Configure a New SP

Introduction

This guide describes the process of installing and configuring a Shibboleth Service Provider to work within the CU environment.

Creighton University has standardized on Shibboleth 2.x and SAML 2, as Shibboleth 1.3 has been deprecated. Shibboleth 1.3 support is not available at Creighton.

Intended Audience

This document is intended for the system administrator that will be installing and maintaining a Shibboleth service provider at Creighton University. This may be a different person than the application developer who will actually be using the attributes which Shibboleth delivers. The following basic skills are expected of the reader, and are beyond the scope of what this document attempts to cover:

  • familiarity with the local operating system, including how to install software
  • configuring the local web server (Apache, IIS, etc.)
  • basic understanding of SSL, including how to generate a key and CSR
  • basic understanding of XML documents

Install Shibboleth SP

The Shibboleth project offers documentation for installing Shibboleth on various platforms. Follow the appropriate Service Provider Installation instructions at:

Configure Shibboleth for Test IDP

Once you have Shibboleth installed, you will need to edit shibboleth2.xml so that it points to the Test Identity Provider at https://auth-test.creighton.edu/idp/shibboleth.

The location of the following configuration files will vary depending on which Shibboleth installation package you used. The most common locations are:

  • For Windows: c:\opt\shibboleth-sp\etc\shibboleth
  • For RedHat or Ubuntu Linux: /etc/shibboleth
  • ITS Solaris systems: /var/local/etc/shibboleth
  • For other UNIX systems: /opt/shibboleth-sp/etc/shibboleth

Entity ID

You will need to create a globally unique URI to use as the EntityID for your application. The URI does not need to actually resolve to anything, though the convention is to have it resolve to the metadata for your SP. As an example, https://ami.creighton.edu/shibboleth is the EntityID for the AMI application; note that it also resolves to the metadata for AMI's SP.

Metadata

Metadata, in the Shibboleth/SAML context, is XML data that describes the capabilities and configuration of an SP or IDP and also carries the certificate information used for secure communication. Your SP's metadata file must be provided to the IDP before it can communicate with your SP, and the IDP's metadata location must in turn be configured on the SP. To do this, update the MetadataProvider element in your shibboleth2.xml file to point to: https://auth-test.creighton.edu/idp/shibboleth

Attributes

Depending on the needs of your application, you may need different identity attributes to make authorization decisions and provide basic functionality. You will need to request that these attributes be released by the IDP. See the page on available attributes to learn what attributes you can request. You will also need to update attribute-map.xml and attribute-policy.xml to make these attributes available to your application. Attributes are delivered to your application in the HTTP headers; how to access that information is outside the scope of this document.
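The following shibboleth2.xml fragment ties together the three settings described above (the EntityID, the Test IDP as SSO and metadata source, and the attribute files). It is an added illustration, not configuration taken from this page or from Creighton ITS; the entityID https://myapp.creighton.edu/shibboleth, the key, certificate and metadata file names, and the IDP signing certificate path are assumed placeholders.

```xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- entityID: the globally unique URI chosen for this SP (placeholder value).
       REMOTE_USER: the released attribute the web server will expose as the user id. -->
  <ApplicationDefaults entityID="https://myapp.creighton.edu/shibboleth"
                       REMOTE_USER="eppn">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

      <!-- Send authentication requests to the Creighton Test IDP using SAML 2 only;
           the legacy SAML 1 profile used by Shibboleth 1.3 is not supported here. -->
      <SSO entityID="https://auth-test.creighton.edu/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>

      <!-- /Shibboleth.sso/Metadata serves the SP metadata you submit with the access
           request; pointing the entityID URI at it follows the convention noted above. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    </Sessions>

    <!-- Fetch the Test IDP metadata over HTTPS and keep a cached copy on disk.
         The Signature filter discards metadata not signed by the key in the named
         file; the path is a placeholder for the IDP's metadata signing certificate. -->
    <MetadataProvider type="XML" uri="https://auth-test.creighton.edu/idp/shibboleth"
                      backingFilePath="creighton-test-idp-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="Signature" certificate="IDP-SIGNING-CERT-PLACEHOLDER.pem"/>
    </MetadataProvider>

    <!-- attribute-map.xml maps incoming SAML attribute names to header names;
         attribute-policy.xml decides which received attribute values are accepted. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- The SP's own key and certificate; the certificate is published in its metadata. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

After restarting shibd, https://myapp.creighton.edu/Shibboleth.sso/Metadata returns the metadata file to include in the access request, and /Shibboleth.sso/Status (from localhost) confirms that the Test IDP metadata loaded.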

Requesting Access

Once you have installed and configured Shibboleth, you will need to request to be added to the identity provider and to have attributes released to your SP. You can do this by creating a service request through the service desk (402.280.1111 or servicedesk@creighton.edu) or via Self-Service.

You will need to provide the following information:

  • Technical/Administrative contact information for your SP
  • The metadata generated for your SP
  • Attributes you would like to use

The information security office will review your request and, if it is complete and in compliance with our identity policies, we will configure the Test IDP for your SP.

Before an SP can be put into production, it must go through the change advisory board.