
Federated deployment with Testshib

Once you have set up your Shibboleth SP instance, you will need a certificate and metadata to test against the UCLA IdP test instance.
You have two options:
  • Federated deployment - you use a free certificate from a test federation, www.testshib.org.
  • Bilateral deployment - you use a commercial certificate from a vendor, and you have to create and exchange the metadata with the IdP manually.

This document describes certificate and metadata creation and usage in a federated environment, using the Testshib federation.

www.testshib.org issues free credentials that can be used for testing. The UCLA IdP test instance is a member of this federation, registered under the name "https://shb1.ais.ucla.edu/shibboleth/idp/testhib". Go to this site and register as a "Service Provider".

Obtain Certificate and Metadata from Testshib

The registration page on Testshib walks you through the steps you need to take.
We recommend registering at openidp.org: go there and "register identity".
Once you have an active account, go back to www.testshib.org, open their self-service application page, click on openidp and log in. Then click on "New Service Provider".

  • hostname is your server's hostname (e.g. for https://example.ucla.edu it is example.ucla.edu).

    The hostname's DNS entry needs to exist and have been propagated, but your server itself does not have to be publicly visible and can remain on a department/UC-only subnet.

  • name is just for casual human identification and can be whatever you will call the application.
  • Contact information is straightforward =)

A key and certificate will be generated and shown on the screen. Save them into separate files on your Shibboleth SP server and reference them from the <CredentialsProvider> section of your shibboleth.xml file (the <CredentialUse> element then refers to the FileResolver by its Id).

<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
   <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
      <!-- Id is the name the <CredentialUse> element refers to -->
      <FileResolver Id="federation_creds">
         <Key>
            <Path>/conf/ssl.key/myhost.testshib.key</Path>
         </Key>
         <Certificate>
            <Path>/conf/ssl.crt/myhost.testshib.crt</Path>
         </Certificate>
      </FileResolver>
   </Credentials>
</CredentialsProvider>

Testshib also generates metadata about your SP and publishes it in the federation metadata file. Get that file from http://www.testshib.org/metadata/testshib-metadata.xml, save it on your Shibboleth SP server and again reference it from shibboleth.xml, in the <MetadataProvider> section.

<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                  uri="/etc/shibboleth/testshib-metadata.xml"/>
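A check worth running once both files are in place (added example code written for this page, not from Testshib or the Shibboleth project): confirm that the certificate your <CredentialsProvider> points at is the one the federation metadata publishes under your SP's entityID, since that is the key the IdP will trust. The entityID and the sample certificate/metadata below are constructed placeholders; point the functions at your real metadata file and .crt file.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata, the format testshib-metadata.xml uses.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def pem_body(pem: str) -> str:
    """Base64 DER of a PEM certificate, headers and whitespace stripped."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    body = re.sub(r"\s+", "", m.group(1))
    base64.b64decode(body, validate=True)  # raises binascii.Error if not base64
    return body


def published_certs(metadata_xml: str, entity_id: str) -> list:
    """Certificates (base64 DER) the metadata lists for entity_id's SP role."""
    certs = []
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for sp in ed.findall("md:SPSSODescriptor", NS):
            for c in sp.findall(".//ds:X509Certificate", NS):
                certs.append(re.sub(r"\s+", "", c.text or ""))
    return certs


def sp_cert_is_published(metadata_xml: str, entity_id: str, cert_pem: str) -> bool:
    """True if the cert your CredentialsProvider points at is in the metadata."""
    return pem_body(cert_pem) in published_certs(metadata_xml, entity_id)


# Constructed sample data: a placeholder "certificate" and a tiny metadata file,
# not a real X.509 certificate and not the real testshib-metadata.xml.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % FAKE_CERT_B64
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">
  <md:EntityDescriptor entityID="https://example.ucla.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (NS["md"], NS["ds"], FAKE_CERT_B64)
```

For real files, read testshib-metadata.xml and your .crt with open() and pass their contents in; a False result means the IdP will not trust the key you configured.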

The Testshib key and certificate are meant for testing only. Do not use them in production.

For more help modifying your shibboleth.xml file you can visit any of the install guides located here.
