Registering an Identity Provider
Before applying to register an identity provider entity with the UK federation, you need to:
- Install the Shibboleth identity provider software as described in its deployment guide (see https://spaces.internet2.edu/display/SHIB/InstallingShibboleth for deployment of the Internet2 software). Follow the 'Install in Apache and Tomcat' link under Identity Provider Installation on that page.
- Obtain an X.509 certificate, as described at GetCertificate. The same certificate may be used for both an Identity Provider and a Service Provider.
Once the software has been installed and a certificate obtained, the Management Liaison should email the registration request to the UK federation Helpdesk and include the information listed below. This information will be verified and placed in an <EntityDescriptor> entry in the federation metadata.
- Administrative contact: A name and email address for the Administrative contact.
- Technical contact: A name and email address for the Technical contact. This information will be published in the federation metadata, which is in the public domain.
- Support contact: A name and email address for the Support contact. This information will be published in the federation metadata, which is in the public domain.
- User accountability: A declaration whether or not the identity provider commits to observe the provisions of 'user accountability', as defined in section 6 of the federation's Rules of Membership. Specify 'yes' or 'no'. ('yes' may require extra work by the identity provider, 'no' will deny your end users access to some services.)
- Security domains: The Security domains (scopes) for which attribute assertions made by this identity provider should be considered valid. Usually there will be only one of these and it will be either the institution's DNS domain (example.ac.uk), or the fully-qualified domain name of the server machine (shibbox.example.ac.uk).
- Organization display name: A short name (a few words at most) to identify your site. This is the text which will appear in the WAYF list of identity providers. The text selected should comply with these guidelines.
- Organization URL: The URL of a web page providing a description of the organisation or organisational unit responsible for operating the identity provider.
- Service description URL: The URL of a web page providing a description of the identity provider service itself. If omitted, this defaults to the Organization URL.
- Software: (optional) The type and release number of the software you have chosen to deploy for your IdP, e.g. Shibboleth reference IdP version 1.3.2. This information is optional, but providing it enables us to gauge appropriate support levels for software in use within the federation.
- Visibility: (optional - 'yes' by default) If your identity provider is not currently intended for production use you may wish to have it omitted from the list of identity providers displayed by the standard WAYF; it will still appear in the development WAYF, which displays all federation identity providers. See section 6.3 of the Technical Recommendations for Participants for further details. Specify 'no' if you wish your identity provider to be omitted from the WAYF list.
- Entity ID: This is a URI identifying your identity provider. It must be different from the entity ID of any existing identity provider or service provider you may already have in the UK federation. If your identity provider is already a member of another federation please give its existing entity ID, even if it appears to be federation-specific. If your identity provider is not already a member of another federation, please consult EntityIDPolicy.
- SSO service certificate name: The common name component of the subject field in the SSO service's certificate. In most cases, this will be the fully qualified domain name of the SSO service, e.g., shibbox.example.ac.uk.
- †SSO service location: The URL of your Shibboleth SSO service, e.g., https://shibbox.example.ac.uk/shibboleth-idp/SSO. Note that port numbers other than the default, while allowed, may cause problems for end users behind outgoing firewalls.
- †Artifact resolution service location: Optionally, the URL of your Shibboleth artifact resolution service, e.g., https://shibbox.example.ac.uk:8443/shibboleth-idp/Artifact. Note that port numbers other than the default, while allowed, may cause problems for end users behind outgoing firewalls. Although this item is optional, you are encouraged to provide it if you are deploying version 1.3 or later of the Shibboleth reference software.
- AA certificate name: The common name component of the subject field in the attribute authority's certificate. This will usually be the fully qualified domain name of the attribute authority server, e.g., shibbox.example.ac.uk. It is permissible to use the same certificate for the SSO service and the attribute authority if the common names are the same.
- †AA location: The URL of your Shibboleth attribute authority server, e.g., https://shibbox.uni.ac.uk:8443/shibboleth-idp/AA. The same port number considerations apply as for the artifact resolution service location.
†These locations must be given as 'https:' type URLs.
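The following is an added example (not UK federation code) of a pre-submission check that applies the rules listed above to a registration request before it is emailed to the Helpdesk: the dagger-marked locations must be https: URLs, the entity ID must be a URI not already registered, accountability and visibility must be 'yes' or 'no', and non-default ports or certificate names that differ from the service host are flagged as warnings. The request dictionary, its field names and the list of existing entity IDs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed registration request for a hypothetical IdP (not a real entity).
EXAMPLE_REQUEST = {
    "entity_id": "https://shibbox.example.ac.uk/shibboleth",
    "scopes": ["example.ac.uk"],
    "user_accountability": "yes",
    "visibility": "yes",
    "sso_cert_name": "shibbox.example.ac.uk",
    "sso_location": "https://shibbox.example.ac.uk/shibboleth-idp/SSO",
    "artifact_location": "https://shibbox.example.ac.uk:8443/shibboleth-idp/Artifact",
    "aa_cert_name": "shibbox.example.ac.uk",
    "aa_location": "https://shibbox.example.ac.uk:8443/shibboleth-idp/AA",
}

# Constructed set standing in for entity IDs already present in federation metadata.
EXISTING_ENTITY_IDS = {"https://idp.other.ac.uk/shibboleth"}


def check_request(req, existing_ids):
    """Return (errors, warnings) for a registration request using the page's rules."""
    errors, warnings = [], []
    eid = req.get("entity_id", "")
    if not urlparse(eid).scheme:
        errors.append("entity ID must be a URI")
    if eid in existing_ids:
        errors.append("entity ID already registered in the federation")
    if req.get("user_accountability") not in ("yes", "no"):
        errors.append("user accountability must be 'yes' or 'no'")
    if req.get("visibility", "yes") not in ("yes", "no"):
        errors.append("visibility must be 'yes' or 'no'")
    if not req.get("scopes"):
        errors.append("at least one security domain (scope) is required")
    # Dagger-marked locations must be https: URLs; the artifact service is optional.
    for field, cert_field, required in (("sso_location", "sso_cert_name", True),
                                        ("artifact_location", None, False),
                                        ("aa_location", "aa_cert_name", True)):
        loc = req.get(field)
        if not loc:
            if required:
                errors.append(f"{field} is required")
            continue
        u = urlparse(loc)
        if u.scheme != "https" or not u.hostname:
            errors.append(f"{field} must be an https: URL")
            continue
        if u.port not in (None, 443):
            warnings.append(f"{field} uses non-default port {u.port}; outgoing firewalls may block it")
        if cert_field and req.get(cert_field) != u.hostname:
            warnings.append(f"{cert_field} does not match the host of {field}")
    return errors, warnings
```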
We will let you know by email once the UK federation metadata has been updated to include the information you supplied. You will then need to download the new metadata and modify your Shibboleth configuration to match it, as described at SetupIdP.
