This page provides instructions for configuring a SAML Service Provider (SP) to use the UW Social Gateway. The target audience is SP operators who want to enable sign-on to an application using Google and/or Facebook credentials. Examples are provided for SAML SPs using Shibboleth software.
The Service Provider Registry provides an interface to register SPs to use the new UW Social gateway. By configuring an SP to use the gateway, the SP can consume credentials from social identity providers while speaking only the SAML protocol. The UW Social gateway acts as an intermediary and translator between the SAML protocol used by the SP and the native protocols used by the social identity providers. This approach is an alternative to installing additional software on the SP that implements native support for social login protocols.
- Sign up for the service.
  - Browse to the Service Provider Registry.
  - Find your SP.
  - Select the Gateways tab.
  - Click Edit.
  - In the dialog window that pops up, check the "Allow Social logins" box.
  - Click Save Changes.
- Configure the metadata source.
  - Add the UW Social Gateway's IdP metadata location to your SP's metadata provider configuration. If you use Shibboleth SP software, add it after the InCommon <MetadataProvider> block (see example 1 or 2 below). Note: the Shibboleth SP is sometimes unable to fetch the metadata from this location, so you may want to download a copy of the metadata, place it in the Shibboleth configuration folder, and specify the file name in backingFilePath (see example 1 or 2 for details).
  - The UW gateway's Google metadata URL is: https://idp-gw.u.washington.edu/metadata/google-metadata.xml
  - The UW gateway's Facebook metadata URL is: https://idp-gw.u.washington.edu/metadata/facebook-metadata.xml
  - The metadata at both locations is digitally signed using the UW IdP's signing certificate. If the metadata is downloaded via the HTTPS protocol from the locations listed above, signature verification is optional. If the metadata is sourced from any other location, signature verification should be configured. See UW IdP Metadata for instructions and certificate download.
- Configure a session initiator to invoke a Google or Facebook sign-in.
  - For Google sign-on, the target entityID is https://idp-gw.u.washington.edu/google.
  - For Facebook sign-on, the target entityID is https://idp-gw.u.washington.edu/facebook.
  - Example 3 demonstrates a SessionInitiator configuration element for Shibboleth SP software.
- Configure a location to trigger a Google or Facebook sign-in using a session initiator.
  - Example 4 demonstrates an .htaccess configuration for Shibboleth SPs under Apache.
  - Example 5 demonstrates how to configure the <RequestMapper> element for Shibboleth SPs under Windows.
Example 1. Gateway metadata providers in shibboleth2.xml, with an absolute backingFilePath.
<ApplicationDefaults>
  ...
  <!-- metadata URL for Google -->
  <MetadataProvider type="XML" url="https://idp-gw.u.washington.edu/metadata/google-metadata.xml"
      backingFilePath="/data/apacheconfig/google-metadata.xml"
      reloadInterval="7200">
  </MetadataProvider>
  <!-- metadata URL for Facebook -->
  <MetadataProvider type="XML" url="https://idp-gw.u.washington.edu/metadata/facebook-metadata.xml"
      backingFilePath="/data/apacheconfig/facebook-metadata.xml"
      reloadInterval="7200">
  </MetadataProvider>
  ...
</ApplicationDefaults>
Example 2. Gateway metadata providers in shibboleth2.xml, with a backingFilePath relative to the Shibboleth configuration folder.
<ApplicationDefaults>
  ...
  <!-- metadata URL for Google -->
  <MetadataProvider type="XML" url="https://idp-gw.u.washington.edu/metadata/google-metadata.xml"
      backingFilePath="google-metadata.xml"
      reloadInterval="7200">
  </MetadataProvider>
  <!-- metadata URL for Facebook -->
  <MetadataProvider type="XML" url="https://idp-gw.u.washington.edu/metadata/facebook-metadata.xml"
      backingFilePath="facebook-metadata.xml"
      reloadInterval="7200">
  </MetadataProvider>
  ...
</ApplicationDefaults>
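Examples 1 and 2 rely on HTTPS to the gateway host for integrity. The fragment below is an added example (not from the original page or from UW IT) for the case the text flags: metadata sourced from somewhere else, where the signature must be verified. The mirror host, the certificate file name, and the validUntil handling are assumptions.

```xml
<!-- shibboleth2.xml fragment (added example). Assumed names: the mirror host
     metadata-mirror.example.org and the certificate file uw-idp-md-signing-cert.pem,
     which must be the UW IdP signing certificate, placed in the Shibboleth
     configuration folder (paths in "certificate" are relative to that folder). -->
<ApplicationDefaults>
  ...
  <!-- WEAK: metadata fetched from a plain-http mirror with no signature check.
       Anyone able to alter the mirror or the network path could substitute an
       IdP key, and the SP would then accept assertions signed with that key. -->
  <MetadataProvider type="XML"
      url="http://metadata-mirror.example.org/google-metadata.xml"
      backingFilePath="/data/apacheconfig/google-metadata.xml"
      reloadInterval="7200">
  </MetadataProvider>

  <!-- CORRECTED: same source, but the XML signature on the metadata is
       verified against the UW IdP signing certificate before any of it is
       trusted. The Signature filter also checks the cached backing file on
       startup (verifyBackup defaults to true), so a tampered cache is rejected
       as well. Failed verification is logged by shibd and the provider loads
       nothing rather than unsigned content. -->
  <MetadataProvider type="XML"
      url="http://metadata-mirror.example.org/google-metadata.xml"
      backingFilePath="/data/apacheconfig/google-metadata.xml"
      reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="uw-idp-md-signing-cert.pem"/>
    <!-- Optional hardening, only if the downloaded gateway metadata carries a
         validUntil attribute (check the file first; without one this filter
         rejects the metadata): cap how long a stale copy stays trusted.
         Value in seconds, here 28 days. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  </MetadataProvider>
  ...
</ApplicationDefaults>
```

The same two filters apply unchanged to the Facebook metadata provider; one Signature filter per provider, since each provider verifies its own document.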
Example 3. SessionInitiator elements for the Google and Facebook gateway entityIDs (shibboleth2.xml).
<ApplicationDefaults>
  ...
  <Sessions>
    ...
    <!-- login via saml proxy to Google -->
    <SessionInitiator isDefault="false" type="Chaining" id="UWGOOGLE"
        Location="/SHIB/idp-proxy-google" relayState="cookie"
        entityID="https://idp-gw.u.washington.edu/google"
        forceAuthn="false">
      <!-- Uncomment the appropriate line below -->
      <!-- Windows example -->
      <!-- <SessionInitiator type="SAML2" template="bindingTemplate.html"/> -->
      <!-- UNIX example -->
      <!-- <SessionInitiator type="SAML2" template="/data/local/etc/shibboleth/bindingTemplate.html"/> -->
    </SessionInitiator>
    <!-- login via saml proxy to Facebook -->
    <SessionInitiator isDefault="false" type="Chaining" id="UWFACEBOOK"
        Location="/SHIB/idp-proxy-facebook" relayState="cookie"
        entityID="https://idp-gw.u.washington.edu/facebook"
        forceAuthn="false">
      <!-- Uncomment the appropriate line below -->
      <!-- Windows example -->
      <!-- <SessionInitiator type="SAML2" template="bindingTemplate.html"/> -->
      <!-- UNIX example -->
      <!-- <SessionInitiator type="SAML2" template="/data/local/etc/shibboleth/bindingTemplate.html"/> -->
    </SessionInitiator>
  </Sessions>
  ...
</ApplicationDefaults>
Example 4. .htaccess configuration for a Shibboleth SP under Apache; ShibRequireSessionWith names the session initiator id from example 3.
# Google example
AuthType shibboleth
ShibRequireSession On
ShibRequireSessionWith UWGOOGLE
Require valid-user

# Facebook example
AuthType shibboleth
ShibRequireSession On
ShibRequireSessionWith UWFACEBOOK
Require valid-user
Example 5. <RequestMapper> configuration for a Shibboleth SP under Windows; requireSessionWith names the session initiator id from example 3.
<RequestMapper type="Native">
  <RequestMap>
    <!--
    The example requires a session for documents in /secure on the containing host with http and
    https on the default ports. Note that the name and port in the <Host> elements MUST match
    Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
    -->
    <Host name="app.example.org" redirectToSSL="443">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
      <Path name="secure2" authType="shibboleth" requireSessionWith="UWGOOGLE" requireSession="true"/>
      <Path name="secure3" authType="shibboleth" requireSessionWith="UWFACEBOOK" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
The social gateway releases a SAML nameid formatted as an email address.
The attributes listed in Table 1 are returned from the social gateway to the SP in the authentication response. For Shibboleth SPs, the SAML URNs are mapped to attribute names in the attribute-map.xml file. See Configure a Service Provider to Use Attributes for more information on attribute mapping.
Table 1. Attributes released by the social gateway. The Google and Facebook names are listed for reference. An SP using the gateway will only see the friendly name and the SAML URN.
[1] The eduPersonTargetedID is created by the gateway using a function based on the Google subject or the Facebook ID field.
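As an added example (not from the original page or from UW IT) of the attribute-map.xml mapping the text refers to, the fragment below exposes the gateway's email-format NameID and the eduPersonTargetedID footnoted above to the application. The SAML names used are the standard identifiers for those two items, not values copied from Table 1; the local ids social-email and persistent-id are arbitrary choices, and the eduPersonTargetedID decoder assumes the gateway sends it in the usual SAML 2 form (a NameID inside the attribute).

```xml
<!-- attribute-map.xml fragment (added example). The two "name" values are the
     standard SAML identifiers; the "id" values are local choices and become the
     variable names the application reads. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- The gateway releases the user's email as the Subject NameID, not as an
       attribute. Using the NameID Format as the "name" with a
       NameIDAttributeDecoder lifts it out of the Subject into the
       "social-email" variable. -->
  <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             id="social-email">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name"/>
  </Attribute>

  <!-- eduPersonTargetedID (assumed here to arrive as a NameID nested inside
       the attribute). Keeping NameQualifier and SPNameQualifier in the value
       scopes the opaque identifier to this gateway/SP pair, so an identical
       string issued by some other IdP cannot be confused with this user. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                      formatter="$NameQualifier!$SPNameQualifier!$Name"
                      defaultQualifiers="true"/>
  </Attribute>
</Attributes>
```

Treat the email value as an identifier the social provider asserted, not as proof of mailbox control: a practical check is to key application accounts on persistent-id and use social-email for display or correlation only.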