h2. Federated deployment with Testshib

Once you have set up your Shibboleth SP instance you will need a certificate and metadata to test against the UCLA {nl:IdP} test instance.
You have two options:
_Federated deployment_ - You use a free certificate from a test federation, www.testshib.org.
_Bilateral deployment_ - You use a commercial certificate from a vendor. You have to create and exchange the metadata with the IdP manually.

This document describes certificate and metadata creation and usage in a federated environment, using the Testshib federation.

www.testshib.org issues free credentials that can be used for testing. The UCLA {nl:IdP} (test instance) is a member of this federation, registered under the name "https://shb1.ais.ucla.edu/shibboleth/idp/testhib". Go to this site and register as a "Service Provider".

h3. Obtain Certificate and Metadata from Testshib

If you go to the [registration page on the Testshib|https://www.testshib.org/testshib-reg/] you will get a walkthrough of the steps you need to take.
We recommend [registering at openidp.org|http://openidp.org/user/register]: go there and "register identity".
Once you have an active account, go back to www.testshib.org, open their [self-service application|https://www.testshib.org/testshib-reg/login.do] page, click on openidp, then log in. Click on "New Service Provider".
* _hostname_ is your server's hostname (e.g. for {nl:https://example.ucla.edu} it is example.ucla.edu). {builder-hide}The hostname's DNS entry needs to exist and have been propagated, but your server itself does not have to be publicly visible and can remain on a department/UC-only subnet. {builder-hide}
* _name_ is just for casual human identification and can be whatever you will call the application.
* _Contact information_ is straightforward =)

A key and certificate will be generated and displayed on the screen. Save them into separate files on your Shibboleth SP server and reference them from the {nl:<CredentialsUse>} section of your shibboleth.xml file.
{code:xml}
<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
   <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
      <!-- Id is the name the <CredentialUse> section refers to -->
      <FileResolver Id="federation_creds">
         <Key>
            <Path>/conf/ssl.key/myhost.testshib.key</Path>
         </Key>
         <Certificate>
            <Path>/conf/ssl.crt/myhost.testshib.crt</Path>
         </Certificate>
      </FileResolver>
   </Credentials>
</CredentialsProvider>
{code}

Testshib also generates metadata about your SP and includes it in the federation metadata. Get the metadata from [http://www.testshib.org/metadata/testshib-metadata.xml], save it in a file on your Shibboleth SP server and again reference it from shibboleth.xml, in the {nl:<MetadataProvider>} section.
{code:xml}
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
   uri="/etc/shibboleth/testshib-metadata.xml"/>
{code}
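Before pointing shibboleth.xml at the downloaded file, it is worth confirming that the federation metadata actually lists both your SP and the UCLA test IdP, and that it has not expired. The following check is an added example, not part of the original page or of Shibboleth; it assumes the feed is in the SAML 2.0 metadata format and uses a constructed minimal metadata document so it runs offline (in practice, read /etc/shibboleth/testshib-metadata.xml instead).

```python
"""Verify a federation metadata file lists the expected SP and IdP entities."""
import xml.etree.ElementTree as ET
from datetime import datetime

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample metadata (not the real Testshib feed); the SP entityID is a placeholder.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:shibboleth:testshib" validUntil="2030-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://shb1.ais.ucla.edu/shibboleth/idp/testhib">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://example.ucla.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def list_entities(metadata_xml):
    """Return {entityID: set of roles ('IdP'/'SP')} for every EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    entities = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        roles = set()
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("IdP")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            roles.add("SP")
        entities[ed.get("entityID")] = roles
    return entities


def check_federation(metadata_xml, sp_entity_id, idp_entity_id, now=None):
    """Return a list of problems; an empty list means the metadata is usable."""
    now = now or datetime.utcnow()
    problems = []
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")  # optional on EntitiesDescriptor
    if valid_until and datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ") < now:
        problems.append("metadata expired on %s" % valid_until)
    entities = list_entities(metadata_xml)
    if "SP" not in entities.get(sp_entity_id, set()):
        problems.append("SP %s is missing or has no SPSSODescriptor" % sp_entity_id)
    if "IdP" not in entities.get(idp_entity_id, set()):
        problems.append("IdP %s is missing or has no IDPSSODescriptor" % idp_entity_id)
    return problems
```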

h4. _Testshib key & cert are meant for testing only. Do not use them in Production_

For more help modifying your shibboleth.xml file you can visit any of the install guides located [here|Shib1SPInstallConfigure].