Registering a Shibboleth 2 Identity Provider

Before applying to register a Shibboleth 2 identity provider entity with the UK Federation, you need to:

  • Install the Internet2 reference software implementation: go to https://spaces.internet2.edu/display/SHIB2/Home and follow the instructions.
  • Obtain an X.509 certificate for the federation trust fabric, as described at GetCertificate. The same certificate may be used for both an Identity Provider and a Service Provider. (The Shibboleth 2 IdP installation script generates a long-life self-signed certificate, but some federation service providers cannot interoperate with an IdP with a self-signed certificate).
  • Edit the automatically generated metadata as described below.

Once the software has been installed and a certificate obtained, the Management Liaison should email the registration request to the UK Federation Helpdesk and include the information listed below. This information will be verified and placed in an <EntityDescriptor> entry in the federation metadata.

  • Administrative contact: A name and email address for the Administrative contact.
  • Technical contact: A name and email address for the Technical contact.
  • Support contact: A name and email address for the Support contact.
  • User accountability: A declaration of whether or not the identity provider commits to observe the provisions of 'user accountability', as defined in section 6 of the federation's Rules of Membership. Specify 'yes' or 'no'. ('yes' may require extra work by the identity provider; 'no' will deny your end users access to some services.)
  • Security domains: The Security domains (scopes) for which attribute assertions made by this identity provider should be considered valid. Usually there will be only one of these and it will be either the institution's DNS domain (example.ac.uk), or the fully-qualified domain name of the server machine (shibbox.example.ac.uk).
  • Entity ID: The entity ID is a URI identifying your identity provider. It must be different from the entity ID of any existing identity provider or service provider you may already have in the UK federation. If your identity provider is already a member of another federation please give its existing entity ID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult EntityIDPolicy.
  • Organization display name: A short name (a few words at most) to identify your site. This is the text which will appear in the WAYF list of identity providers. The text selected should comply with these guidelines.
  • Organization URL: The URL of a web page providing a description of the organisation or organisational unit responsible for operating the identity provider.
  • Service description URL: The URL of a web page providing a description of the identity provider service itself. If omitted, this defaults to the Organization URL.
  • Software: (optional) The type and release number of the software you have chosen to deploy for your IdP; e.g. reference Shibboleth IdP version 1.3.2. This information is optional, but providing it enables us to gauge appropriate support levels for software in use within the federation.
  • Visibility: (optional - 'yes' by default) If your identity provider is not currently intended for production use, you may wish to have it omitted from the list of identity providers displayed by the standard, or filtered, WAYF; it will still appear in the development, or unfiltered, WAYF, which displays all federation identity providers. See section 6.3 of the Technical Recommendations for Participants (PDF) for further details. Specify 'no' if you wish your identity provider to be omitted from the WAYF list.

  • Automatically generated metadata: Other information required for the registration of your IdP is contained in the metadata generated by your IdP installation at
    .../shibboleth-idp/metadata/idp-metadata.xml
    Unlike the Shibboleth 2 SP, which generates the metadata from the configuration files dynamically on demand, the IdP metadata is generated on initial configuration only, i.e. when you run the installation script. This means that if you make subsequent changes to your IdP's configuration, you should also edit corresponding changes manually into the idp-metadata.xml file. In particular, you will probably need to correct the scope asserted, which in the current version will appear as just "ac.uk" for all *.ac.uk domains, and modify the certificate information if you are not using the self-signed certificate generated by the installation. You may also wish to change the entity ID from the one automatically generated by the installation script.
    Once you have made any such changes, please attach this metadata file to your email registration request: do not embed its contents within the email message.
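As an added example (not code from this page, from the UK Federation or from the Shibboleth project), the following Python script applies the edits described above to a copy of the installer's idp-metadata.xml (scope, certificate, entity ID) and then checks the result the way a registrar would. The embedded sample metadata and the certificate body are constructed stand-ins; the check only verifies that each certificate is base64 DER, not that it is the federation-issued one.

```python
# Added example, not the page's or Shibboleth's code. SAMPLE and FED_CERT are
# constructed stand-ins for the installer's idp-metadata.xml and the federation cert.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for p, u in NS.items():
    ET.register_namespace(p, u)
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")
ROLE_XML = ('<{r}><Extensions><shibmd:Scope regexp="false">ac.uk</shibmd:Scope></Extensions>'
            '<KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>SELFSIGNED'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor></{r}>')
SAMPLE = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
          ' xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
          ' entityID="https://shibbox.example.ac.uk/idp/shibboleth">'
          + "".join(ROLE_XML.format(r=r) for r in ROLES) + "</EntityDescriptor>")
FED_CERT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()  # fake DER body

def fix_idp_metadata(xml_text, scopes, cert_body, entity_id=None):
    """Rewrite scope, certificate and (optionally) entityID; return the new XML text."""
    root = ET.fromstring(xml_text)
    if entity_id:
        root.set("entityID", entity_id)
    for role in ROLES:  # each role descriptor carries its own Scope and KeyDescriptor
        for ext in root.findall(f"md:{role}/md:Extensions", NS):
            for old in ext.findall("shibmd:Scope", NS):
                ext.remove(old)  # drop the installer's bare "ac.uk"
            for s in scopes:
                ET.SubElement(ext, f"{{{NS['shibmd']}}}Scope", regexp="false").text = s
        for cert in root.findall(f"md:{role}//ds:X509Certificate", NS):
            cert.text = cert_body  # base64 body only, no PEM armour lines
    return ET.tostring(root, encoding="unicode")

def _is_der_b64(text):
    try:  # a DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30
        return base64.b64decode(text.strip(), validate=True)[:1] == b"\x30"
    except ValueError:
        return False

def check_idp_metadata(xml_text):
    """Return the problems a registrar would bounce the file for (empty list = OK)."""
    root, problems = ET.fromstring(xml_text), []
    if not root.get("entityID", "").startswith(("https://", "http://", "urn:")):
        problems.append("entityID is not a URI")
    for role in ROLES:
        scopes = [s.text for s in root.findall(f"md:{role}//shibmd:Scope", NS)]
        if not scopes or "ac.uk" in scopes:
            problems.append(f"{role}: scope missing or still the bare 'ac.uk'")
        if not all(_is_der_b64(c.text or "") for c in root.findall(f"md:{role}//ds:X509Certificate", NS)):
            problems.append(f"{role}: X509Certificate is not a base64 DER certificate")
    return problems
```

Run `check_idp_metadata` on the installer output first to see both the scope and certificate problems reported for each role descriptor, then on the output of `fix_idp_metadata`, which should come back clean.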

We will let you know by email once the UK Federation metadata has been updated to include the information you have supplied.