This document provides the resources necessary for setting up a Shibboleth Service Provider (SP).
Request Form and Windows Configuration
If your department or unit has a web resource that you wish to offer to people at another institution, ask your departmental or unit IT staff to fill out the Shibboleth Configuration Request form.
Installation and configuration instructions are available for Windows servers in the document How to Set Up a Shibboleth 2.X Service Provider on Windows and IIS.
Federation Membership
The University of Michigan is a member of the InCommon Federation.
- The federation metadata for InCommon can be obtained at https://spaces.internet2.edu/display/InCFederation/Metadata+Aggregates. U-M recommends use of the production metadata.
- The InCommon certificate is available at https://spaces.internet2.edu/display/InCFederation/Metadata+Signing+Certificate
Available Attributes
The attributes released in Shibboleth SP configurations are detailed in U-M Shibboleth Attribute Release Policy and Procedure. If your SP will require additional attributes, please submit the Shibboleth Attribute Release Form.
Test Environment Resources
U-M requires that testing be completed before your Shibboleth configuration is implemented.
The test metadata is available here:
https://shibboleth.umich.edu/md/UMich-TEST-metadata.xml
The umwebCA certificate must be installed for your SP to be able to use the metadata. That certificate is available here:
http://www.umich.edu/~umweb/umwebCA.pem
In addition, the entityID must be included in the SP configuration, and the ID for the test environment is:
https://shib-idp-test.www.umich.edu/idp/shibboleth
The test environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.
- The login URL is https://shib-idp-test.www.umich.edu/idp/profile/SAML2/Redirect/SSO
- The logout URL is https://shib-idp-test.www.umich.edu/cgi-bin/logout?http://www.umich.edu/
The value after the ? tells the service which page to redirect to upon logout. The logout configuration is limited to sites within the umich.edu domain, so http://www.umich.edu is used as the example here, but you can also use a landing page for your service, put up by the organization or department hosting the service. For example, http://example.umich.edu/serviceoffered
Production Environment Resources
After testing is complete, your Shibboleth installation is ready to be configured for the production environment.
The entityID must be included in the SP configuration, and the ID for the production environment is:
https://shibboleth.umich.edu/idp/shibboleth
The production environment will require production environment metadata, which is available here:
https://shibboleth.umich.edu/md/UMich-metadata.xml
Be sure that the umwebCA certificate is also installed on your machine:
http://www.umich.edu/~umweb/umwebCA.pem
The production environment also has login and logout URLs that may need to be added to your SP, depending on the configuration.
- The login URL is https://shibboleth.umich.edu/idp/profile/SAML2/Redirect/SSO
- The logout URL is https://shibboleth.umich.edu/cgi-bin/logout?http://www.umich.edu/
The value after the ? tells the service which page to redirect to upon logout. The logout configuration is limited to sites within the umich.edu domain, so http://www.umich.edu is used as the example here, but you can also use a landing page for your service, put up by the organization or department hosting the service. For example, http://example.umich.edu/serviceoffered
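The logout URL format and the umich.edu restriction described for both the test and production environments, as an added example that is not part of the original page or U-M's own code: a Python helper that builds the logout link and rejects return pages outside umich.edu before the link is published. The function names and the host-matching rule are assumptions; the page does not say how the logout service itself checks the domain.

```python
from urllib.parse import urlsplit

# Logout endpoints copied from this page.
LOGOUT_ENDPOINTS = {
    "test": "https://shib-idp-test.www.umich.edu/cgi-bin/logout",
    "production": "https://shibboleth.umich.edu/cgi-bin/logout",
}
ALLOWED_DOMAIN = "umich.edu"  # logout redirects are limited to this domain


def is_umich_url(url: str) -> bool:
    """True if url is an absolute http(s) URL on umich.edu or a subdomain.

    Assumed rule (hypothetical helper): exact host match or a dot-separated
    suffix match, so look-alike hosts such as notumich.edu are rejected.
    """
    # Backslashes and whitespace are parsed differently by browsers and by
    # urlsplit, so a URL containing them is refused outright.
    if any(ch == "\\" or ch.isspace() for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips any userinfo ("user@") and port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".").lower()
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def build_logout_url(environment: str, return_url: str) -> str:
    """Return the logout link for 'test' or 'production'.

    The page shows the return page appended unencoded after '?', so the
    same form is produced here.
    """
    if environment not in LOGOUT_ENDPOINTS:
        raise ValueError(f"unknown environment: {environment!r}")
    if not is_umich_url(return_url):
        raise ValueError(f"return page is not within {ALLOWED_DOMAIN}: {return_url!r}")
    return f"{LOGOUT_ENDPOINTS[environment]}?{return_url}"


if __name__ == "__main__":
    print(build_logout_url("test", "http://example.umich.edu/serviceoffered"))
```

Running the check when the SP's logout link is configured catches a return page that would fall outside the umich.edu restriction before users encounter it.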