IAM - Onboarding a Service Provider (SP)
To onboard a new SP, a request should be made to email@example.com with the following information:
Note: If the SP is an InCommon participant IAM Support will only need FERPA and attribute requests if necessary. Integrating an InCommon SP usually just requires the SP technical contact to accept our IdP.
- SP Metadata or SP Metadata URL
- Administrative contact name and email (usually the person making the request)
- Technical contact name and email (usually the pserson responsible for the SP setup)
- Any non-standard attribute configuration requirements.
- Standard attribute release for users who aren't FERPA suppressed students are:
- eduPersonPrincipalName (ePPN)
- Other attributes are available or can be made available in many cases.
- If the service is intended for use by FERPA suppressed students a request must be made to the Registrar's Office by the administrative contact, and upon approval firstname.lastname@example.org should be notified and the Access to Services Data Request form should be completed and submitted.
The SP technical contact should then either:
- Download the IdP metadata at https://md.uwm.edu/metadata/uwm-idp-metadata.xml and configure the SP with a filesystem metadata provider
- Configure the SP to use https://md.uwm.edu/metadata/uwm-idp-signed-metadata.xml AND configure the SP to validate the metadata signature with the certificate that can be downloaded from https://md.uwm.edu/files/idp.crt
IAM staff will integrate the SP metadata and test if possible.
- Use of a filesystem metadata provider is strongly encouraged.
- In cases where the SP does not fully support the SAML2 protocol the tecnical contact will need to describe the ways in which it deviates. Examples would include:
- SP can not consume encrypted assertions.
- SP requires SHA1 encryption.
- SP requires attributes that either need to be computed or are not in the standard attribute set
- For example, eduPersonEntitlement special values based on some other directory attribute.
- SP is getting user identification from SAMLNameID rather than in the attribute statement.
- If the SP does not have metadata the technical contact will need to provide IAM support with at minimum:
- SP entityID
- Assertion Consumer Service URL
- If available an x509 certificate if signing and/or encryption is expected in addition to the contacts and attribute requirements.