You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

For a Shibboleth Identity Provider to join one of the Tuakiri Federations (Test/Dev or Pilot/Production), the following steps have to be done:

  • Registering the IdP in the Federation Registry
  • Configuring the IdP to load the federation metadata
  • Configuring the IdP to release the attributes required by the federation.

There will be two federations available:

  • Tuakiri TEST/Dev (operational as of March 4, 2011)
  • Tuakiri Prod/Pilot (to be live by April 15, 2011)

Federation Details

Registering an IdP into the Federation Registry

Go to the respecting Federation Registry URL and:

  • Register an Organisation for your institution (if not already registered)
  • Wait for the Organisation to be approved
  • Register your IdP under that Organisation
    • Provide the Contact Details for the IdP admin
    • Select the organisation and provide a name and description for your IdP
    • Enter the base URL for your IdP (
    • Enter the PEM encoded certificate used by your IdP for signing Shibboleth assertions
    • Select the attributes the IdP will be able to release to the federation
    • Select supported NameID formats. By default, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is already selected. If supporting SAML1, select also urn:mace:shibboleth:1.0:nameIdentifier.
    • Submit the details and wait for your IdP to be approved.

Configuring your IdP to load the federation metadata:

The code snippets in this section have values for Tuakiri TEST/DEV federation. Please update them accordingly as per the table above - which boils down to removing the "test" component from the file names / URLs in all of the cases.

  • Download the metadata signing certificate into $IDP_HOME/credentials:
    wget -O /usr/local/shibboleth-idp/credentials/tuakiri-test-metadata-cert.pem
  • In $IDP_HOME/conf/relying-party.xml
    • Add the following snippet into the ChainingMetadataProvider:
              <!-- Tuakiri Test -->
              <MetadataProvider id="Tuakiri-TEST" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                  <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                  requireSignedMetadata="true" />
    • And add the following snippet into the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element:
              <security:Credential id="Tuakiri-Test-FederationCredentials-" xsi:type="security:X509Filesystem">
  • Configure attribute release/filtering through the federation instead of explicit configuration:
    • Comment out the explicit policy for in $IDP_HOME/conf/attribute-filter.xml
    • Add the following entry into <Service id="shibboleth.AttributeFilterEngine" in $IDP_HOME/conf/service.xml (note that the URL varies for each IdP and can be obtanined from the Federation Registry):
              <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                                    file="/usr/local/shibboleth-idp/conf/tuakiri-test-attribute-filter.xml" />

Now your IdP should be able to access service provides within the Tuakiri (Test/Dev) federation.

  • No labels