I-Trust Federation Registry

Create a new Identity Provider

To create an Identity Provider you need the following:

  • Contact details for the Identity Provider to advertise to the federation.
  • Common details such as the organization owning the identity provider, a display name that users of the identity provider will recognize, and a description of who the identity provider serves.
  • The technology stack being used. If you are using Shibboleth you will only need the hostname. If using another implementation you will need to collect the URLs for all SAML 2 endpoints it supports.
  • The public key your Identity Provider will use to sign and encrypt assertions in the federation. This must have a CN equal to your Identity Provider's hostname and be self-signed.
  • A list of the attributes your Identity Provider is able to provide. At a minimum this should be the full set of core attributes

With the above details ready we estimate this process will take around 20 minutes to complete.


1. Primary Contact

Please enter the details you wish to advertise to the federation as the primary contact for this identity provider.


2. Identity Provider Description

Please select the organization this identity provider belongs to and provide descriptive information below. This will be used in several locations throughout the federation including the discovery service.

Please be aware that due to technical limitations, each organization can only have one active IdP at any one time. If you require an additional IdP for your organization, please contact the I-Trust Federation managers to discuss your options.

3. SAML Configuration

The following information will be used by service providers and end users alike to connect to your identity provider.

Easy registration using defaults

For administrators of commonly used identity provider software we've created an easy registration route. Simply select the software type and provide the URL of your identity provider e.g. https://idp.example.edu.

OR

Advanced SAML 2 registration

Tweak the values created using the easy mode above, or if you're using a different SAML 2 implementation altogether, provide your details from scratch here.

Endpoint bindings collected by the form:

  • Binding: SAML:2.0:bindings:HTTP-POST
  • Binding: SAML:2.0:bindings:HTTP-Redirect
  • Binding: SAML:2.0:bindings:SOAP
  • Index / Binding: SAML:2.0:bindings:HTTP-Artifact
  • Binding: SAML:2.0:bindings:SOAP

4. Attribute Scope

Please enter the scope your Identity Provider will use when asserting attributes. Generally this is the base domain for your organization.

For example, if your organization's main web presence is http://www.example.edu you'd provide example.edu below.
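As an added example (not code from the registry or from Shibboleth), the Python below shows what the easy-mode registration in section 3 amounts to for a Shibboleth hostname: it builds the IDPSSODescriptor endpoints for the bindings the form collects, attaches the section 4 scope as a shibmd:Scope extension, and applies the check a service provider runs on scoped attribute values (such as eduPersonScopedAffiliation) against that registered scope. The Shibboleth endpoint paths are assumed defaults, not values taken from this registry.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Assumed Shibboleth IdP default profile-handler paths; the registry's
# own easy-mode defaults may differ.
SSO_ENDPOINTS = [
    ("HTTP-POST", "/idp/profile/SAML2/POST/SSO"),
    ("HTTP-Redirect", "/idp/profile/SAML2/Redirect/SSO"),
]
ARTIFACT_ENDPOINT = ("SOAP", "/idp/profile/SAML2/SOAP/ArtifactResolution")


def build_idp_metadata(hostname: str, scope: str) -> ET.Element:
    """Return an IDPSSODescriptor for `hostname` that advertises `scope`."""
    ET.register_namespace("md", MD)
    ET.register_namespace("shibmd", SHIBMD)
    desc = ET.Element(f"{{{MD}}}IDPSSODescriptor",
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ext = ET.SubElement(desc, f"{{{MD}}}Extensions")
    sc = ET.SubElement(ext, f"{{{SHIBMD}}}Scope", regexp="false")
    sc.text = scope
    # The artifact resolution endpoint is the one that carries an index,
    # matching the "Index:" field next to the HTTP-Artifact binding on the form.
    binding, path = ARTIFACT_ENDPOINT
    ET.SubElement(desc, f"{{{MD}}}ArtifactResolutionService", Binding=BINDINGS + binding,
                  Location=f"https://{hostname}{path}", index="1")
    for binding, path in SSO_ENDPOINTS:
        ET.SubElement(desc, f"{{{MD}}}SingleSignOnService", Binding=BINDINGS + binding,
                      Location=f"https://{hostname}{path}")
    return desc


def registered_scopes(desc: ET.Element) -> set:
    """Literal (non-regexp) scopes the IdP is registered to assert."""
    return {e.text for e in desc.iter(f"{{{SHIBMD}}}Scope") if e.get("regexp") == "false"}


def accept_scoped_value(value: str, scopes: set) -> bool:
    """SP-side filter: keep a scoped attribute value only when its scope is
    one the asserting IdP is registered for; unscoped or foreign-scope values
    are dropped so one IdP cannot assert affiliations for another domain."""
    if "@" not in value:
        return False
    _, scope = value.rsplit("@", 1)
    return scope.lower() in {s.lower() for s in scopes}
```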


5. Public Key Certificate

The public key certificate details you provide below will be used for message signing and encryption between your identity provider and service providers in the federation. You should provide your public key certificate in PEM format to allow us to ensure the certificate is valid.


6. Supported Attributes

Select the attributes your identity provider supports. The wider the range of attributes you support the more services your end users will be able to access.

Attribute (OID): description. Tick each attribute your identity provider supports.

Core attributes:

  • displayName (oid:2.16.840.1.113730.3.1.241): Preferred name of a person to be used when displaying entries. This attribute should not be used in transactions where it is desirable to maintain user anonymity.
  • eduPersonAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.1): Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
  • eduPersonEntitlement (oid:1.3.6.1.4.1.5923.1.1.1.7): Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the relevant community.
  • eduPersonOrgDN (oid:1.3.6.1.4.1.5923.1.1.1.3): Specifies the person's organization DN.
  • eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5): Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.
  • eduPersonPrincipalName (oid:1.3.6.1.4.1.5923.1.1.1.6): eduPerson per Internet2 and EDUCAUSE.
  • eduPersonScopedAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.9): This attribute enables an organisation to assert its relationship with the user.
  • eduPersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10): A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities.
  • generationQualifier (oid:2.5.4.44): Generation suffix of a person such as III or Jr.
  • givenName (oid:2.5.4.42): Given name of a person.
  • homeOrganizationType (oid:1.3.6.1.4.1.25178.1.2.10): Type of organization the user belongs to.
  • iTrustAffiliation (oid:1.3.6.1.4.1.11483.101.1): Affiliations with an iTrust organization for a person.
  • iTrustBannerUdcId (oid:1.3.6.1.4.1.11483.101.7): The user's Banner internal enterprise unique identifier managed by AITS.
  • iTrustMiddleName (oid:1.3.6.1.4.1.11483.101.2): Person's middle name.
  • iTrustPrimaryOrgCode (oid:1.3.6.1.4.1.11483.101.6): Primary Banner org code in #-XX-### format.
  • iTrustStudentLevelCode (oid:1.3.6.1.4.1.11483.101.8): Two-character student level indicator including campus Banner org digit and single letter for level (U for undergrad, G for grad, etc.).
  • iTrustSuppress (oid:1.3.6.1.4.1.11483.101.3): Whether or not this user has elected FERPA suppression.
  • mail (oid:0.9.2342.19200300.100.1.3): Preferred address for e-mail to be sent to this person.
  • organizationName (oid:2.5.4.10): Standard name of the top-level organization (institution) with which the user is associated.
  • sn (oid:2.5.4.4): Surname or family name.

Optional attributes:

  • commonName (oid:2.5.4.3): An individual's common name, typically their full name. This attribute should not be used in transactions where it is desirable to maintain user anonymity.
  • eduPersonNickname (oid:1.3.6.1.4.1.5923.1.1.1.2): Specifies the person's nicknames.
  • isMemberOf (oid:1.3.6.1.4.1.5923.1.5.1.1): Group memberships for a person.
  • iTrustHomeDeptCode (oid:1.3.6.1.4.1.11483.101.5): Home department code in Banner format, N-XX-NNN.
  • iTrustUIN (oid:1.3.6.1.4.1.11483.101.4): Person's university ID number.
  • locality (oid:2.5.4.7): Locality, such as city, of this user.
  • objectGUID (oid:1.2.840.113556.1.4.2): The user's object globally unique identifier from Active Directory.
  • objectSid (oid:1.2.840.113556.1.4.146): The user's object security identifier from Active Directory.
  • organizationalUnit (oid:2.5.4.11): Organizational unit or primary department of staff or student.
  • postalAddress (oid:2.5.4.16): Business postal address: campus or office address.
  • telephoneNumber (oid:2.5.4.20): Office or campus phone number of the individual.
  • title (oid:2.5.4.12): Job title of person.
  • uid (oid:0.9.2342.19200300.100.1.1): User's NetID.
  • userPrincipalName (oid:1.2.840.113556.1.4.656): The userPrincipalName identifier from Active Directory.

7. Identity provider ready to be registered

You've now supplied all data required to register a new identity provider. If you'd like to change anything or review your input please do so now. When you are ready to finalize your registration click the submit button below.