Implementation
Details about the implementation of Shibboleth at Texas A&M University are documented here.
Authentication Payload
Shibboleth returns a standard XML SAML response.
Onboarding New Applications
New service providers are added via compiled metadata that is loaded into the Shibboleth identity server (the IdP, idp.tamu.edu). IT Enterprise Operations runs this service and can add and update entries; however, every identity provider and service provider loaded into Shibboleth is first reviewed by Identity Security.
Shibboleth authentication is considered a legacy platform and should not be used for new production systems & services. To improve security and streamline access management, we are deprecating legacy platforms like Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward.
Service Provider Example Configuration
Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and is in the form of a URI. For example:
- https://software.tamu.edu/Shibboleth
- urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu (preferred format)
Metadata
Shibboleth 2.0 and later support metadata in the format defined by the SAML 2.0 specification; the relevant specifications are published by OASIS.
An example document for a Service Provider might consist of the following:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
                  validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Certificate the SP uses to sign requests and receive encrypted assertions -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            [base64-encoded certificate used by SP]
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </NameIDFormat>
    <NameIDFormat>
      urn:mace:shibboleth:1.0:nameIdentifier
    </NameIDFormat>
    <!-- Endpoints on the SP to which the IdP delivers assertions; index 1 is the default -->
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
                              index="1"
                              isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                              Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
                              index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                              Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
                              index="3"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Xavier</GivenName>
    <SurName>Chapa</SurName>
    <EmailAddress>xchapa@tamu.edu</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
```
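Because every SP metadata entry is reviewed before it is loaded into the IdP, it helps to automate the mechanical part of that review. The script below is an added example, not TAMU's or the Shibboleth project's code: it parses an SP metadata document with the standard library and reports the things a curator checks by hand (well-formed XML, an entityID that is a URN or https URL, an unexpired validUntil, a base64 certificate in a KeyDescriptor, https-only AssertionConsumerService locations with unique indexes, and exactly one default ACS when several are listed). The embedded metadata is a constructed sample modelled on the example above, with a placeholder certificate; the function names and the review time passed in are the example's own.

```python
"""Added example (not TAMU's own code): review an SP metadata document before
it is loaded into the IdP.  Flags what a metadata curator checks by hand:
well-formed XML, an entityID that is a URN or https URL, an unexpired
validUntil, at least one X509Certificate, https-only AssertionConsumerService
locations with unique indexes, and exactly one default ACS when several exist."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample modelled on the page's example; the certificate is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(b'placeholder-cert').decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_saml_time(text):
    """SAML metadata uses UTC timestamps of the form 2010-03-27T16:28:32Z."""
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_sp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means the document passed review.

    `now` may be a datetime, a SAML timestamp string, or None for the current time."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    findings = []
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(("urn:", "https://")):
        findings.append(f"entityID is not a URN or https URL: {entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until and parse_saml_time(valid_until) <= now:
        findings.append(f"metadata expired at {valid_until}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor role present"]
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        findings.append("no X509Certificate in any KeyDescriptor")
    for cert in certs:
        try:
            base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            findings.append("X509Certificate content is not valid base64")
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not endpoints:
        findings.append("no AssertionConsumerService endpoints")
    seen, defaults = set(), 0
    for ep in endpoints:
        idx, loc = ep.get("index"), ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"ACS index {idx} is not https: {loc}")
        if idx in seen:
            findings.append(f"duplicate ACS index {idx}")
        seen.add(idx)
        defaults += ep.get("isDefault") == "true"
    if len(endpoints) > 1 and defaults != 1:
        findings.append(f"expected exactly one default ACS, found {defaults}")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA) or ["no findings"]:
        print(finding)
```

Run against the sample at today's date the only finding is the 2010 validUntil, which is the point of that attribute: an IdP will refuse expired metadata, so a stale entry surfaces at review time rather than as a production outage. Moving the `>` inside the `protocolSupportEnumeration` quotes, as in the original typo, makes the document fail the well-formedness check before any other rule runs.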
Legacy Federation Details
Identity Security partners with IT Enterprise Operations to maintain a legacy internal Texas A&M System multilateral federation used to power the available IdPs in TAMUS SSO (sso.tamus.edu).
Current Members
- Texas A&M University - College Station
- Prairie View A&M University - Prairie View
- Tarleton State University - Stephenville
- Texas A&M University - Commerce
- Texas A&M University - Kingsville
- Texas A&M University - Corpus Christi
- Texas A&M University - Texarkana
- Texas A&M University - West Texas
- Texas A&M Health
- Texas A&M International University
- Texas A&M AgriLife
- Texas A&M Engineering Extension Service
- Texas A&M Transportation Institute
- The Texas A&M University System
Common Attributes
| Friendly Name | URN | Required | Derived |
|---|---|---|---|
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | Yes | Yes, from given/surname |
| givenName | urn:oid:2.5.4.42 | Yes | No |
| sn | urn:oid:2.5.4.4 | Yes | No |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | Yes | No |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Yes | No |
| eduPersonUniqueId | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | Yes | Yes, from tamuEduPersonUIN |
| tamuEduPersonUIN | urn:oid:1.3.6.1.4.1.4391.0.12 | Yes | Yes, by split from eduPersonUniqueId |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | No | No |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | No | No |
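The authentication payload is a SAML response, and the attributes in it arrive under the OID-style URNs in this table rather than their friendly names. The script below is an added example, not TAMU's or the Shibboleth project's code: it reads the AttributeStatement from a SAML 2.0 assertion, maps each URN to its friendly name, applies the Derived column (displayName from givenName and sn, eduPersonUniqueId and tamuEduPersonUIN from each other), and reports which Required attributes are still missing. Three things are this example's assumptions rather than statements on the page: that displayName is formed as "givenName sn" with a space, that eduPersonUniqueId is the UIN followed by "@tamu.edu" (so the UIN is the part before "@"), and all the sample attribute values, which are constructed.

```python
"""Added example (not TAMU's own code): pull the AttributeStatement out of a
SAML 2.0 assertion, map OID URNs to the friendly names in the Common Attributes
table, fill in the derived attributes, and list missing required ones.
Assumptions (not from the page): displayName = "givenName sn";
eduPersonUniqueId = "<tamuEduPersonUIN>@tamu.edu"."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Friendly name -> (URN, required) copied from the Common Attributes table.
ATTRIBUTES = {
    "displayName": ("urn:oid:2.16.840.1.113730.3.1.241", True),
    "givenName": ("urn:oid:2.5.4.42", True),
    "sn": ("urn:oid:2.5.4.4", True),
    "mail": ("urn:oid:0.9.2342.19200300.100.1.3", True),
    "eduPersonPrincipalName": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", True),
    "eduPersonUniqueId": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.13", True),
    "tamuEduPersonUIN": ("urn:oid:1.3.6.1.4.1.4391.0.12", True),
    "eduPersonScopedAffiliation": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", False),
    "eduPersonAffiliation": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", False),
}
URN_TO_FRIENDLY = {urn: name for name, (urn, _) in ATTRIBUTES.items()}
SCOPE = "tamu.edu"  # assumed scope used when deriving eduPersonUniqueId from the UIN

# Constructed assertion fragment (values are made up). displayName and
# tamuEduPersonUIN are deliberately absent so the derivation rules have work to do.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ada@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>ada@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"><saml:AttributeValue>123004567@tamu.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@tamu.edu</saml:AttributeValue>
      <saml:AttributeValue>member@tamu.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text):
    """Map friendly name -> list of values; unknown URNs are kept under the URN itself."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        urn = attr.get("Name")
        name = URN_TO_FRIENDLY.get(urn, urn)
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def derive_attributes(attrs):
    """Apply the table's Derived column without mutating the input."""
    out = {k: list(v) for k, v in attrs.items()}
    if not out.get("displayName") and out.get("givenName") and out.get("sn"):
        out["displayName"] = [f"{out['givenName'][0]} {out['sn'][0]}"]
    if not out.get("eduPersonUniqueId") and out.get("tamuEduPersonUIN"):
        out["eduPersonUniqueId"] = [f"{out['tamuEduPersonUIN'][0]}@{SCOPE}"]
    if not out.get("tamuEduPersonUIN") and out.get("eduPersonUniqueId"):
        # "by split from eduPersonUniqueId": the UIN is the part before the scope separator
        out["tamuEduPersonUIN"] = [out["eduPersonUniqueId"][0].split("@", 1)[0]]
    return out


def missing_required(attrs):
    """Sorted names of Required attributes that are absent or empty."""
    return sorted(n for n, (_, req) in ATTRIBUTES.items() if req and not attrs.get(n))


if __name__ == "__main__":
    received = extract_attributes(SAMPLE_ASSERTION)
    print("missing before derivation:", missing_required(received))
    print("missing after derivation: ", missing_required(derive_attributes(received)))
```

An SP that validates what it received this way fails closed on an incomplete release rather than silently treating an empty UIN as a valid identity; the derivation step is what lets a release that carries only one of the two identifier forms still satisfy both required rows.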