Registering a Service Provider
It is likely that organisations which regularly update their implementations to use the latest version of the Shibboleth software, or use the hosted OpenAthens software, will continue to benefit from the widest range of interoperability options with other federation members. Other software may well be better suited to particular operating environments, but may not interoperate successfully with other entities in the UK federation without the expenditure of significant amounts of time and effort on the parts of both the registering organisation and the UK federation support team.
In particular, we would strongly advise that anyone intending to register a non-standard entity in the UK federation should read our core federation documents with special attention to the Technical recommendations for participants and the Federation technical specifications.
If you are unsure about a particular implementation, please feel free to contact the UK federation support team.
We have specific documentation on registering a Shibboleth or OpenAthens Keystone SP. This page gives information on how to register other SP software. You must register your SP's metadata with us in order to interoperate with other entities in the UK federation. You may need to configure more features once your SP is registered, for example authorization conditions.
Before sending the information required for registration, listed below, you must ensure the following:
- Install and configure the SP software according to the supplier's instructions.
- Obtain an X.509 certificate for the trust fabric.
- Obtain a browser-facing certificate and configure it for port 443 of your SP. The UK federation does not need to know about this browser-facing certificate.
- Your organization controls the domain in the entityID of your SP
- You have read the UK federation Operational Information page.
- You are familiar with the UK federation's Technical Recommendations for Participants, and other UK federation service documents.
Once these prerequisites have been met:
- A Management Contact for your organisation must email an SP registration request to the UK federation Helpdesk and include the information required for registration, listed below.
- We will verify this information and perform several technical checks. We may need to communicate with the registrant to rectify any issues.
- We then authenticate the trust fabric certificate(s) in the SP metadata by means of an email-based security procedure (see Certificate verification). The Management Contact must reply to our email before we can complete the registration.
- Once we have received the authentication email from the Management Contact, we will publish your SP's metadata in the UK federation metadata on the next publishing run. Please take note that metadata must propagate to the identity providers (IdPs) your SP will interoperate with.
- We will let you know by email once the UK federation metadata has been updated to include the information you have supplied.
- You can now test your SP using the UK federation test IdP.
The information required for registration should be provided in the email body of the message as plain text, please do not provide this as an attachment from your office software, if you must provide an attachment please use a text editor.
You can use the following SP registration request link to create an email message.
- entityID: The entityID is a URI identifying your service provider. It must be different from the entityID of any existing entity already in the UK federation. If your service provider is already a member of another federation please give its existing entityID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult the UK federation entityID policy.
- Service Display Name: A brief name for the service. This name may be displayed on IdP login pages, and will be displayed on the Central Discovery Service (CDS) if your SP uses the CDS. Please see the federation MDUI Recommendations page for more information.
- OrganizationURL: The URL of a web page providing a description of the organisation providing the service.
- Support contact: The name and email address of one or more Support contacts. While a Support contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk').
- Technical contact: The name and email address of one or more Technical contacts. While a Technical contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk').
- Administrative contact: The name and email address of one or more Administrative contacts. Administrative contacts must be named individuals using unshared email addresses as they have the authority to amend or delete their entity's metadata. (Their names and email addresses are not published in the federation metadata.)
- Security contact: (recommended) The name and email address for one or more Security contacts.
- Metadata: Many SAML software products generate metadata matching the configuration. If your software makes the metadata available on a URL, please send the URL to us. Failing that, please send us a static copy of the metadata. And if your software does not produce metadata, please contact us and we'll find another way to assist you in registering your software.
- Requested Attributes: (recommended) Include information on the attributes your SP can use. The name of the attributes only will suffice (see the Requested Attributes page for further information). We recommend inclusion of attributes as part of the registration process to facilitate interoperability, especially with IdPs registered in other federations and imported via eduGAIN.
- Software: (recommended) The SAML product name and software version of the software you have chosen to deploy for your SP. This information enables us to gauge appropriate support levels for software in use within the federation, and we do not publish this information.
- Request Initiator: (required) The Request Initiators provide functionality to start login flows parameterised by IdP entityID. Request Initiators can be expressed in SAML metadata which means that applications can extract the Request Initiator and generate a WAYFless URL. The following element should exist within your metadata if it does not then please provide one.
- Logo: (recommended) The HTTPS-protected URL of a suitable logo. This may be displayed on IdP login pages, and will be displayed on the Central Discovery Service (CDS) if your SP uses the CDS. Please see the federation MDUI Recommendations page for more information. Please do not send image files; we do not include image files directly in the metadata.
- Description: (recommended) A short (100 character) description of the service. It may appear on the IdP login pages. Please see the federation MDUI Recommendations page for more information.
- Sirtfi compliance: If your SP complies with the Sirtfi incident response framework, please indicate that the SP has passed a self-assessment of Sirtfi v1.0. You MUST also provide the name and email address of one or more security contacts for the SP. The email addresses must be reachable from outside your organization. See our Sirtfi documentation page for more information.
- Information for Service Catalogue Send us additional information to add to our Available Services page at registration time. See How to add your Service to the list.
- Research & Scholarship (R&S) entity category: If your SP facilitates research collaboration, it may be eligible for the REFEDS R&S entity category. See our REFEDS R&S documentation page for more information.
- Data Protection Code of Conduct: If your SP is based in the EU/EEA and follows the good practices described in the GÉANT Data Protection Code of Conduct, you can assert that your SP follows the code. See our GÉANT Data Protection Code of Conduct page for more information.