Shibboleth Service Provider Configuration Resources

This document provides the resources necessary for setting up a Shibboleth Service Provider (SP). 

Request Form and Windows Configuration

If your department or unit has a web resource that you wish to offer to people at another institution, ask your departmental or unit IT staff to fill out the Shibboleth Configuration Request form.

Installation and configuration instructions are available for Windows servers in the document Install and Configure a Shibboleth Service Provider on Windows and IIS.

Federation Membership

The University of Michigan is a member of the InCommon Federation.

Available Attributes

The attributes released in Shibboleth SP configurations are detailed in U-M Shibboleth Attribute Release Policy and Procedure. If your SP will require additional attributes, please submit the Shibboleth Attribute Release Form.


SAML Test Environment Resources

In order to implement your Shibboleth configuration, U-M requires that testing be completed.

The test metadata is available here:

The U-M metadata signing certificate will need to be installed in order for your SP to be able to use the metadata. That certificate is available here:

Some Service Provider configurations need the U-M assertion signing certificate added separately. If that is the case, please use the nonprod assertion signing certificate listed here. Please note that this certificate has been updated to work with shib-idp-staging.dsc.umich.edu.

In addition, the entityID must be included in the SP configuration, and the ID for the test environment is:

If your SP cannot consume SAML metadata, you may have to configure SSO manually. The test environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.

Two bindings are commonly used, HTTP-POST and HTTP-Redirect; the end of each URL indicates which binding it carries. Which one you use depends on what your software supports. According to InCommon, every SP should at least support HTTP-POST.

If your application does not support SAML logout, you may use this URL for logout:

Important notes for logout:

  • The value after the ? tells the service what page to redirect to upon logout.
  • Logout redirection is limited to sites within the umich.edu domain. The example here uses https://umich.edu/, but a landing page for your service, put up by the organization or department hosting the service, can also be used, for example https://example.umich.edu/serviceoffered/
  • The URL must have a trailing slash.

OIDC Test Environment Resources

Install and configure OIDC software.

SAML Production Environment Resources

After testing is complete, your Shibboleth installation is ready to be configured for the production environment.

The entityID must be included in the SP configuration, and the ID for the production environment is:
https://shibboleth.umich.edu/idp/shibboleth

The production environment will require production environment metadata, which is available here:
https://shibboleth.umich.edu/md/umich-prod-idps.xml

Be sure that the U-M metadata signing certificate is also installed on your machine:
https://shibboleth.umich.edu/md/umich-md-sign.pem

Some Service Provider configurations need the U-M assertion signing certificate added separately. If that is the case, please use the production assertion signing certificate listed here.
https://shibboleth.umich.edu/md/shibboleth-production-cert.pem

If your SP cannot consume SAML metadata, you may have to configure SSO manually. The production environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.

Two bindings are commonly used, HTTP-POST and HTTP-Redirect; the end of each URL indicates which binding it carries. Which one you use depends on what your software supports. According to InCommon, every SP should at least support HTTP-POST.
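As an added example (not part of this U-M page or of the Shibboleth project's own distribution files), the fragment below shows where the production values above go in a Shibboleth SP 3 shibboleth2.xml: the U-M IdP entityID in the SSO element, the production metadata URL as a MetadataProvider, and the metadata signing certificate enforced through a Signature filter, so that metadata not signed by that key is rejected rather than trusted. The SP's own entityID, the local file names and the key and certificate paths are placeholders, and umich-md-sign.pem is assumed to be the downloaded signing certificate placed in the SP configuration directory.

```xml
<!-- Added example: minimal Shibboleth SP 3 shibboleth2.xml fragment for the U-M production IdP.
     The SP entityID, local file names and key/cert paths are placeholders; replace them with your own. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

  <!-- entityID here is YOUR service provider's identifier (placeholder), not the IdP's -->
  <ApplicationDefaults entityID="https://sp.example.umich.edu/shibboleth"
                       REMOTE_USER="eppn uid">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <!-- The production IdP entityID from this page. Listing SAML2 lets the SP choose the
           HTTP-POST or HTTP-Redirect endpoint published in the IdP's metadata. -->
      <SSO entityID="https://shibboleth.umich.edu/idp/shibboleth">
        SAML2
      </SSO>

      <!-- SAML2 single logout where the IdP supports it, local session teardown otherwise -->
      <Logout>SAML2 Local</Logout>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Production IdP metadata, fetched from the URL on this page and cached locally.
         The Signature filter rejects any metadata not signed by the U-M metadata signing key;
         umich-md-sign.pem is assumed to be that certificate, downloaded into the SP config directory. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://shibboleth.umich.edu/md/umich-prod-idps.xml"
                      backingFilePath="umich-prod-idps.xml" maxRefreshDelay="7200">
      <MetadataFilter type="Signature" certificate="umich-md-sign.pem" verifyBackup="false"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP signing and encryption keys (placeholder file names) -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

For the test environment, the nonprod entityID, metadata URL and signing certificate from the section above substitute into the same three places.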

If your application does not support SAML logout, you may use this URL for logout:

Important notes for logout:

  • The value after the ? tells the service what page to redirect to upon logout.
  • Logout redirection is limited to sites within the umich.edu domain. The example here uses https://umich.edu/, but a landing page for your service, put up by the organization or department hosting the service, can also be used, for example https://example.umich.edu/serviceoffered/
  • The URL must have a trailing slash.

OIDC Production Environment Resources

Install and configure OIDC software.

Last Updated: Thursday, September 30, 2021