This document provides the resources necessary for setting up a Shibboleth Service Provider (SP).
Request Form and Windows Configuration
If your department or unit has a web resource that you wish to offer to people at another institution, ask your departmental or unit IT staff to fill out the Shibboleth Configuration Request form.
Installation and configuration instructions are available for Windows servers in the document Install and Configure a Shibboleth Service Provider on Windows and IIS.
Federation Membership
The University of Michigan is a member of the InCommon Federation.
- The federation metadata for InCommon can be obtained at https://spaces.internet2.edu/display/InCFederation/Metadata+Aggregates. U-M recommends use of the production metadata.
- The InCommon metadata signing certificate, which your SP uses to verify the signature on the aggregate, is available at https://spaces.internet2.edu/display/InCFederation/Metadata+Signing+Certificate
Available Attributes
The attributes released in Shibboleth SP configurations are detailed in U-M Shibboleth Attribute Release Policy and Procedure. If your SP will require additional attributes, please submit the Shibboleth Attribute Release Form.
Resources - Table of Contents
- SAML Test Environment Resources
- OIDC Test Environment Resources
- SAML Production Environment Resources
- OIDC Production Environment Resources
SAML Test Environment Resources
Before a Shibboleth SP configuration can be moved to production, U-M requires that testing against the test environment be completed.
The test metadata is available here:
The U-M metadata signing certificate must be installed so that your SP can verify the signature on the test metadata before trusting it. That certificate is available here:
Some Service Provider configurations need to add the U-M assertion signing certificates separately. If that is the case, please use the nonprod assertion signing certificate listed here. Please note this cert has been updated to work with shib-idp-staging.dsc.umich.edu.
In addition, the entityID must be included in the SP configuration, and the ID for the test environment is:
If your SP cannot consume SAML metadata, you may have to configure SSO manually. The test environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.
There are two common bindings for the login endpoint, HTTP-POST and HTTP-Redirect; the end of each URL indicates which binding it uses. Choose the one your software supports. InCommon expects every SP to support at least HTTP-POST.
- Possible login URLs are:
- Possible logout URLs are:
If your application does not support SAML logout, you may use this URL for logout:
Important notes for logout:
- The value after the ? tells the service what page to redirect to upon logout.
- The logout redirect is limited to sites in the umich.edu domain. https://umich.edu/ is used as the example here, but a landing page for your service, hosted by the organization or department offering it (for example, https://example.umich.edu/serviceoffered/), can also be used.
- The URL must have a trailing slash.
OIDC Test Environment Resources
Install and configure your OIDC relying party (client) software.
- The Staging Shibboleth OIDC metadata is available at:
https://shib-idp-staging.dsc.umich.edu/.well-known/openid-configuration
SAML Production Environment Resources
After testing is complete, your Shibboleth installation is ready to be configured for the production environment.
The entityID must be included in the SP configuration, and the ID for the production environment is:
https://shibboleth.umich.edu/idp/shibboleth
The production environment will require production environment metadata, which is available here:
https://shibboleth.umich.edu/md/umich-prod-idps.xml
Be sure that the U-M metadata signing certificate is also installed on your machine:
https://shibboleth.umich.edu/md/umich-md-sign.pem
Some Service Provider configurations need to add the U-M assertion signing certificates separately. If that is the case, please use the production assertion signing certificate listed here.
https://shibboleth.umich.edu/md/shibboleth-production-cert.pem
If your SP cannot consume SAML metadata, you may have to configure SSO manually. The production environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.
There are two common bindings for the login endpoint, HTTP-POST and HTTP-Redirect; the end of each URL indicates which binding it uses. Choose the one your software supports. InCommon expects every SP to support at least HTTP-POST.
- Possible login URLs are:
- Possible logout URLs are:
If your application does not support SAML logout, you may use this URL for logout:
Important notes for logout:
- The value after the ? tells the service what page to redirect to upon logout.
- The logout redirect is limited to sites in the umich.edu domain. https://umich.edu/ is used as the example here, but a landing page for your service, hosted by the organization or department offering it (for example, https://example.umich.edu/serviceoffered/), can also be used.
- The URL must have a trailing slash.
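The manual SSO setup described above (and the identical test-environment steps) amounts to reading the IdP's login/logout endpoints and signing certificate out of its metadata and picking a binding, while the logout notes constrain the landing page. The following Python is an added example of that logic; it is not U-M's or the Shibboleth project's code. The metadata it parses is constructed: the entityID is the production value given on this page, but the host idp.example.org, the endpoint paths, the certificate text and the logout service URL https://idp.example.org/logout are placeholders, and appending the bare landing-page URL after the ? is an assumption because the page does not show the exact query format. It also assumes the metadata file's XML signature was already verified with the U-M metadata signing certificate (a real SP does this in its metadata filter), so the parser checks content only.

```python
"""Extract manual-SSO settings from IdP metadata and validate a logout return URL.

Added example, not U-M's or the Shibboleth project's code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata. The entityID is the production value from this
# page; the host idp.example.org and the certificate text are placeholders,
# not the live U-M metadata.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://shibboleth.umich.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text, expected_entity_id):
    """Return the IdP's SSO/SLO endpoints keyed by binding plus its signing
    certificates. Assumes the file's XML signature was already checked against
    the metadata signing certificate; this parser does not verify signatures."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError("metadata is for %r, expected %r" % (entity_id, expected_entity_id))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity_id, "sso": sso, "slo": slo, "signing_certs": certs}


def choose_login_url(meta, supported_bindings):
    """Prefer HTTP-POST, which InCommon expects every SP to support, then
    HTTP-Redirect; fail if the SP and IdP share no binding."""
    for binding in (HTTP_POST, HTTP_REDIRECT):
        if binding in supported_bindings and binding in meta["sso"]:
            return binding, meta["sso"][binding]
    raise ValueError("no SingleSignOnService binding in common with the IdP")


def valid_logout_return(url):
    """Apply this page's rules for the post-logout landing page: https, a host
    in the umich.edu domain (umich.edu itself or a subdomain, so a host such as
    umich.edu.attacker.example is rejected) and a trailing slash."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False
    if host != "umich.edu" and not host.endswith(".umich.edu"):
        return False
    return parts.path.endswith("/")


def build_logout_url(logout_service, return_url):
    """Append the validated landing page after the '?'. The page does not show
    the exact query format, so this assumes the bare URL follows the '?'."""
    if not valid_logout_return(return_url):
        raise ValueError("return URL not allowed: " + return_url)
    return logout_service + "?" + return_url


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA, "https://shibboleth.umich.edu/idp/shibboleth")
    print(choose_login_url(meta, {HTTP_POST, HTTP_REDIRECT}))
    # hypothetical logout service URL; substitute the one given on this page
    print(build_logout_url("https://idp.example.org/logout", "https://example.umich.edu/serviceoffered/"))
```

Run as a script it prints the chosen login URL and a logout URL. The host check is the part worth copying: a substring match on "umich.edu" would accept umich.edu.attacker.example as a landing page, so the function requires the host to be exactly umich.edu or to end in .umich.edu, and it refuses plain http so the post-logout redirect cannot be downgraded.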
OIDC Production Environment Resources
Install and configure your OIDC relying party (client) software.
- The Production Shibboleth OIDC metadata is available at:
https://shibboleth.umich.edu/.well-known/openid-configuration
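An OIDC relying party configures itself from the discovery document at the URL above. The following Python is an added example, not U-M's code, of consuming such a document and building a PKCE authorization request. The document it parses and the host op.example.org are constructed placeholders, not the live U-M response. It shows the check a client should make before using any of the endpoints: OpenID Connect Discovery defines the document location as issuer plus /.well-known/openid-configuration, so the issuer field must equal the discovery URL minus that suffix (for the URL above that would be https://shibboleth.umich.edu), and a document claiming any other issuer is rejected.

```python
"""Consume an OpenID Provider discovery document and build an authorization
request. Added example, not U-M's code."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document in the shape defined by OpenID Connect
# Discovery 1.0. The host op.example.org and every path are placeholders,
# not U-M's live values.
SAMPLE_DISCOVERY_URL = "https://op.example.org" + WELL_KNOWN
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.org",
    "authorization_endpoint": "https://op.example.org/authorize",
    "token_endpoint": "https://op.example.org/token",
    "userinfo_endpoint": "https://op.example.org/userinfo",
    "jwks_uri": "https://op.example.org/jwks",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
})

REQUIRED_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def expected_issuer(discovery_url):
    """The document lives at issuer + WELL_KNOWN, so the issuer it claims must
    equal the URL it was fetched from minus that suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN)]


def load_provider_config(discovery_url, body):
    """Parse the JSON fetched from discovery_url; reject documents that are
    incomplete, claim a different issuer (mix-up defence) or advertise
    non-HTTPS endpoints."""
    cfg = json.loads(body)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError("discovery document missing " + ", ".join(missing))
    if cfg["issuer"] != expected_issuer(discovery_url):
        raise ValueError("issuer %r does not match %s" % (cfg["issuer"], discovery_url))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(cfg[key]).scheme != "https":
            raise ValueError(key + " is not https")
    return cfg


def code_challenge_s256(code_verifier):
    """PKCE: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_params(cfg, client_id, redirect_uri, state, nonce, code_verifier, scope="openid"):
    """Query parameters for an authorization-code request. PKCE S256 is used
    when the provider advertises it; state binds the callback to this browser
    session and nonce binds the ID token to it."""
    if "code" not in cfg["response_types_supported"]:
        raise ValueError("provider does not support the authorization code flow")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if "S256" in cfg.get("code_challenge_methods_supported", []):
        params["code_challenge"] = code_challenge_s256(code_verifier)
        params["code_challenge_method"] = "S256"
    return params


def build_authorization_url(cfg, client_id, redirect_uri, scope="openid"):
    """Generate fresh state, nonce and verifier; the caller keeps them in the
    session to check the callback and to redeem the code at token_endpoint."""
    session = {
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "code_verifier": secrets.token_urlsafe(48),  # 64 chars, inside RFC 7636's 43..128
    }
    params = authorization_params(cfg, client_id, redirect_uri, session["state"],
                                  session["nonce"], session["code_verifier"], scope)
    return cfg["authorization_endpoint"] + "?" + urlencode(params), session


if __name__ == "__main__":
    provider = load_provider_config(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY)
    url, session = build_authorization_url(provider, "my-client-id", "https://sp.example.org/callback")
    print(url)
```

The client_id and redirect_uri in the script are placeholders for the values registered with the provider. The verifier and challenge pair in the test is the worked example from RFC 7636, which is a quick way to confirm a PKCE implementation before pointing it at a real provider.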