I-Trust Federation Registry

Create a new Service Provider

To create a Service Provider you need the following:

  • Contact details for the Service Provider to advertise to the federation.
  • Common details: the Organization owning the Service Provider, a display name and description to advertise and explain the service to end users, the URL used to access the service and, optionally, a service logo.
  • The technology stack being used. If you are using Shibboleth you will only need the hostname. If you are using another implementation you will need to collect the URLs for all SAML 2 endpoints it supports.
  • The public key certificate your Service Provider will use to sign and encrypt assertions in the federation. It must be self-signed and its CN must equal your Service Provider's hostname.
  • A list of the attributes your Service Provider requires to operate, each marked 'required' or 'optional'. The fewer required attributes your service has, the more Identity Providers you will be compatible with. A reason for requesting each attribute must also be provided; it will be presented to users to help them understand how the service will utilize their private data.

With the above details ready we estimate this process will take around 20 minutes to complete.


1. Primary Contact

Please enter the details you wish to advertise to the federation as the primary contact for this service provider.


2. Service Provider Description

Please select the organization this service provider belongs to and provide descriptive information below. This will be used in several locations throughout the federation.


3. SAML Configuration

The following information will be used by identity providers and end users alike to connect to your service provider.

Easy registration using defaults

For administrators of commonly used service provider software we've created an easy registration route. Simply select the software type and provide the URL of your service, e.g. https://sp.example.edu.

    Shibboleth Service Provider (1.x): Not available, please contact support.

OR

Advanced SAML 2 registration

Tweak the values created using the easy mode above, or, if you're using a different SAML 2 implementation altogether, provide your details from scratch here.


Endpoint fields (the form shows a Binding for each endpoint, plus an Index for the indexed ones; supply the URL for each endpoint your implementation supports):

    Index: ___  Binding: SAML:2.0:bindings:HTTP-POST
    Index: ___  Binding: SAML:2.0:bindings:HTTP-Artifact

    Binding: SAML:2.0:bindings:HTTP-Artifact
    Binding: SAML:2.0:bindings:HTTP-Redirect
    Binding: SAML:2.0:bindings:SOAP
    Binding: SAML:2.0:bindings:HTTP-POST

    Binding: SAML:profiles:SSO:idp-discovery-protocol

    Binding: SAML:2.0:bindings:HTTP-Artifact
    Binding: SAML:2.0:bindings:HTTP-Redirect
    Binding: SAML:2.0:bindings:SOAP
    Binding: SAML:2.0:bindings:HTTP-POST

4. Public Key Certificate

The public key certificate details you provide below will be used for message signing and encryption between your service provider and identity providers in the federation. The certificate should be:

  • Self-signed - do not provide a CA-signed certificate.
  • Long-lived - we recommend a certificate valid for 10 to 20 years.
  • Issued to the same hostname as was used for this service provider's entity ID.
  • In PEM format - this allows us to ensure the certificate is valid.
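The four requirements above can be verified before the certificate is uploaded, and a certificate that fails them (typically a CA-issued one, or one cut with a default one-year lifetime) is better regenerated than patched. The script below is an added example, not the registry's own tooling. It assumes the openssl command-line tool is on PATH and shells out to it rather than parsing X.509 by hand; the function names check_sp_certificate and make_self_signed_cert and the hostname sp.example.edu are the example's own.

```python
# Added example (not the registry's own code): check a PEM certificate against the
# four requirements above before uploading it, and generate one that meets them.
# Assumes the `openssl` command-line tool is on PATH.
import os
import subprocess
import tempfile

MIN_YEARS = 10  # the registry recommends 10 to 20 years of validity


def _openssl(*args, stdin=None):
    """Run one openssl subcommand, feeding `stdin` (PEM text) if given."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, text=True)


def _name(pem, which):
    """Subject or issuer in RFC 2253 form, e.g. 'CN=sp.example.edu,O=Example'."""
    r = _openssl("x509", "-noout", f"-{which}", "-nameopt", "RFC2253", stdin=pem)
    # openssl prints 'subject=CN=...' (older releases: 'subject= CN=...')
    return r.stdout.split("=", 1)[1].strip() if r.returncode == 0 else None


def check_sp_certificate(pem, hostname, min_years=MIN_YEARS):
    """Return {requirement: bool} for the four rules: PEM format, self-signed,
    CN equal to the SP hostname, and still valid `min_years` from now."""
    results = {"pem": False, "self_signed": False,
               "cn_matches_hostname": False, "long_lived": False}
    # 1. PEM format: openssl must parse the text as a certificate.
    if _openssl("x509", "-noout", stdin=pem).returncode != 0:
        return results
    results["pem"] = True

    subject, issuer = _name(pem, "subject"), _name(pem, "issuer")
    # 2. Self-signed: same subject and issuer AND the signature verifies with
    #    the certificate's own key (openssl verify needs a file path for -CAfile).
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write(pem)
        f.flush()
        verifies = _openssl("verify", "-CAfile", f.name, f.name).returncode == 0
    results["self_signed"] = subject == issuer and verifies

    # 3. CN must equal the hostname used for the entity ID. (Naive split on
    #    commas: adequate for the single-CN names these certificates carry.)
    cn = next((p[3:] for p in subject.split(",") if p.startswith("CN=")), None)
    results["cn_matches_hostname"] = cn == hostname

    # 4. Long-lived: -checkend N exits 0 only if the certificate is still valid
    #    N seconds from now.
    seconds = min_years * 365 * 24 * 3600
    results["long_lived"] = _openssl("x509", "-noout", "-checkend", str(seconds),
                                     stdin=pem).returncode == 0
    return results


def make_self_signed_cert(hostname, years=20):
    """Generate (key_pem, cert_pem): a self-signed certificate whose CN is the
    SP hostname, valid for `years` years, i.e. one that passes the checks."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "sp-key.pem")
        r = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                     "-keyout", key_path, "-days", str(years * 365),
                     "-subj", f"/CN={hostname}")
        if r.returncode != 0:
            raise RuntimeError(r.stderr)
        with open(key_path) as f:
            return f.read(), r.stdout  # without -out the certificate goes to stdout


if __name__ == "__main__":
    key, cert = make_self_signed_cert("sp.example.edu")
    for rule, passed in check_sp_certificate(cert, "sp.example.edu").items():
        print(f"{rule:20s} {'ok' if passed else 'FAIL'}")
```

The self-signed test deliberately checks both that subject equals issuer and that the certificate verifies against itself, because a CA-issued certificate whose issuer merely has the same name as the subject would pass the first test alone. Keep the generated private key out of the registry form: only the certificate is uploaded.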


5. Requested Attributes

Please select the attributes this service requires to operate and mark them required if they are an absolute prerequisite for your service to operate correctly. For each attribute you request, a valid reason must be provided; it will be reviewed by federation administrators before final approval. Reasons should be brief and should explain how this service provider will use the requested attribute. Some examples of reasons are: unique user identifier, user authorization, UI display customization, or user communications.

Required attributes are those without which a service cannot function. Keep this list as small as possible for maximum compatibility with identity providers.

Columns on the form: Name | Category | Requested | Reason for requesting | Required
(Requested, Reason for requesting and Required are filled in by you; the Name, OID, description and Category of each attribute are listed below.)

displayName (oid:2.16.840.1.113730.3.1.241) - Category: Core
    Preferred name of a person to be used when displaying entries. This attribute should not be used in transactions where it is desirable to maintain user anonymity.

eduPersonAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.1) - Category: Core
    Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.

eduPersonOrgDN (oid:1.3.6.1.4.1.5923.1.1.1.3) - Category: Core
    Specifies the person's organization DN.

eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5) - Category: Core
    Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.

eduPersonPrincipalName (oid:1.3.6.1.4.1.5923.1.1.1.6) - Category: Core
    eduPerson per Internet2 and EDUCAUSE.

eduPersonScopedAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.9) - Category: Core
    This attribute enables an organisation to assert its relationship with the user.

eduPersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10) - Category: Core
    A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities.

generationQualifier (oid:2.5.4.44) - Category: Core
    Generation suffix of a person such as III or Jr.

givenName (oid:2.5.4.42) - Category: Core
    Given name of a person.

homeOrganizationType (oid:1.3.6.1.4.1.25178.1.2.10) - Category: Core
    Type of organization the user belongs to.

iTrustAffiliation (oid:1.3.6.1.4.1.11483.101.1) - Category: Core
    Affiliations with an iTrust organization for a person.

iTrustBannerUdcId (oid:1.3.6.1.4.1.11483.101.7) - Category: Core
    The user's Banner internal enterprise unique identifier managed by AITS.

iTrustMiddleName (oid:1.3.6.1.4.1.11483.101.2) - Category: Core
    Person's middle name.

iTrustPrimaryOrgCode (oid:1.3.6.1.4.1.11483.101.6) - Category: Core
    Primary Banner org code in #-XX-### format.

iTrustSuppress (oid:1.3.6.1.4.1.11483.101.3) - Category: Core
    Whether or not this user has elected FERPA suppression.

mail (oid:0.9.2342.19200300.100.1.3) - Category: Core
    Preferred address for e-mail to be sent to this person.

organizationName (oid:2.5.4.10) - Category: Core
    Standard name of the top-level organization (institution) with which the user is associated.

sn (oid:2.5.4.4) - Category: Core
    Surname or family name.

commonName (oid:2.5.4.3) - Category: Optional
    An individual's common name, typically their full name. This attribute should not be used in transactions where it is desirable to maintain user anonymity.

eduPersonNickname (oid:1.3.6.1.4.1.5923.1.1.1.2) - Category: Optional
    Specifies the person's nicknames.

isMemberOf (oid:1.3.6.1.4.1.5923.1.5.1.1) - Category: Optional
    Group memberships for a person.

iTrustHomeDeptCode (oid:1.3.6.1.4.1.11483.101.5) - Category: Optional
    Home department code in Banner format, N-XX-NNN.

iTrustUIN (oid:1.3.6.1.4.1.11483.101.4) - Category: Optional
    Person's university ID number.

locality (oid:2.5.4.7) - Category: Optional
    Locality, such as city, of this user.

objectGUID (oid:1.2.840.113556.1.4.2) - Category: Optional
    The user's object globally unique identifier from Active Directory.

objectSid (oid:1.2.840.113556.1.4.146) - Category: Optional
    The user's object security identifier from Active Directory.

organizationalUnit (oid:2.5.4.11) - Category: Optional
    Organizational unit or primary department of staff or student.

postalAddress (oid:2.5.4.16) - Category: Optional
    Business postal address: campus or office address.

telephoneNumber (oid:2.5.4.20) - Category: Optional
    Office or campus phone number of the individual.

title (oid:2.5.4.12) - Category: Optional
    Job title of the person.

uid (oid:0.9.2342.19200300.100.1.1) - Category: Optional
    User's NetID.

userPrincipalName (oid:1.2.840.113556.1.4.656) - Category: Optional
    The userPrincipalName identifier from Active Directory.
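What the form collects in sections 1, 3, 4 and 5 corresponds, in SAML terms, to the service provider's metadata: endpoints with their bindings and indexes, a KeyDescriptor carrying the certificate, RequestedAttribute elements named by OID with an isRequired flag that mirrors the Required checkbox, and a ContactPerson. The script below is an added example, not the registry's code and not its output format; it builds such metadata with the Python standard library, taking the OIDs from the table above. The entity ID https://<hostname>/shibboleth and the /Shibboleth.sso/... endpoint paths are the Shibboleth SP defaults and are assumptions here, as are the function names; another implementation supplies its own endpoint URLs.

```python
# Added example (not the registry's code): SAML 2.0 SP metadata corresponding to
# the form sections above, built with the standard library only. Entity ID and
# endpoint paths follow the Shibboleth SP defaults (an assumption).
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# The form abbreviates these as "SAML:2.0:bindings:..."; metadata needs the full URN.
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Attribute name -> OID, copied from the registry's attribute table above.
OIDS = {
    "eduPersonPrincipalName": "1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonScopedAffiliation": "1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonTargetedID": "1.3.6.1.4.1.5923.1.1.1.10",
    "mail": "0.9.2342.19200300.100.1.3",
    "displayName": "2.16.840.1.113730.3.1.241",
}


def _pem_body(pem):
    """Strip PEM armour lines; only the base64 goes inside ds:X509Certificate."""
    return "".join(l.strip() for l in pem.strip().splitlines()
                   if not l.startswith("-----"))


def build_sp_metadata(hostname, cert_pem, required, optional, service_name, contact):
    """Build an md:EntityDescriptor Element for a Shibboleth-style SP.
    `contact` is a dict with given_name, surname and email (section 1)."""
    base = f"https://{hostname}/Shibboleth.sso"
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=f"https://{hostname}/shibboleth")
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")

    # One KeyDescriptor without a 'use' attribute covers both signing and encryption.
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = _pem_body(cert_pem)

    # Logout endpoints: the four bindings the form lists.
    for binding, path in [("SOAP", "SLO/SOAP"), ("HTTP-Redirect", "SLO/Redirect"),
                          ("HTTP-POST", "SLO/POST"), ("HTTP-Artifact", "SLO/Artifact")]:
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                      Binding=BINDING + binding, Location=f"{base}/{path}")

    # Indexed assertion consumer endpoints: Index + Binding, as in the form.
    for index, (binding, path) in enumerate([("HTTP-POST", "SAML2/POST"),
                                             ("HTTP-Artifact", "SAML2/Artifact")], start=1):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                      Binding=BINDING + binding, Location=f"{base}/{path}",
                      index=str(index), isDefault="true" if index == 1 else "false")

    # Requested attributes: Name is the OID URN, isRequired mirrors the Required box.
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="1")
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {XML_LANG: "en"}).text = service_name
    for name, is_required in [(n, True) for n in required] + [(n, False) for n in optional]:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name="urn:oid:" + OIDS[name],
                      FriendlyName=name, NameFormat=URI_FORMAT,
                      isRequired="true" if is_required else "false")

    # The primary contact is advertised as the technical contact.
    cp = ET.SubElement(ed, f"{{{MD}}}ContactPerson", contactType="technical")
    ET.SubElement(cp, f"{{{MD}}}GivenName").text = contact["given_name"]
    ET.SubElement(cp, f"{{{MD}}}SurName").text = contact["surname"]
    ET.SubElement(cp, f"{{{MD}}}EmailAddress").text = "mailto:" + contact["email"]
    return ed


def requested_attributes(ed):
    """{FriendlyName: isRequired}: the view a federation reviewer takes of section 5."""
    return {ra.get("FriendlyName"): ra.get("isRequired") == "true"
            for ra in ed.iter(f"{{{MD}}}RequestedAttribute")}


def default_acs(ed):
    """(index, Binding, Location) of the default AssertionConsumerService."""
    for acs in ed.iter(f"{{{MD}}}AssertionConsumerService"):
        if acs.get("isDefault") == "true":
            return acs.get("index"), acs.get("Binding"), acs.get("Location")
    return None


def to_xml(ed):
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    # Constructed placeholder; a real upload carries the SP's own self-signed certificate.
    fake_pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    print(to_xml(build_sp_metadata(
        "sp.example.edu", fake_pem, required=["eduPersonPrincipalName"], optional=["mail"],
        service_name="Example Service",
        contact={"given_name": "Pat", "surname": "Admin", "email": "sp-admin@example.edu"})))
```

The required/optional split is the part a reviewer reads most closely: every attribute marked isRequired="true" narrows the set of identity providers able to serve the SP, which is why the page asks you to keep that list as small as possible.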

6. Service provider ready to be registered

You've now supplied all data required to register a new service provider. If you'd like to change anything or review your input please do so now. When you are ready to finalize your registration click the submit button below.