Service Provider Configuration
To ensure TAMUFederation members can also participate in InCommon, TAMUFederation recommendations mirror those adopted by InCommon as much as possible. If you (or your vendor) are an InCommon member, you will receive the transientId attribute without submitting any additional information to the Identity Management Office.
Recommended server configurations for Service Providers (SPs):
EntityID
Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and is in the form of a URI. Examples of EntityIDs could be:
https://software.tamu.edu/Shibboleth
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu (Preferred Format)
Example SP XML
The following are example SP configuration files:
Note that the configuration file name for Service Provider v3.x is still shibboleth2.xml.
Certificates
You may use a certificate from any Certificate Authority (CA), including self-signed certificates.
SP Metadata
Shibboleth 2.0 and later versions of Shibboleth support metadata in the format defined by the SAML 2.0 specification. The relevant specifications can be found in:
An example document for a Service Provider might consist of the following:
<!-- namespace declarations for the default (md), ds and idpdisc prefixes used below -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <!-- endpoints at which the SP receives the IdP chosen by a discovery service -->
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="http://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="1"/>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="2"/>
    </Extensions>
    <!-- the SP's certificate; the IdP uses it to verify signatures and encrypt assertions -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            [base64-encoded certificate used by SP]
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </NameIDFormat>
    <NameIDFormat>
      urn:mace:shibboleth:1.0:nameIdentifier
    </NameIDFormat>
    <!-- endpoints at which the SP accepts assertions from the IdP -->
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
        index="1"
        isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
        index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
        index="3"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Xavier</GivenName>
    <SurName>Chapa</SurName>
    <EmailAddress>xchapa@tamu.edu</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
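The metadata above is what an SP publishes to the federation. As an added check (example code, not TAMUFederation's or Shibboleth's own, using a hypothetical entity sp.example.edu), the following Python script parses an EntityDescriptor and flags departures from the recommendations on this page: a non-URI entityID, an expired validUntil, missing SAML 2.0 support, no certificate in the KeyDescriptor, no transient NameIDFormat, and any AssertionConsumerService that is not served over https.

```python
# Added example, not a TAMUFederation tool: checks SP metadata against this page's recommendations.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def check_sp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means no problems were found."""
    findings = []
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(("urn:", "https://")):
        findings.append(f"entityID is not a URN or https URI: {entity_id!r}")
    valid_until = root.get("validUntil")  # optional; if present it must lie in the future
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry < now:
            findings.append(f"metadata expired at {valid_until}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    if SAML2 not in sp.get("protocolSupportEnumeration", "").split():
        findings.append("SPSSODescriptor does not advertise SAML 2.0 protocol support")
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no X509Certificate in KeyDescriptor")
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]
    if TRANSIENT not in formats:
        findings.append("transient NameIDFormat not listed")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for ep in acs:  # assertions carry identity data, so every ACS must be TLS-protected
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"AssertionConsumerService index {ep.get('index')} is not https: {loc}")
    return findings

# Constructed sample (hypothetical entity) with two problems the checker should flag.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:mace:example.edu:shibboleth:sp:demo" validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
  </SPSSODescriptor></EntityDescriptor>"""
```

Running check_sp_metadata(SAMPLE) reports the expired validUntil and the http AssertionConsumerService; correcting both in the sample yields an empty list.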