Purpose

This document describes the procedure used by a Service Provider (SP) operator to register their SP metadata with the UW.

Background

In order for an SP to work with an IdP, the SP and IdP must have information about each other. This information is referred to as metadata. During the installation process for Windows/IIS or Linux/Apache the SP is configured to retrieve the UW IdP metadata from InCommon. The SP operator provides their SP metadata to the UW IdP via the UW Service Provider Registry (SP Registry). By registering with the UW your SP will be able to authenticate users with UW NetIDs.

If your SP needs to authenticate users from additional InCommon federation sites, you should request registration with InCommon instead.

Registration overview

Registration involves several steps:

  1. Verify that you are permitted to register and manage your SP in the SP Registry. There are three possibilities:
    • Your SP's DNS domain is registered in UW DNS and you are registered with the UW NOC as a DNS contact for that domain (this includes any subdomain of washington.edu or uw.edu). Proceed to step two.
    • Your SP's DNS domain is NOT registered in UW DNS, but you have registered with us as an owner of the DNS domain at some point in the past. Proceed to step two.
    • Your SP's DNS domain is NOT registered in UW DNS, and you have never registered with us as an owner of it. To register your DNS ownership with us, send an email to iam-support@uw.edu with your SP's domain name and a list of the UW NetIDs (UW people) or ePPNs (external people) that should be listed as owners of the domain for SP registration purposes. Proceed to step two after we have registered your DNS ownership.
  2. Gather metadata details about your SP. 
    • These details include your SP's certificates, ACS (Assertion Consumer Service) endpoints, etc.
    • If your SP's Metadata endpoint is accessible to the SP Registry, most of this information can be filled in automatically when you register. SP metadata contains only public information (your certificate, never your private key, and your endpoint URLs), so there is normally no reason not to make it accessible to the world.

  3. Gather information about you and your organization.
    • This includes your organization's name and web address, site administrators names and email addresses, etc.
  4. Use the SP Registry application to submit the new registration.

Registration procedure

Log in to the SP Registry and follow one of the registration processes described below.

Get metadata from SP

Use this process if you have a Shibboleth SP and the standard metadata endpoint (https://<your dns name>/Shibboleth.sso/Metadata) is accessible (i.e. not on a private network or firewalled from the SP Registry): 

  1. Click "Register a New Service Provider"
  2. Enter your SP's entityID
  3. Click "Continue"
  4. In the window that opens, select choice #1. Most of your metadata will be filled in automatically on the registration form. If you did not meet the ownership requirements in step 1 of the "Registration overview" you will receive the error "No permission for <entityID>".
  5. Enter your organization information (Name, Display name, and URL)
  6. Enter the name, email address, and phone number for at least one contact (two contacts are strongly recommended)
  7. Verify that the other metadata is correct for your installation, meaning it matches what you have configured in your shibboleth2.xml file.

    Complex installations, including any with multiple applications configured with ApplicationOverrides, will require manual additions to the generated text.

  8. Click "Save changes"

Allow up to 40 minutes for your SP information to propagate to the UW IdP. Testing won't work until this completes. See Flow of Metadata and Filter Policies from SP Registry to the IdP.

Get metadata from a URL

  1. Click "Register a New Service Provider"
  2. Enter your SP's entityID
  3. Click "Continue" 
  4. In the window that opens, select choice #2. Enter a URL accessible to the SP Registry where you have placed your SP metadata file. Most of your metadata will be filled in automatically on the registration form. If you did not meet the ownership requirements in step 1 of the "Registration overview" you will receive the error "No permission for <entityID>". If a valid metadata file was not found at that URL, you will receive the error "URL did not respond with metadata".
  5. Enter your organization information (Name, Display name, and URL)
  6. Enter the name, email address, and phone number for at least one contact (two contacts are strongly recommended)
  7. Verify that the other metadata is correct for your installation, meaning it matches what you have configured in your shibboleth2.xml file.

    Complex installations, including any with multiple applications configured with ApplicationOverrides, will require manual additions to the generated text.

  8. Click "Save changes"

Allow up to 40 minutes for your SP information to propagate to the UW IdP. Testing won't work until this completes.

Manual registration

  1. Click "Register a New Service Provider"
  2. Enter your SP's entityID
  3. Click "Continue" 
  4. In the window that opens, select choice #3. A registration form will be displayed. If you did not meet the ownership requirements in step 1 of the "Registration overview" you will receive the error "No permission for <entityID>".
  5. Enter your organization information (Name, Display name, and URL)
  6. Enter the name, email address, and phone number for at least one contact (two contacts are strongly recommended)
  7. Check the boxes for protocols your SP will support
  8. In the KeyInfo section, update the certificate name as appropriate and paste in the text of your SP's PEM formatted certificate
  9. In the ACS (Assertion Consumer Service) section, verify that the binding and location information is correct for each ACS. The values provided in the form are only educated guesses based on default Shibboleth configurations and the entityID you provided. It is your responsibility to ensure the information matches what you have configured in your shibboleth2.xml file
    1. If you need to add an additional ACS, click "Add ACS," select the binding from the drop-down menu, and enter the correct URL for the location
    2. If you want to delete an ACS, click the "X" next to the location text box
  10. Click "Save changes"

Allow up to 40 minutes for your SP information to propagate to the UW IdP. Testing won't work until this completes. See Flow of Metadata and Filter Policies from SP Registry to the IdP.

Registration by API

You can register your SP, or update an existing registration, by PUTting your metadata document to the SP Registry's metadata endpoint.

  • PUT https://iam-tools.u.washington.edu/spreg/ws/metadata?id={your_SP's_entity_id}&mdid=UW

  • Authenticate with a UWCA certificate

    • The certificate's CN or a subjectAltName must match the host name in the DNS portion of the entityID, or a subdomain of it.
  • The content is your metadata document.
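As an added example that is not part of the UW documentation or the SP Registry's own tooling, the following Python script does the local checks a practitioner would want before either transcribing metadata into the registration form (steps 2 and 7 of the procedures above) or submitting it by the API just described: it parses the SP's metadata, confirms that the entityID, certificates and ACS endpoints look right, and then builds and sends the PUT. It assumes (nothing on the page says so) that the registry expects the document's entityID to equal the id query parameter and accepts the Content-Type application/samlmetadata+xml, and that the UWCA client certificate and key are available as PEM files; the sample metadata and its certificate bytes are constructed, not real.

```python
"""Pre-flight checks on Shibboleth SP metadata, then the SP Registry PUT.

Added example, not UW SP Registry code. Assumptions (not stated on the
page): the document's entityID must equal the `id` query parameter, and
the endpoint accepts Content-Type application/samlmetadata+xml.
"""
import base64
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SPREG_URL = "https://iam-tools.u.washington.edu/spreg/ws/metadata"  # from the page

# Constructed sample (not a real SP): the shape of what a default Shibboleth SP
# serves at /Shibboleth.sso/Metadata. The "certificate" is a DER-looking
# placeholder, not a real X.509 certificate. The second ACS is deliberately
# http:// so the checker has something to catch.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82" + bytes(32)).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.washington.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.washington.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.washington.edu/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Pull out the fields the registration form asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    certs = ["".join(c.text.split()) for c in root.iter(f"{{{DS_NS}}}X509Certificate") if c.text]
    acs = [(a.get("Binding"), a.get("Location"), a.get("index"))
           for a in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return {"entity_id": root.get("entityID"), "certs": certs, "acs": acs}


def check_metadata(meta, expected_entity_id):
    """Return a list of problems; an empty list means the document is fit to submit."""
    problems = []
    eid = meta["entity_id"]
    if eid != expected_entity_id:
        problems.append(f"entityID {eid!r} does not match the id being registered {expected_entity_id!r}")
    if not meta["certs"]:
        problems.append("no X509Certificate in any KeyDescriptor")
    for i, cert in enumerate(meta["certs"], 1):
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"certificate {i}: not valid base64")
            continue
        if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate {i}: not DER (was the PEM header/footer pasted in?)")
    if not meta["acs"]:
        problems.append("no AssertionConsumerService endpoints")
    entity_host = urllib.parse.urlsplit(eid or "").hostname or ""
    for _binding, location, index in meta["acs"]:
        u = urllib.parse.urlsplit(location or "")
        if u.scheme != "https":
            problems.append(f"ACS {index}: Location is not https: {location}")
        if entity_host and u.hostname and u.hostname != entity_host \
                and not u.hostname.endswith("." + entity_host):
            problems.append(f"ACS {index}: host {u.hostname} is not {entity_host} or a subdomain of it")
    return problems


def build_put_request(entity_id, metadata_bytes, mdid="UW"):
    """The PUT from the page: ?id=<entityID>&mdid=UW with the metadata document as the body."""
    query = urllib.parse.urlencode({"id": entity_id, "mdid": mdid})
    return urllib.request.Request(f"{SPREG_URL}?{query}", data=metadata_bytes, method="PUT",
                                  headers={"Content-Type": "application/samlmetadata+xml"})


def register(entity_id, metadata_path, cert_path, key_path):
    """Check locally, then submit authenticated with the UWCA client certificate (PEM files assumed)."""
    with open(metadata_path, "rb") as f:
        data = f.read()
    problems = check_metadata(parse_sp_metadata(data.decode()), entity_id)
    if problems:
        raise SystemExit("refusing to submit:\n  " + "\n  ".join(problems))
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_path, key_path)  # the UWCA certificate authenticates the PUT
    with urllib.request.urlopen(build_put_request(entity_id, data), context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    if len(sys.argv) == 5:  # entityID metadata.xml client-cert.pem client-key.pem
        print(register(*sys.argv[1:]))
    else:
        for p in check_metadata(parse_sp_metadata(SAMPLE_METADATA),
                                "https://sp.example.washington.edu/shibboleth"):
            print("PROBLEM:", p)
```

Run it with the entityID, the metadata file, and the UWCA certificate and key paths to submit; with no arguments it only checks the constructed sample and reports the http:// endpoint. Because the check runs before the PUT and refuses to submit on any problem, a metadata file that still carries a default guess or an http:// endpoint cannot be registered by mistake, which is the same verification the form-based procedures ask you to do by hand in step 7.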

Maintenance of your registration

It's important for communication between our IdP and your SP, and between our administrators and yours, that your information be kept up-to-date. Return to the SP Registry at any time to update your SP's information. At the SP Registry:

  1. Enter your SP's entityID in the search box
  2. Select your SP from the list
  3. Click "Edit" on the metadata tab to edit SP metadata
  4. Update your information as needed and click "Save changes"