UK federation operational information

Federation metadata

Download the signed metadata file for the UK federation here:

You can download the certificate used to sign the metadata file from ukfederation.pem. The certificate is required for your identity provider or service provider configuration. For the Shibboleth IdP this is described in the "Credentials" section of the federation Shibboleth IdP configuration documentation. For the Shibboleth SP this is described in the "MetadataProvider" section of the federation Shibboleth SP configuration documentation.

However, as this certificate secures the entire UK Federation, you should not rely on it until you have checked the certificate's fingerprint with a member of the UK Federation Operations team. You can use this openssl command to find out the SHA-1 fingerprint of the certificate that you have downloaded:

 openssl x509 -sha1 -fingerprint -noout -in ukfederation.pem

You should compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone. Their phone number can be found on the federation helpdesk contact information page.

Testing new IdP deployments

You can test your IdP configuration using this UK federation test service provider:

The index page contains a number of links, which invoke different versions of the Discovery Service. The links marked as "full" have a list of all federation IdPs, including those that have been registered as hidden or invisible. If you click one of these links and select your IdP from the WAYF or DS page and successfully authenticate, you should see a list of environment variables, some of which contain the values of attributes released by the IdP; this allows you to test attribute generation and release as well as simple authentication.

WAYF links use the federation WAYF and will invoke a SAML1 session, which produces two displayed assertions – one for the authentication, one for the attributes. DS links use the federation Discovery Service and may invoke a SAML2 session, which produces a single displayed assertion.

If you are testing a Shibboleth IdP, and you have trouble authenticating or releasing attributes, then ensure your log levels are turned up to DEBUG (for details, see the 'logging.xml' section of the federation Shibboleth IdP configuration page) before re-testing, and check the logs; the idp-process.log is generally the most informative. If nothing is being written to the Shibboleth logs then check the Tomcat logs; it is advisable to keep checking the Tomcat logs anyway during the earlier stages of the installation.

You should not attempt to gain access to any live service until you have verified, by the use of the test page noted above, that your IdP is properly configured and releasing attributes correctly.

Testing new SP deployments

The UK federation does not operate a test IdP at present. However, if you have not deployed an IdP of your own for testing, you can create a test account at ProtectNetwork, an open-access IdP within the federation. Information on using ProtectNetwork to test your SP can be found here.

Attributes used in the UK federation

See Attribute usage for details.


The SDSS development federation was the forerunner of the UK federation.