Implementation

Details about the implementation of Shibboleth at Texas A&M University are documented here.

Authentication Payload

Shibboleth returns a standard XML SAML response.

Onboarding New Applications

New service providers are added via compiled metadata that's loaded into the Shibboleth identity server (idp.tamu.edu). IT Enterprise Operations runs this service and can add and update entries; all identity & service providers that are loaded into Shibboleth are first reviewed by Identity Security, however.

Warning

Shibboleth authentication is considered a legacy platform and should not be used for new production systems & services. To improve security and streamline access management, we are deprecating legacy platforms like Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward.

Service Provider Example Configuration

Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and is in the form of a URI. For example:

• https://software.tamu.edu/Shibboleth (Preferred Format)
• urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu

Metadata

Shibboleth 2.0 and later versions of Shibboleth support metadata in the format defined by the SAML 2.0 specification. The relevant specifications are from OASIS.

An example document for a Service Provider might consist of the following:

<EntityDescriptor
   entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
   validUntil="2010-03-27T16:28:32Z">  
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol>"
      <KeyDescriptor>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>
                  [base64-encoded certificate used by SP]
               </ds:X509Certificate>
             </ds:X509Data>
          </ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>
         urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      </NameIDFormat>
      <NameIDFormat>
         urn:mace:shibboleth:1.0:nameIdentifier
      </NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
                        index="1"
                        isDefault="true"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
                        index="2"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
                        index="3"/>
   </SPSSODescriptor>
      <Organization>
          <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
          <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
        <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
    </Organization> 
    <ContactPerson contactType="technical">
         <GivenName>Xavier</GivenName>
         <SurName>Chapa</SurName>
         <EmailAddress>xchapa@tamu.edu</EmailAddress>
         </ContactPerson>  
</EntityDescriptor>    

Legacy Federation Details

Identity Security partners with IT Enterprise Operations to maintain a legacy internal Texas A&M System multilateral federation used to power the available IdPs in TAMUS SSO (sso.tamus.edu).

Current Members

• Texas A&M University - College Station
• Prairie View A&M University - Prairie View
• Tarleton State University - Stephenville
• Texas A&M University - Commerce
• Texas A&M University - Kingsville
• Texas A&M University - Corpus Christi
• Texas A&M University - Texarkana
• Texas A&M University - West Texas
• Texas A&M Health
• Texas A&M International University
• Texas A&M AgriLife
• Texas A&M Engineering Extension Service
• Texas A&M Transportation Institute
• The Texas A&M University System

Common Attributes

Friendly Name	URN	Required	Derived
displayName	urn:oid:2.16.840.1.113730.3.1.241	Yes	Yes, from given/surname
givenName	urn:oid:2.5.4.42	Yes	No
sn	urn:oid:2.5.4.4	Yes	No
mail	urn:oid:0.9.2342.19200300.100.1.3	Yes	No
eduPersonPrincipalName	urn:oid:1.3.6.1.4.1.5923.1.1.1.6	Yes	No
eduPersonUniqueId	urn:oid:1.3.6.1.4.1.5923.1.1.1.13	Yes	Yes, from tamuEduPersonUIN
tamuEduPersonUIN	urn:oid:1.3.6.1.4.1.4391.0.12	Yes	Yes, by split from eduPersonUniqueId
eduPersonScopedAffiliation	urn:oid:1.3.6.1.4.1.5923.1.1.1.9	No	No
eduPersonAffiliation	urn:oid:1.3.6.1.4.1.5923.1.1.1.1	No	No