There are six steps to setting up a Shibboleth Service Provider (SP) with the SAML protocol at U-M. Watch this two-minute video to learn about the process.
1. Install and configure the Shibboleth Service Provider software. If you like, you can set it up to use two-factor authentication:
   - Shibboleth Service Provider Configuration Resources
     This document provides the metadata, web certificate, and entityID information for the U-M Identity Provider (IdP) test and production environments.
   - Complete the applicable procedure:
     - Install and Configure a Shibboleth Service Provider for SAML on Windows and IIS
       This document provides instructions for configuring your own Shibboleth Service Provider on Windows.
     - Install and Configure a Shibboleth Service Provider for SAML on Linux and Apache
       This document provides instructions for configuring your own Shibboleth Service Provider on Linux.
   - If desired, complete the applicable procedure to set up two-factor authentication:
     - Configure Your Service Provider for Two-Factor Authentication
       This document provides instructions for enabling two-factor authentication on your Shibboleth Service Provider.
     - Configure Your Service Provider for Step-Up Two-Factor Authentication
       This document provides guidance for requiring two-factor authentication for only a portion of a Shibboleth Service Provider.
2. Generate the SP metadata, which allows your SP and the U-M IdP to communicate.
3. Test the installation to make sure your SP is set up properly. Instructions for testing are in the relevant setup documentation for your SP.
4. Contact the ITS Identity and Access Management team.
   - Submit the Shibboleth Configuration Request Form. You'll need to provide the following information:
     - Your SP's metadata
     - Contact information for the people supporting and configuring your service
     - The entity ID or host name of your service
     - The attributes your service will need to work
   - Review the Attributes Pre-Approved for U-M Release to see if your service will need additional attributes. If so, complete the Shibboleth Attribute Release Request Form.
   - The ITS Identity and Access Management team will contact you to let you know that your service has been set up with the staging IdP.
5. Test your service to make sure that the right information is being released, and to confirm that people are able to log in. Be aware of the relevant Test Environment Resources. If your tests pass, your SP is ready for step six.
6. Prepare for production by updating your configuration files with the Production Environment Resources. Re-generate your metadata and provide it to the Identity and Access Management team.
Releasing a new Shibboleth SP to production could, for complex configurations, take the Identity and Access Management team up to two weeks. Configurations requiring additional attributes, or customized authorization setups can take longer.
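Two of the steps above are easy to get subtly wrong: the metadata you hand to the Identity and Access Management team (step 2, and again in step 6) may carry a plain-http endpoint or lack a certificate, and a shibboleth2.xml that still points at the test IdP will fail once the SP is released against production. The script below is an added example, not code from the U-M documentation or the Shibboleth project. It parses an SP metadata document and a shibboleth2.xml fragment and reports such problems before you submit. The IdP entityIDs and metadata URLs in it are placeholders for the values on the Configuration Resources pages, and both sample XML documents are constructed inline so the script runs offline.

```python
"""Pre-submission checks for a Shibboleth SP (added example; not U-M's or the
Shibboleth project's code). IdP entityIDs and metadata URLs are placeholders
for the values on the U-M configuration resources pages."""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_NS = {"c": "urn:mace:shibboleth:3.0:native:sp:config"}

# Placeholder per-environment IdP settings (constructed, not U-M's real values).
IDP = {
    "test": {"entityID": "https://idp-test.example.edu/idp/shibboleth",
             "metadata": "https://idp-test.example.edu/idp/metadata.xml"},
    "production": {"entityID": "https://idp.example.edu/idp/shibboleth",
                   "metadata": "https://idp.example.edu/idp/metadata.xml"},
}

# Constructed SP metadata in the shape the SP's metadata handler generates,
# with one deliberate defect: the Artifact endpoint is plain http.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://myservice.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myservice.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://myservice.example.edu/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed shibboleth2.xml fragment that still points at the test IdP.
SAMPLE_SHIBBOLETH2_XML = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://myservice.example.edu/shibboleth">
    <Sessions handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp-test.example.edu/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true"
        url="https://idp-test.example.edu/idp/metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""


def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of problems with SP metadata; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append("entityID is %r, expected %r" % (root.get("entityID"), expected_entity_id))
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    # The IdP needs the SP certificate to encrypt assertions and verify signed requests.
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS) is None:
        problems.append("no X509Certificate in KeyDescriptor")
    endpoints = sp.findall("md:AssertionConsumerService", MD_NS)
    if not endpoints:
        problems.append("no AssertionConsumerService endpoints")
    for ep in endpoints:  # assertions must only be delivered to TLS endpoints
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            problems.append("ACS index %s is not https: %s" % (ep.get("index"), loc))
    return problems


def check_sp_config(xml_text, environment):
    """Return problems with shibboleth2.xml for 'test' or 'production'."""
    want = IDP[environment]
    root = ET.fromstring(xml_text)
    problems = []
    sessions = root.find(".//c:Sessions", SP_NS)
    if sessions is None or sessions.get("handlerSSL", "true") != "true":
        problems.append("Sessions handlerSSL must be true")
    sso = root.find(".//c:Sessions/c:SSO", SP_NS)
    if sso is None:
        problems.append("no SSO element")
    elif sso.get("entityID") != want["entityID"]:
        # Name the environment the config still points at, if it is a known one.
        other = [env for env, v in IDP.items() if v["entityID"] == sso.get("entityID")]
        hint = " (this is the %s IdP)" % other[0] if other else ""
        problems.append("SSO entityID is %r, expected %r%s" % (sso.get("entityID"), want["entityID"], hint))
    for mp in root.findall(".//c:MetadataProvider", SP_NS):
        url = mp.get("url", "")
        if url != want["metadata"]:
            problems.append("MetadataProvider url is %r, expected %r" % (url, want["metadata"]))
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_SP_METADATA, "https://myservice.example.edu/shibboleth"):
        print("metadata:", p)
    for p in check_sp_config(SAMPLE_SHIBBOLETH2_XML, "production"):
        print("config:", p)
```

Run against the constructed samples, the metadata check flags the http Artifact endpoint, and the config check for `production` reports that both the SSO entityID and the MetadataProvider URL still point at the test IdP. To use it on a real deployment, replace the placeholder IDP table with the entityIDs and metadata URLs from the Configuration Resources pages and feed it the output of your SP's metadata handler and your shibboleth2.xml. The standard-library parser is adequate here because both inputs are files you generated yourself.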
Configuration Assistance
Additional assistance for U-M IT staff members:
- For SSO examples, including shibboleth-sp and simplesamlphp-sp, see the SSO Examples in GitHub.
- See the Django SAML2 Authentication Made Easy project in GitHub for “a dead simple way to integrate SAML2 Authentication into your Django powered app.”
- See OneLogin's SAML Python Toolkit in GitHub to add SAML support to your Python software using this library.
- For additional instructions, see the documentation provided by ITS or the Shibboleth Project wiki.
Questions or concerns? Send email to: [email protected].
Note: If you're adding Shibboleth to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed.