Shibboleth Service Provider Support

This page collects support documentation for Shibboleth Service Providers (SPs) that use the UW Shibboleth Identity Provider (IdP). These documents are intended to help ease the learning curve for inexperienced SP operators and to provide references on UW-specific Shibboleth services and configurations. We don’t intend to cover every possible SP application integration scenario, nor do we expect our documentation to replace the comprehensive and authoritative documentation provided by the Shibboleth project.

Shibboleth Project

• Shibboleth Project Home
• Shibboleth Documentation Wiki
• Shibboleth Project Mailings Lists
  • Announce – Low traffic list for important announcements such as new releases and security advisories. All SP operators should join this list.
  • Users – High traffic list used for discussion of deployment issues. You might want to subscribe, but even if not the searchable list archives are valuable for troubleshooting.
  • Dev – Used for discussion of development issues.

Installation Guides

• Install Shibboleth Service Provider 3.x on Windows and IIS
• Install Shibboleth Service Provider on Linux and Apache
• Install Apache and Shibboleth on RHEL6 (user contributed)
• Shibboleth Consortium Linux Install
• InCommon Trusted Access Platform Release

Service Provider Registration Topics

• Register a Service Provider with the UW
• Shibboleth Service Provider Registry Application
• Request Service Provider Registration with InCommon
• Transition a Service Provider Registration Between the UW and InCommon
• Certificate Rollover for Service Providers

Attribute Topics

• Guide to NameID Formats and Attributes Available from the UW IdP
• Request a NameID and Attributes from the UW IdP
• Configure a Service Provider to Use Attributes
• Signed Responses vs. Signed Assertions
• About REMOTE_USER and HTTP_REMOTEUSER
• Passing Attributes to a Tomcat Application
• IdP Provided Attributes vs. Other Sources of Information

Multi-site Configuration

• Configure a Service Provider with Multiple Web Sites (one entity ID)
• Configure a Service Provider with Multiple Web Sites (multiple entity IDs)

Session Management Topics

• Configure Service Provider Timeouts
• Configure Service Provider Logout
• Configure a Service Provider to Force Re-Authentication
• Configure a Service Provider for Two-Factor Authentication
• Configure a Service Provider for Step-up Two-Factor Authentication

Access Control Topics

• Request Conditional Access and Automatic or Conditional Two-Factor Authentication
• Using Apache “require” Directives with gws_groups
• Using the XML Access Control Plug-in

Metadata Topics

• UW IdP Metadata
• Configure a Shibboleth SP to use the InCommon Per-Entity Metadata Distribution Service
• Configure a Shibboleth SP to Consume Metadata from a Local IdP Endpoint
• Configure a Shibboleth SP to Use the InCommon Metadata Aggregate File

Federation Topics

• Configure IdP Discovery (multiple IdPs) for a Service Provider
• UW IdP Support for “R&S” Category
• Configure Shibboleth SP to use the UW Social Gateway

Client Transition Topics

• Comparison Between Pubcookie and Shibboleth Features
• Shibboleth SP Migration to IdP Native Authentication Flow – completed July 2018 – completed July 2018

Other Topics

• Apache Directives for Shibboleth Service Providers
• Guide to Service Provider Certificates
• HTTP to HTTPS Redirect

 Community Contributions

• Shibboleth on EC2 – advanced scenario
• Configuring Node.js SAML authentication using passport-saml
• Integrating the UW IdP with Pantheon WordPress websites
• mod_rewrite: WordPress and Drupal tips