Registering a Shibboleth Service Provider
You must register your Shibboleth SP's metadata with us in order for it to interoperate with identity providers (IdPs) in the UK federation. You may need to configure more features once your SP is registered, for example authorization conditions.
The UK federation implements a policy of exporting all entities to eduGAIN (with some exceptions). More details concerning this can be found here: https://www.ukfederation.org.uk/content/Documents/EduGAINParticipation
Prerequisites
Before sending the information required for registration, listed below, you must ensure the following:
- You need to install and configure the Shibboleth service provider software. Instructions for this are on the Shibboleth V3 installation page and Shibboleth V3 Configuration pages. You then need to configure the V3 SP for use in the UK federation.
- You have obtained a browser-facing certificate and configured it for port 443 of your SP. The UK federation does not need to know about this browser-facing certificate.
- Your organization controls the domain in the entityID of your SP
- You have read the UK federation Operational Information page.
- You are familiar with the UK federation's Technical Recommendations for Participants, and other UK federation service documents.
Registration procedure
Once these prerequisites have been met:
- A Management Contact for your organisation must email an SP registration request to the UK federation Helpdesk and include the information required for registration, listed below.
- We will verify this information and perform several technical checks. We may need to communicate with the registrant to rectify any issues.
- We then authenticate the trust fabric certificate(s) in the SP metadata by means of an email-based security procedure (see Certificate verification). The Management Contact must reply to our email before we can complete the registration.
- Once we have received the authentication email from the Management Contact, we will publish your SP's metadata in the UK federation metadata on the next publishing run. Please take note that metadata must propagate to the identity providers (IdPs) your SP will interoperate with.
- We will let you know by email once the UK federation metadata has been updated to include the information you have supplied.
- You can test your SP using the UK federation test IdP.
Information required for registration
The information required for registration should be provided in the email body of the message as plain text, please do not provide this as an attachment from your office software, if you must provide an attachment please use a text editor.
You can use the following SP registration request link to create an email message.
- entityID: The entityID is a URI identifying your service provider. The Shibboleth SP software will generate this for you, but you may need to change it to ensure that it conforms with requirements. It must be different from the entityID of any existing entity already in the UK federation. If your service provider is already a member of another federation please give its existing entityID, even if it appears to be federation-specific. If it is not already a member of another federation, please consult the UK federation entityID policy.
- Service Display Name: A brief name for the service. This name may be displayed on IdP login pages, and will be displayed on Third party Discovery Services if your SP uses them. Please see the federation MDUI Recommendations page for more information.
- OrganizationURL: The URL of a web page providing a description of the organisation providing the service.
- Support contact: The name and email address of one or more Support contacts. While a Support contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk').
- Technical contact: The name and email address of one or more Technical contacts. While a Technical contact may be an individual, we would now recommend using a generic email address (either shared or a mailing list) with a generic title (such as 'Help desk').
- Administrative contact: The name and email address of one or more Administrative contacts. Administrative contacts must be named individuals using unshared email addresses as they have the authority to amend or delete their entity's metadata. (Their names and email addresses are not published in the federation metadata.)
- Security contact: (recommended) The name and email address for one or more Security contacts.
- Automatically generated metadata: The SP uses its configuration files to generate its metadata at start-up. This metadata can be found at:
https://hostname/Shibboleth.sso/Metadata
sp.example.com
. Please include the link to the metadata in your email registration request. If the metadata URL is protected by a firewall then please save the metadata as a file and send it as an attachment to your email rather than directly including it. Remember, the metadata reflects your SP's configuration dynamically, so please ensure that you are happy with your configuration before saving the file. If you are sending us the link, please do not modify the configuration file afterwards.
- Requested Attributes: (recommended) Include information on the attributes your SP can use. The name of the attributes only will suffice (see the Requested Attributes page for further information). We recommend inclusion of attributes as part of the registration process to facilitate interoperability, especially with IdPs registered in other federations and imported via eduGAIN.
- Software: (recommended) The SAML product name and software version of the software you have chosen to deploy for your SP, for example Shibboleth SP 3.0.4. This information enables us to gauge appropriate support levels for software in use within the federation, and we do not publish this information.
- Logo: (recommended) The HTTPS-protected URL of a suitable logo. This logo may be displayed on IdP login pages, and will be displayed in Third party Discovery Services if your SP uses them. Please see the federation MDUI Recommendations page for more information. Please do not send image files; we do not include image files directly in the metadata.
- Description: (recommended) A short (100 character) description of the service. It may appear on IdP login pages. Please see the federation MDUI Recommendations page for more information.
Optional information
- Sirtfi compliance: If your SP complies with the Sirtfi incident response framework, please indicate that the SP has passed a self-assessment of Sirtfi v1.0. You MUST also provide the name and email address of one or more security contacts for the SP. The email addresses must be reachable from outside your organization. See our Sirtfi documentation page for more information.
- Information for Service Catalogue Send us additional information to add to our Available Services page at registration time. See How to add your Service to the list.
- Research & Scholarship (R&S) entity category: If your SP facilitates research collaboration, it may be eligible for the REFEDS R&S entity category. If you wish to claim this, you will need to provide more information during registration. See our REFEDS R&S documentation page for details.
- Data Protection Code of Conduct: If your SP is based in the EU/EEA and follows the good practices described in the GÉANT Data Protection Code of Conduct, you can assert that your SP follows the code. If you wish to claim this, you will need to provide more information during registration. See our GÉANT Data Protection Code of Conduct page for details.