Shibboleth SSO Identity Provider (IdP) Certificates and Metadata

Tags: Shibboleth

This page is intended for use by Shibboleth Service Provider (SP) administrators and by administrators of non-Shibboleth, SAML-based SPs. Nearly all SPs (including those used for Development and Test instances of the protected application) use the Production SSO. Note that in addition to consuming IdP metadata, the SP's certificate and metadata may need to be submitted to IAM.

Information

For configuring a 3rd party application that supports SAML but requires the properties to be filled in manually (i.e. a form requesting the SSO provider ID, also known as the IdP entity ID), you can find the values for our IdP by searching for this tag in the metadata (see the Production SSO link below):

<EntityDescriptor entityID="https://sso.unc.edu/idp">

For convenience here are some excerpts, however the metadata URL contains more information and is likely more up to date.

Property / Value / Note

  •     entityID: https://sso.unc.edu/idp
        Note: InCommon Federation members use the entity ID urn:mace:incommon:unc.edu
  •     HTTP-POST SSO URL: https://sso.unc.edu/idp/profile/SAML2/POST/SSO
        Note: the most common value, but it depends on the application
  •     HTTP-Redirect SSO URL: https://sso.unc.edu/idp/profile/SAML2/Redirect/SSO
        Note: the second most common value; a few more values are listed in the metadata
  •     WantAuthnRequestsSigned="true"
        Note: the IdP's assertion signing certificate can be downloaded from a link below

For Shibboleth SPs and others that support metadata, use the following metadata URLs and certificates.

These metadata and signing certificate URLs are used to configure a <MetadataProvider> element when setting up a Shibboleth SP.

Metadata URL 

    Production SSO 

    Test SSO

    Development SSO

Metadata signing certificates

    Production SSO

    Test SSO 

    Development SSO

The assertion signing certificates below are published as part of our SSO metadata. SAML SPs which do not use metadata will need these certificates, which the SP uses to validate SAML assertions signed by the IdP.

Assertion signing certificates 

    Production SSO

    Test SSO

    Development SSO

Assertion signing fingerprints (for SimpleSAMLphp et al.)

For SimpleSAMLphp sites, a SHA-1 fingerprint of the assertion signing certificate is used instead of the certificate itself. For example, one implementation has the fingerprint defined as the value of "certFingerprint" in the file metadata/saml20-idp-remote.php.

    Production SSO

  • 8B9DBDE130328655838A41D85B9621450FA48D4B

    Test SSO

  • AEC7838A099D4D82591FE972C8D1B4D329DCC0E1

    Development SSO

  • 2C9A87E4382C6DC12CA1BE0A06B08FB1F3917A55

Mailing List

SP administrators (for UNC hosted Applications) can join this mailing list specifically for updates and information about the Shibboleth SSO Identity Provider: SibbolethDiscussion@office.unc.edu.

Glossary 

  •     IdP - Identity Provider, such as sso.unc.edu
  •     SP - Service Provider, requests authentication from the IdP
  •     SAML - Security Assertion Markup Language, the XML dialect used by Shibboleth for authentication

Details

Article ID: 233
Created
Tue 6/25/24 1:28 PM
Modified
Tue 6/25/24 9:08 PM