Set Up a SAML Service Provider for use with Shibboleth at U-M

There are six steps to setting up a Shibboleth Service Provider (SP) with the SAML protocol at U-M. Watch this two-minute video to learn about the process.

Note: The latest version of the Shibboleth Service Provider software is SP3. Please refer to the Shibboleth SP3 wiki for the most up-to-date installation and configuration information.
  1. Install and configure the Shibboleth Service Provider software. If you like, you can set it up to use two-factor authentication.
  2. Generate the SP metadata, which allows your SP and the U-M IdP to communicate.
  3. Test the installation to make sure your SP is set up properly. Instructions for testing are in the relevant setup documentation for your SP.
  4. Contact the ITS Identity and Access Management team. 
    1. Submit the Shibboleth Configuration Request Form. You'll need to provide the following information:
      • Your SP's metadata
      • Contact information for the people supporting and configuring your service
      • The entity ID or host name of your service
      • The attributes your service will need to work
    2. Review the Attributes Pre-Approved for U-M Release to see if your service will need additional attributes. If so, complete the Shibboleth Attribute Release Request Form.
    3. The ITS Identity and Access Management team will contact you to let you know that your service has been set up with the staging IdP.
  5. Test your service to make sure that the right information is being released, and to confirm that people are able to log in. Be aware of the relevant Test Environment Resources. If your tests pass, your SP is ready for step six.
  6. Prepare for production by updating your configuration files with the Production Environment Resources. Re-generate your metadata and provide it to the Identity and Access Management team.
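
Before sending metadata to the Identity and Access Management team in step 4, and again after re-generating it in step 6, it helps to read back what the file actually declares. The following is an added example, not U-M or Shibboleth project tooling: it parses one SP EntityDescriptor and reports the entity ID, the AssertionConsumerService endpoints, and the key descriptors. The sample metadata, the sp.example.edu host, and the choice of checks (HTTPS endpoints, a certificate present) are assumptions for illustration, not stated U-M requirements.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; sp.example.edu is a placeholder, not a U-M value.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def review_sp_metadata(xml_text):
    """Return (summary, problems) for one SP EntityDescriptor (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {}, ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID is missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"entity_id": entity_id}, problems + ["no SPSSODescriptor"]
    # Endpoints the IdP will POST assertions to; flag any that are not HTTPS.
    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for loc in acs:
        if not loc.startswith("https://"):
            problems.append("ACS endpoint is not https: " + loc)
    # A KeyDescriptor without a "use" attribute applies to signing and encryption.
    uses = [k.get("use", "signing+encryption") for k in sp.findall("md:KeyDescriptor", NS)]
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X509Certificate in any KeyDescriptor")
    return {"entity_id": entity_id, "acs": acs, "key_uses": uses}, problems

if __name__ == "__main__":
    summary, problems = review_sp_metadata(SAMPLE_METADATA)
    print(summary)
    for p in problems:
        print("PROBLEM:", p)
```

Running the same check on the staging and production metadata files makes it easy to confirm that the entity ID and endpoints changed as intended between step 4 and step 6.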

Releasing a new Shibboleth SP to production could, for complex configurations, take the Identity and Access Management team up to two weeks. Configurations requiring additional attributes or customized authorization setups can take longer.

Configuration Assistance

Additional assistance for U-M IT staff members:

Questions or concerns? Send email to: [email protected].

Note: If you're adding Shibboleth to a vendor-provided service, the Identity and Access Management team is happy to work with the vendor on technical issues, but it is expected that you will maintain the vendor relationship and initiate contact with the vendor when needed.

Last Updated: Monday, September 19, 2022