Support for End Users of the UK federation
End users should contact their local IT user support team.
The UK federation technical support team provides support for deployment of SAML-capable software within the UK federation. We cannot provide in-depth support for web applications which rely on that SAML software.
The UK federation also provides in-depth technical support for Shibboleth software within the UK federation, which includes support for installation, configuration and troubleshooting.
We recommend that you always use a supported release of your chosen software. We reserve the right not to support software designated end of life (EOL) by its authors and in such cases will only provide assistance in upgrading to a supported version. For example, EOL dates for Shibboleth software are available from https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories
Installing and configuring IdPs and SPs
Read the registering entities information for details of installing and configuring Identity Provider and Service Provider software.
Study the error message. Look in your log files. Increase the logging level to DEBUG if appropriate.
Then look at whether the problem is general or specific. Is it an interoperability problem with one other entity, or is it with several?
If it's with one entity only:
For the operator of an IdP with an interoperability problem with a particular SP, contact the SP operator in the first instance.
For the operator of an SP with an interoperability problem with a particular IdP, contact the IdP operator in the first instance.
The support contacts for each entity can be found in the UK federation metadata, available at
It will be useful to have had a look at your logs for signs of errors before contacting them.
If it's with several entities:
In this case it's more likely that the problem is local.
At this point, it's a good idea to turn up your logging, and to check for any recent changes that may affect your entity (is metadata still being downloaded; has a certificate expired or been replaced, has there been a modification to your firewall)
IdP operators can also use the UK federation test SP to test authentication and attribute release. Test against all relevant session initiators, check the values of attributes released using the "Session dumper" link, and view the SAML Assertion and CGI header variables.
SP operators can also use the UK federation test IdP to test authentication and attribute retrieval. A number of test accounts are provided that release various attribute sets.
If you have followed the troubleshooting advice given on this page and have not been able to determine the cause of the problem, you can get help from the UK federation technical support team. The support team has many years experience across a wide range of federated access technologies and can usually provide high quality support in a timely manner.
However, we are also a small team with many responsibilities outwith technical support (which include entity registration and operation of federation infrastructure), so occasionally we are not able to process your technical support calls immediately. Additionally, some members of the team work part-time on the helpdesk so the specialist expertise you require may not be available at all times. Please understand the context we work in. As a rough guide, we prioritise technical support in this order:
- security incidents affecting the UK federation
- incidents affecting most UK federation entities or UK federation infrastructure
- incidents affecting several production servers
- incidents affecting a single production server
- advice on configuration, deployment and entity registration
- general advice on federated access.
The Shibboleth Project
The Shibboleth project wiki includes a comprehensive section on troubleshooting. In that section are lists of IdP troubleshooting common errors and SP troubleshooting common errors. Please check these pages to see if your error is listed, and also advice for how to troubleshoot those errors.
The Shibboleth project also runs a number of mailing lists, where project developers provide high quality advice. The Shibboleth mailing lists are described here.
Community mailing lists hosted by Jiscmail
Jisc Shibboleth mailing list - general discussion regarding Shibboleth-based authentication and authorisation systems within the UK's higher and further education and research communities.
Jisc Shibboleth libraries - for HE and FE library staff involved in implementing federated access management. List appears unused.
Lis-openathensla - a discussion area for users of OpenAthens LA from Eduserv. This is a community list, and is not run by Eduserv.
lis-e-resources - discussion list for library staff. Wider scope than access management, although this does get brought up.
Third Party Support
Here is a list of federation member organisations which offer third party support in the deployment of federated access management.