>xchapa@tamu.edu</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
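The script below is an added example; it is not part of this page, the TAMUFederation recommendations, or the Shibboleth project. It runs the checks a federation operator would want satisfied before accepting SP metadata shaped like the document above, tying together the EntityID, Certificates and SP Metadata sections: the entityID is an https:// URL or a URN, validUntil has not passed, each KeyDescriptor carries a base64-encoded X509Certificate, at most one AssertionConsumerService is the default, and every endpoint Location is served over https. The namespace URIs are the real SAML 2.0, XML-DSig and IdP discovery ones; the sample metadata, the sp.example.edu hostname, the placeholder certificate and the review date are constructed for the demonstration.

```python
"""Pre-submission checks for Shibboleth SP metadata (added example, not page code).

Parses a SAML 2.0 metadata document with the standard library only and returns
the findings a federation operator would typically raise.
"""
import base64
import binascii
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

# Real namespace URIs from the SAML 2.0 metadata, XML-DSig and IdP discovery specs.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed placeholder: valid base64, but not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed sample shaped like the page's example. The http:// discovery
# endpoint and the 2010 validUntil are deliberate so the checks have findings.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.edu/Shibboleth"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="http://sp.example.edu/Shibboleth.sso/DS" index="1"/>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# The same document with both problems corrected.
CLEAN_METADATA = SAMPLE_METADATA.replace(
    "http://sp.example.edu", "https://sp.example.edu"
).replace('validUntil="2010-03-27', 'validUntil="2099-03-27')

# Constructed review date so the results are reproducible.
REVIEW_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_sp_metadata(xml_text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of findings; an empty list means the metadata passed every check."""
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{" + NS["md"] + "}EntityDescriptor":
        return [f"root element is {root.tag}, expected EntityDescriptor in the md namespace"]

    entity_id = root.get("entityID", "")
    if not entity_id:
        findings.append("entityID attribute is missing")
    elif not entity_id.startswith(("https://", "urn:")):
        findings.append(f"entityID {entity_id!r} is neither an https:// URL nor a URN")

    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"validUntil {valid_until} has passed; consumers will discard this metadata")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor element; this is not Service Provider metadata")
        return findings

    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        findings.append("no X509Certificate in any KeyDescriptor")
    for cert in certs:
        # Base64 in metadata is usually line-wrapped; join the lines before validating.
        body = "".join((cert.text or "").split())
        if not body:
            findings.append("X509Certificate element is empty")
            continue
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            findings.append("X509Certificate content is not valid base64")

    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    if sum(1 for e in acs if e.get("isDefault") == "true") > 1:
        findings.append("more than one AssertionConsumerService is marked isDefault")

    # Every endpoint that receives a browser redirect or POST should be https.
    for ep in acs + sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS):
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"{_local(ep.tag)} index={ep.get('index')} Location {loc!r} is not https")
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_METADATA), ("clean", CLEAN_METADATA)):
        print(label, check_sp_metadata(doc, now=REVIEW_TIME) or ["no findings"])
```

Run against the constructed sample it reports the expired validUntil and the http:// DiscoveryResponse; the corrected copy produces no findings. Pointing it at a real shibboleth2.xml-generated metadata file (the output of the SP's Metadata handler) before submission catches the two problems the page's own example illustrates, an expired validUntil and a plain-http discovery endpoint, without needing an IdP to reject the document first.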