
Purpose

This document describes the procedure used by a Service Provider (SP) operator to register their SP metadata with the UW.

Background

In order for an SP to work with an IdP, the SP and IdP must have information about each other. This information is referred to as metadata. During the installation process for Windows/IIS or Linux/Apache the SP is configured to retrieve the UW IdP metadata from InCommon. The SP operator provides their SP metadata to the UW IdP via the UW Service Provider Registry (SP Registry). By registering with the UW your SP will be able to authenticate users with UW NetIDs.

If your SP needs to authenticate users from additional InCommon federation sites, you should request registration with InCommon instead.

Registration overview

Registration involves several steps:

  1. Verify that you are permitted to register and manage your SP in the SP Registry.  There are three possibilities:

    • Your SP's DNS domain is registered in UW DNS and you are registered with the UW NOC as a DNS contact for that domain (this includes any subdomain of washington.edu or uw.edu).  Proceed to step two.  
    • Your SP's DNS domain is NOT registered in UW DNS, but you have registered with us as an owner of the DNS domain at some point in the past.  Proceed to step two.  
    • Your SP's DNS domain is NOT registered in UW DNS, and you have never registered with us as an owner of it.  To register your DNS ownership with us, send an email to iam-support@uw.edu with your SP's domain name and a list of the UW NetIDs (UW people) or ePPNs (external people) that should be listed as owners of the domain for SP registration purposes.  Proceed to step two after we have registered your DNS ownership.  

  2. Gather metadata details about your SP.

    • These details include your SP's certificates, ACS endpoints, etc.
    • If your SP's Metadata endpoint is accessible to the SP Registry, most of this information will be filled in automatically when you register. There is normally no reason not to make this endpoint accessible to the world, since SP metadata contains only public information (entityID, endpoints, and public certificates).

      By default your Metadata endpoint is located at https://<your dns name>/Shibboleth.sso/Metadata

    • Otherwise you will have to fill in the details yourself.
  3. Gather information about you and your organization.
    • This includes your organization's name and web address, site administrators names and email addresses, etc.
  4. Use the SP Registry application to submit the new registration.

Registration procedure

Log in to the SP Registry and follow the automatic registration or the manual registration process described below. If your SP runs Shibboleth software and the standard metadata endpoint is accessible by the SP Registry server, you may use automatic registration.  If your SP runs some other SAML software, doesn't use the standard Shibboleth metadata endpoint, or the metadata endpoint isn't accessible by the SP Registry server, you will need to follow the manual registration instructions.

Automatic registration

  1. Click "Register a New Service Provider"
  2. Enter your SP's entityID
  3. Check the box to "Get metadata from the SP"
  4. Click continue. Most of your metadata will be filled in automatically on the registration form. If you did not meet the ownership requirements in step 1 of the "Registration overview" you will receive the error "No permission for <entityID>"
  5. Enter your organization information (Name, Display name, and URL)
  6. Enter the name, email address, and phone number for at least one contact (two contacts are strongly recommended)
  7. Verify that the other metadata is correct for your installation, meaning it matches what you have configured in your shibboleth2.xml file.

    Complex installations, including any with multiple applications configured with ApplicationOverrides, will require manual additions to the generated text.

  8. Click "Save changes"

Allow 40 min for your SP information to propagate to the UW IdP. Testing won't work until this completes. See Flow of Metadata and Filter Policies from SP Registry to the IdP.

Manual registration

  1. Click "Register a New Service Provider"
  2. Enter your SP's entityID
  3. Clear the checkbox to "Get metadata from the SP"
  4. Click continue. A registration form will be displayed. If you did not meet the ownership requirements in step 1 of the "Registration overview" you will receive the error "No permission for <entityID>"
  5. Enter your organization information (Name, Display name, and URL)
  6. Enter the name, email address, and phone number for at least one contact (two contacts are strongly recommended)
  7. Check the boxes for protocols your SP will support
  8. In the KeyInfo section, update the certificate name as appropriate and paste in the text of your SP's PEM-formatted certificate
  9. In the ACS (Assertion Consumer Service) section, verify that the binding and location information is correct for each ACS. The values provided in the form are only educated guesses based on default Shibboleth configurations and the entityID you provided. It is your responsibility to ensure the information matches what you have configured in your shibboleth2.xml file.
    1. If you need to add an additional ACS, click "Add ACS," select the binding from the drop-down menu, and enter the correct URL for the location
    2. If you want to delete an ACS, click the "X" next to the location text box
  10. Click "Save changes"
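The following script is an added example for the "Gather metadata details" step and for verifying the KeyInfo and ACS entries during manual registration; it is not part of the SP Registry or of the Shibboleth distribution. It parses the XML that the standard /Shibboleth.sso/Metadata endpoint returns, pulls out the entityID, supported protocols, signing certificates (rewrapped as PEM text ready to paste into the KeyInfo section), and the ACS bindings and locations, then compares the declared ACS list against the form's guessed values. The sample metadata, host name, entityID and certificate bytes are constructed placeholders, not a real SP.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces (standard, not assumptions).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the X509Certificate element text.
# Real metadata carries the base64 DER of the SP's certificate; this is not one.
_PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate " * 3
).decode()

# Constructed sample of what https://<your dns name>/Shibboleth.sso/Metadata returns.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.washington.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:KeyName>sp.example.washington.edu</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>@@CERT@@</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.washington.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.washington.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", _PLACEHOLDER_CERT_B64)

# Constructed stand-in for the registry form's "educated guesses": the POST
# location is right, the Artifact location carries a port the SP does not use.
FORM_GUESSES = [
    ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     "https://sp.example.washington.edu/Shibboleth.sso/SAML2/POST"),
    ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
     "https://sp.example.washington.edu:8443/Shibboleth.sso/SAML2/Artifact"),
]


def to_pem(b64_text: str) -> str:
    """Rewrap the bare base64 from <ds:X509Certificate> as a PEM block (64-char lines)."""
    body = "".join(b64_text.split())  # metadata often wraps the base64 across lines
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields the SP Registry form asks for from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.get("entityID") is None or sp is None:
        raise ValueError("not an SP EntityDescriptor")
    certs = []
    for key_info in sp.findall("md:KeyDescriptor/ds:KeyInfo", NS):
        b64 = "".join((key_info.findtext("ds:X509Data/ds:X509Certificate", "", NS)).split())
        certs.append({
            "key_name": key_info.findtext("ds:KeyName", "", NS),
            "pem": to_pem(b64),
            # SHA-256 over the DER bytes, for checking against the cert on the server.
            "sha256": hashlib.sha256(base64.b64decode(b64)).hexdigest(),
        })
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"), "index": e.get("index")}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "protocols": sp.get("protocolSupportEnumeration", "").split(),
        "certificates": certs,
        "acs": acs,
    }


def compare_acs(declared: list, form_values: list) -> dict:
    """Report ACS entries the metadata declares but the form lacks, and vice versa."""
    have = {(a["binding"], a["location"]) for a in declared}
    form = set(form_values)
    return {
        "missing_from_form": sorted(have - form),
        "not_in_metadata": sorted(form - have),
    }


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    print("protocols:", ", ".join(info["protocols"]))
    for cert in info["certificates"]:
        print(f"certificate {cert['key_name']} sha256={cert['sha256']}\n{cert['pem']}")
    for a in info["acs"]:
        print(f"ACS index={a['index']} {a['binding']} -> {a['location']}")
    print("ACS differences vs form:", compare_acs(info["acs"], FORM_GUESSES))
```

To use it against a live SP, fetch the metadata URL with any HTTP client and pass the body to parse_sp_metadata; every ACS the form lists should then appear in "missing_from_form" and "not_in_metadata" as empty lists before you click "Save changes", and the printed PEM block is what goes into the KeyInfo section.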

Maintenance of your registration

It is important for communication between our IdP and your SP, and between our administrators and yours, that your information be kept up to date. Return to the SP Registry at any time to update your SP's information. At the SP Registry:

  1. Enter your SP's entityID in the search box
  2. Select your SP from the list
  3. Click "Edit" on the metadata tab to edit SP metadata
  4. Update your information as needed and click "Save changes"