Implementation

Details about the implementation of Shibboleth at Texas A&M University are documented here.

Authentication Payload

Shibboleth returns a standard XML SAML response.

Onboarding New Applications

New service providers are added via compiled metadata that is loaded into the Shibboleth Identity Provider (idp.tamu.edu). IT Enterprise Operations runs this service and can add and update entries, but every identity provider and service provider loaded into Shibboleth is first reviewed by Identity Security.

Warning

Shibboleth authentication is considered a legacy platform and should not be used for new production systems & services. To improve security and streamline access management, we are deprecating legacy platforms like Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward.

Service Provider Example Configuration

Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and takes the form of a URI. For example:

  • https://software.tamu.edu/Shibboleth (Preferred Format)
  • urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu

Metadata

Shibboleth 2.0 and later support metadata in the format defined by the SAML 2.0 specification; the relevant specifications are published by OASIS.

An example document for a Service Provider might consist of the following:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
                  validUntil="2010-03-27T16:28:32Z">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>
                  [base64-encoded certificate used by SP]
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
                                index="1"
                                isDefault="true"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                                Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
                                index="2"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
                                index="3"/>
   </SPSSODescriptor>
   <Organization>
      <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
      <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
   </Organization>
   <ContactPerson contactType="technical">
      <GivenName>Xavier</GivenName>
      <SurName>Chapa</SurName>
      <EmailAddress>xchapa@tamu.edu</EmailAddress>
   </ContactPerson>
</EntityDescriptor>
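As an added example (not part of this page or of the Shibboleth project), a short Python check of the kind the metadata review before onboarding could automate: it parses SP metadata in the SAML 2.0 format shown above and reports an expired validUntil, an entityID that is not an https or urn URI, a missing certificate, or an AssertionConsumerService that is not served over https. The sample metadata string and its placeholder certificate are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, modelled on the page's example; the certificate is a placeholder.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://software.tamu.edu/Shibboleth" validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def check_sp_metadata(xml_text, now=None):
    """Return a list of review findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element {root.tag} is not md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(("https://", "urn:")):
        findings.append(f"entityID {entity_id!r} is not an https:// or urn: URI")
    valid_until = root.get("validUntil")
    if valid_until:  # optional; when present, the IdP stops trusting the entry at this instant
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"validUntil {valid_until} is in the past")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    if SAML2P not in sp.get("protocolSupportEnumeration", "").split():
        findings.append("SPSSODescriptor does not list the SAML 2.0 protocol")
    cert_path = f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"
    if not sp.findall(cert_path):
        findings.append("no X509Certificate in any KeyDescriptor")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for ep in acs:  # assertions carry user attributes, so every ACS must be an https URL
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"ACS index {ep.get('index')} Location {loc!r} is not https")
    return findings
```

Running `check_sp_metadata(SAMPLE)` on the sample reports only the expired validUntil, which is the same expiry date the page's own example carries.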

Legacy Federation Details

Identity Security partners with IT Enterprise Operations to maintain a legacy internal Texas A&M System multilateral federation used to power the available IdPs in TAMUS SSO (sso.tamus.edu).

Current Members

Common Attributes

Friendly Name               URN                                   Required  Derived
displayName                 urn:oid:2.16.840.1.113730.3.1.241     Yes       Yes, from given/surname
givenName                   urn:oid:2.5.4.42                      Yes       No
sn                          urn:oid:2.5.4.4                       Yes       No
mail                        urn:oid:0.9.2342.19200300.100.1.3     Yes       No
eduPersonPrincipalName      urn:oid:1.3.6.1.4.1.5923.1.1.1.6      Yes       No
eduPersonUniqueId           urn:oid:1.3.6.1.4.1.5923.1.1.1.13     Yes       Yes, from tamuEduPersonUIN
tamuEduPersonUIN            urn:oid:1.3.6.1.4.1.4391.0.12         Yes       Yes, by split from eduPersonUniqueId
eduPersonScopedAffiliation  urn:oid:1.3.6.1.4.1.5923.1.1.1.9      No        No
eduPersonAffiliation        urn:oid:1.3.6.1.4.1.5923.1.1.1.1      No        No