NJEdge Federation metadata

Metadata contains information about an Identity Provider or Service Provider. It allows providers to find each other, and to verify the identity of the other provider.

Metadata for all participants in the NJEdge Federation is available from http://federation.njedge.net/metadata/njedge-fed-metadata.xml Note that at this instant, the data is not signed. This will change.

Currently this includes pilot Identity Providers at Rutgers and NJIT, and service providers at Rutgers associated with the NJVid project. As we identify additional Shibboleth Identity Providers within New Jersey higher education, K-12 and associated non-profits, we will add them to this file. Service Providers within the same community will also be added.

If you are a New Jersey institution with a Shibboleth-compatible Identity Provider, please send your metadata to shib@njedge.net for inclusion in the file. You can use the same address for questions. Please make sure to update us if your metadata changes. We would greatly appreciate it if you would create a test user and give us the password. We would like to be able to test to make sure that all of our identity providers are working properly.

We strongly recommend that your Identity Provider use a valid certificate that does not present warning messages for your login page.

Once your metadata has been added, you can test using the geneva.rutgers.edu Shibboleth test page. This URL should take you to the NJEdge discovery service. After choosing your institution, you should be prompted by your institution's identity provider for a username and password. Finally you should get a script on geneva.rutgers.edu that shows all attributes visible to the web server. Those near the end should correspond to the attributes you are exporting via Shibboleth. Geneva.rutgers.edu does not use a commercial certificate, you will get a warning message. All certificates involved with NJEdge and Rutgers identity providers and the discovery service are properly registered, and should not produce errors.

If you are planning to participate in inCommon, you will need to use certificates signed by inCommon for your metadata. Of course there's no problem sending us metadata with self-signed certificates for testing.

Identity Provider Metadata

If you want your users to use services from the NJEdge Federation, your Identity Provider must work with our Discovery Service. That means you need to add something to your Identity Provider's metadata that isn't there by default:

You need to declare a displayName. Otherwise the URL of your Identity Provider will be used in the list of institutions. We would greatly prefer to use the name of your institution. Here's an example from the metadata for the Rutgers Identity Provider:

<EntityDescriptor entityID="https://shib.oirt.rutgers.edu/idp/shibboleth"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
        mlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <Organization>
      <OrganizationName xml:lang="en">shib.oirt.rutgers.edu</OrganizationName>
      <OrganizationDisplayName xml:lang="en">Rutgers, the State University of New Jersey</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://www.rutgers.edu/</OrganizationURL>
   </Organization>

<Organization> through </Organization> is added. Note that the Organization node should occur at the first level underneath the EntityDescriptor.

Using NJEdge metadata with an Identity Provider

Here is the declaration needed for an Identity Provider to use our metadata with Shibboleth 2. This allows your Identity Provider to work with services described in our metadata.

<MetadataProvider id="URLNJEDGE" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
      metadataURL="http://federation.njedge.net/metadata/njedge-fed-metadata.xml"
      backingFile="/usr/local/shibboleth-idp-2.0.0/metadata/njedge-fed-metadata.xml" />

It would normally be placed in relying-party.xml inside the ChainingMetadataProvider declaration. Check the backingFile attribute, and pick a file name that's appropriate on your server.

This may not be the only configuration change you will need to make to talk with our Service Providers. Normally you will need to configure attribute release. See the Shibboleth 2 Configuration page for more details.

Service Provider Metadata

If you want your Service Provider to use our Discovery Service, you need to add something to your Service Provider's metadata that isn't there by default:

You need to add a declaration for the callback used by the Discovery Service. Here's an example from the metadata for geneva.rutgers.edu, my test Service Provider:

<EntityDescriptor
   entityID="https://geneva.rutgers.edu/shibboleth-sp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
         <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="http://geneva.rutgers.edu/Shibboleth.sso/DS"/>
         <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            index="2" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://geneva.rutgers.edu/Shibboleth.sso/DS"/>
      </Extensions>

<Extensions> through </Extensions> is added. Note that the Extensions node should occur at the level underneath the SPSSODescriptor, which is at the first level under the EntityDescriptor. The Location property should use the hostname of your Service Provider rather than geneva.rutgers.edu. The rest of the URL is probably right, though you need to change it if you've done a nonstandard installation of the Service Provider.

Using NJEdge metadata with a Service Provider

Here is the declaration needed for a Service Provider to use this metadata with Shibboleth 2. This allows your service provider to talk to Identity Providers for the NJEdge institutions.

<MetadataProvider type="XML" uri="http://federation.njedge.net/metadata/njedge-fed-metadata.xml"
     backingFilePath="njedge-fed-metadata.xml" reloadInterval="7200">
</MetadataProvider>

This declaration would normally be placed in shibboleth2.xml, inside the <MetadataProvider type="Chaining"> declaration, as indicated by the sample entry for federation.org.

In addition, you will probably want to use our Discovery Service. That will present users with a list of Identity Providers for institutions that have registered with the NJEdge Federation. This is appropriate if your service is intended for use by all NJEdge institutions. Otherwise, you may need to run your own discovery service. If you run a discovery service that subscribes to our metadata, you can merge the list of institutions that we support with others, or tailor the screen so that your institution is the default.

To use our discovery service, use the following SessionInitiator declaration in shibboleth2.xml. Inside the Sessions declaration in the sample .xml file you'll find a number of example SessionInitiator declarations, most of them commented out. To use our discovery service alone, make sure all the other SessionInitiator declarations are commented out, and use the following:

<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie" acsByIndex="false">
     <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
     <SessionInitiator type="Shib1" defaultACSIndex="5"/>
     <SessionInitiator type="SAMLDS" URL="https://federation.njedge.net/discovery/DS"/>
</SessionInitiator>

This is very close to one of the samples. However note the property acsByIndex="false". This is needed for version 2.0 of the Service Provider code. It should not be needed for version 2.1 or later.

If you are using version 1.x of Shibboleth, you can also use our system as a WAYF. In that case, use the URL https://federation.njedge.net/discovery/WAYF

This may not be the only configuration change you will need to use our provider. See the Shibboleth 2 Configuration page for more details.