Registering a Shibboleth v2 Identity Provider
Warning: please note that the Shibboleth IdP v2 went end-of-life on 31 July 2016.
This page is legacy documentation.
Organisations using the v2 IdP are encouraged to migrate as soon as possible.
You must register your Shibboleth v2 IdP's metadata with us in order for it to interoperate with service providers (SPs) in the UK federation. Once your IdP is registered you may need to configure further features, for example attribute release policies, and test them.
Before sending the information required for registration, listed below, you must ensure the following:
- You have installed and configured the Shibboleth v2 IdP software.
- You have obtained a browser-facing certificate and configured it for port 443 of your IdP. The UK federation does not need to know about this browser-facing certificate.
- Your organisation controls the domain in the entityID and the scopes associated with your IdP.
- You may need to edit the IdP's automatically-generated metadata. The metadata is stored in the metadata subdirectory of the installation directory. It is created when the installation script is run and not subsequently updated. This means that if you make changes to your IdP's configuration, you should also add the corresponding changes manually into the idp-metadata.xml file. You may need to change the entityID from the one automatically generated by the installation script. You may also need to modify the certificate information if you decide not to use the self-signed trust fabric certificate generated during installation.
- You need to consider how your IdP will appear in discovery services and its visibility. The UK federation CDS (Central Discovery Service) acts as a fallback for SPs that do not want to run their own discovery service. Both the CDS and local discovery services should display the IdP Organization Display Name, and may display the IdP's logo. Please review the federation's IdP listing policy.
- You should be familiar with the UK federation's Technical Recommendations for Participants, and other UK federation service documents.
Once these prerequisites have been met:
- A Management Contact for your organisation must email a registration request to the UK federation Helpdesk and include the information required for registration, listed below.
- We will verify this information and perform several technical checks. We may need to communicate with the registrant to rectify any issues.
- We then authenticate the trust fabric certificate(s) in the IdP metadata by means of an email-based security procedure. The Management Contact must reply to our email before we can complete the registration.
- Once we have received the authentication email from the Management Contact, we will publish your IdP's metadata in the UK federation metadata on the next publishing run. Note that the published metadata then has to propagate to the SPs your IdP will interoperate with before they will recognise it.
- We will let you know by email once the UK federation metadata has been updated to include the information you have supplied.
You should not attempt to gain access to any live service until you have verified that your identity provider is properly configured and handling attributes correctly. You can test your IdP using the UK federation test SP.
The information required for registration is as follows:
- entityID: The entityID is a URI identifying your identity provider. It must be different from the entityID of any existing identity provider or service provider already in the UK federation. If your identity provider is already a member of another federation, please give its existing entityID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult the federation entityID policy.
- Scopes: The scopes (security domains) for which attribute assertions made by this identity provider should be considered valid. Usually there will be only one of these and it will almost always be the organisation's domain name. This should be specified in lower case.
- Visibility: Specify "yes" or "no". Please see the federation IdP listing policy for further details. If your organisation already has a registered IdP visible in the default list, we recommend that you register any additional IdP with visibility "no".
- User accountability: Specify "yes" or "no". This is a declaration whether or not the identity provider commits to observe the provisions of 'user accountability', as defined in section 6 of the federation's Rules of Membership. ("yes" may require extra work by the identity provider operator, "no" will deny your end users access to some services.)
- Software: (recommended) The release number of the software you have chosen to deploy for your IdP; e.g. Shibboleth IdP version 2.4.4. This information enables us to gauge appropriate support levels for software in use within the federation.
- Logo: (recommended) The HTTPS-protected URL of an organisational logo, suitable for display on the CDS. It may also appear on an SP's discovery page when a user requires access. Please see the federation MDUI Recommendations page for more information.
- Organisation display name: A short name (a few words at most) to identify your IdP. This is the text which will appear in the CDS list of identity providers. The text selected should comply with these guidelines.
- Organisation URL: The URL of a web page providing a description of the organisation or organisational unit responsible for operating the identity provider.
- Support contact: The name and email address of one or more Support contacts.
- Technical contact: The name and email address of one or more Technical contacts.
- Administrative contact: The name and email address of one or more Administrative contacts. (This information is not published in the federation metadata.)
- Automatically generated metadata: Further information required for the registration of your IdP is contained in the metadata generated by your IdP installation. This is the idp-metadata.xml file in the metadata subdirectory of the IdP installation directory. You may need to edit this file before sending it to us, as described above.
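Before sending the idp-metadata.xml file, it is worth checking it against the requirements above (a URI entityID, lower-case scopes, a display name and HTTPS logo for discovery services, and a trust fabric certificate). The following script is an added example, not UK federation or Shibboleth project code; the metadata it parses is a constructed sample containing two deliberate defects.

```python
import xml.etree.ElementTree as ET

# Namespaces used in Shibboleth IdP metadata (SAML metadata, Shibboleth scope, MDUI, XML-DSig).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample idp-metadata.xml: the scope is not lower case and the logo URL is not HTTPS.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">Example.ac.uk</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:Logo height="60" width="80">http://idp.example.ac.uk/logo.png</mdui:Logo>
      </mdui:UIInfo>
    </Extensions>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed placeholder, not a real certificate...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return the registration problems found; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    # The entityID must be a URI; its uniqueness within the federation cannot be checked offline.
    if not root.get("entityID", "").startswith(("http://", "https://", "urn:")):
        problems.append("entityID is missing or not a URI")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    # Scopes: at least one is needed, and each should be specified in lower case.
    scopes = [(s.text or "").strip() for s in idp.findall("md:Extensions/shibmd:Scope", NS)]
    if not scopes:
        problems.append("no shibmd:Scope declared")
    problems += ["scope not lower case: " + s for s in scopes if s != s.lower()]
    # Discovery services display the DisplayName and may display the logo, which must be HTTPS.
    if idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS) is None:
        problems.append("no mdui:DisplayName for discovery services")
    for logo in idp.findall("md:Extensions/mdui:UIInfo/mdui:Logo", NS):
        if not (logo.text or "").strip().startswith("https://"):
            problems.append("logo URL is not HTTPS: " + (logo.text or "").strip())
    # The trust fabric certificate that the federation authenticates by email must be present.
    if not idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        problems.append("no trust fabric certificate in KeyDescriptor")
    return problems
```

Run it against the real idp-metadata.xml with `check_idp_metadata(open("idp-metadata.xml").read())`; an empty list means the file is ready for the registration email.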