Registering a Shibboleth 2 Identity Provider

Before applying to register a Shibboleth 2 identity provider entity with the UK Federation, you need to:

Once the software has been installed and a certificate obtained, the Management Liaison should email the registration request to the UK Federation Helpdesk and include the information listed below. This information will be verified and placed in an <EntityDescriptor> entry in the federation metadata.

Please note: if you are upgrading a Shibboleth 1.3 IdP to Shibboleth 2.x and wish to update the IdP registration accordingly, you need only send the automatically generated metadata as a file attachment and ask for your existing Shibboleth 1.3 IdP registration to be updated with the new Shibboleth 2.x metadata.

  • Administrative contact: A name and email address for the Administrative contact. (This information is not published in the federation metadata.)
  • Technical contact: A name and email address for the Technical contact.
  • Support contact: A name and email address for the Support contact.
  • User accountability: A declaration of whether or not the identity provider commits to observe the provisions of 'user accountability', as defined in section 6 of the federation's Rules of Membership. Specify 'yes' or 'no'. ('yes' may require extra work by the identity provider operator; 'no' will deny your end users access to some services.)
  • Security domains: The security domains (scopes) for which attribute assertions made by this identity provider should be considered valid. Usually there will be only one of these, and it will be either the institution's DNS domain (example.ac.uk) or the fully-qualified domain name of the server machine (idp.example.ac.uk). It should be specified in lower case.
  • Entity ID: The entity ID is a URI identifying your identity provider. It must be different from the entity ID of any identity provider or service provider already registered in the UK federation. If your identity provider is already a member of another federation, please give its existing entity ID, even if it appears to be federation-specific. Otherwise, please consult the federation entity ID policy.
  • Organization display name: A short name (a few words at most) identifying your site. This is the text that will appear in the WAYF list of identity providers. The text selected should comply with these guidelines.
  • Organization URL: The URL of a web page providing a description of the organisation or organisational unit responsible for operating the identity provider.
  • Service description URL: The URL of a web page providing a description of the identity provider service itself. If omitted, this defaults to the Organization URL.
  • Software: (optional) The type and release number of the software you have deployed for your IdP, e.g. Shibboleth IdP 2.1.5. Providing this enables us to gauge appropriate support levels for the software in use within the federation.
  • Visibility: (optional; 'yes' by default) If your identity provider is not yet intended for production use, you may wish to have it omitted from the list of identity providers displayed by the standard (filtered) WAYF; it will still appear in the development (unfiltered) WAYF, which displays all federation identity providers. See section 6.3 of the Technical Recommendations for Participants (PDF) for further details. Specify 'no' if you wish your identity provider to be omitted from the WAYF list.
  • MDUI logo and text: (optional) A logo and display name. These are displayed on the centralised discovery service (WAYF) as a quick login link and may also appear on an SP's discovery page. There is more information at MDUIRecommendations.
  • Automatically generated metadata: The other information required for the registration of your IdP is contained in the metadata generated by your IdP installation: the file idp-metadata.xml in the metadata subdirectory of the IdP installation directory.
    Please note that you will first need to edit idp-metadata.xml to correct the scope it asserts: the current installer writes "ac.uk" as the scope for every host under *.ac.uk, rather than your institution's own domain. Check every <shibmd:Scope> element in the file (the IDPSSODescriptor and the AttributeAuthorityDescriptor each carry one) and set it to the security domain you are registering, in lower case.
    Unlike the Shibboleth 2 SP, which generates its metadata dynamically from the configuration files on demand, the IdP's metadata is generated only on initial configuration, i.e. when you run the installation script. If you subsequently change your IdP's configuration, you must make the corresponding changes to idp-metadata.xml by hand. In particular, if you use a CA-issued certificate for the federation trust fabric instead of the self-signed certificate generated by the installation, you will need to replace the certificate information in every KeyDescriptor in the file; the certificate in the metadata must be the one matching the signing key your IdP is actually configured to use, or service providers will be unable to verify its assertions. You may also need to change the entity ID from the one the installation script generated.

    Once you have made any such changes, attach the metadata file to your email registration request: do not embed its contents in the message body.
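The following is an added example, not UK Federation or Shibboleth project code, of the post-install fix-up described above: it rewrites every <shibmd:Scope> in an idp-metadata.xml (both descriptors, not just the first), optionally replaces the entityID and every <ds:X509Certificate> with the body of a CA-issued PEM certificate, and runs the checks a registrar would apply (scope present, lower case and as intended; certificates consistent across descriptors; entityID present). The sample metadata, the example.ac.uk domain, the entity ID and the certificate text are constructed placeholders; the script does not verify that the certificate matches the IdP's configured signing key, which you must still confirm yourself.

```python
"""Post-install fix-up and sanity check of a Shibboleth 2 IdP's idp-metadata.xml.

Added example, not UK Federation or Shibboleth project code. The IdP writes this
file once at install time, so the scope, entity ID and certificate it contains
can all be wrong by registration time. All inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Keep the conventional prefixes on output rather than ElementTree's ns0/ns1.
ET.register_namespace("", NS["md"])
ET.register_namespace("shibmd", NS["shibmd"])
ET.register_namespace("ds", NS["ds"])

# Constructed sample shaped like an installer-generated file: the "ac.uk" scope
# the page warns about, in both descriptors, and a placeholder self-signed
# certificate (not real base64).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">ac.uk</shibmd:Scope></Extensions>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SELFSIGNEDPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">ac.uk</shibmd:Scope></Extensions>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SELFSIGNEDPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

# Constructed placeholder standing in for a CA-issued certificate; not a real one.
SAMPLE_CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholder
NotARealCertificate
-----END CERTIFICATE-----
"""


def pem_body(pem):
    """Return the base64 payload of a PEM certificate, which is what
    <ds:X509Certificate> carries (no header, footer or line breaks)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return "".join(m.group(1).split())


def check_idp_metadata(xml_text, expected_scope):
    """Return a list of problems; an empty list means the file looks ready to send."""
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    scopes = root.findall(".//shibmd:Scope", NS)
    if not scopes:
        problems.append("no shibmd:Scope element found")
    for scope in scopes:
        text = (scope.text or "").strip()
        if text != text.lower():
            problems.append(f"scope {text!r} is not lower case")
        if text != expected_scope:
            problems.append(f"scope {text!r} should be {expected_scope!r}")
    # Every KeyDescriptor should carry the same certificate; a mix usually
    # means only one descriptor was updated by hand.
    certs = {"".join((c.text or "").split()) for c in root.findall(".//ds:X509Certificate", NS)}
    if len(certs) > 1:
        problems.append("descriptors carry different certificates")
    return problems


def fix_idp_metadata(xml_text, scope, entity_id=None, cert_pem=None):
    """Rewrite every Scope (and optionally the entityID and every
    X509Certificate) and return the corrected document as a string."""
    root = ET.fromstring(xml_text)
    for s in root.findall(".//shibmd:Scope", NS):
        s.text = scope.lower()
    if entity_id:
        root.set("entityID", entity_id)
    if cert_pem:
        b64 = pem_body(cert_pem)
        for c in root.findall(".//ds:X509Certificate", NS):
            c.text = b64
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_idp_metadata(SAMPLE_METADATA, "example.ac.uk"))
    fixed = fix_idp_metadata(SAMPLE_METADATA, "example.ac.uk",
                             entity_id="https://idp.example.ac.uk/shibboleth",
                             cert_pem=SAMPLE_CA_CERT_PEM)
    print("after:", check_idp_metadata(fixed, "example.ac.uk"))
    print(fixed)
```

To use it on a real installation, read the file from the metadata subdirectory of the IdP installation directory in place of SAMPLE_METADATA, pass your own scope, entity ID and PEM certificate, and write the returned string back before attaching it to the registration request. The check function is deliberately strict about the two descriptors agreeing, because editing only the IDPSSODescriptor and forgetting the AttributeAuthorityDescriptor is the common hand-editing mistake.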

We will let you know by email once the UK Federation metadata has been updated to include the information you have supplied.