Preparations

Before setting up a new service provider

  1. Before setting up a new Shibboleth service provider, make sure that the websites or web applications you want to protect can actually be protected in this way. If you are unsure, please ask the developers of the respective websites or web applications.

  2. Familiarize yourself with Shibboleth as a distributed, federated authentication and authorization system. Make sure you know what a "federation" is, how users are "authenticated" and "authorized" by a Shibboleth identity provider and a Shibboleth service provider, and how Shibboleth service providers protect access to websites and web applications (see https://www.aai.dfn.de/index.en.html).

  3. Get to know the different DFN-AAI federations and your service provider's requirements (see https://www.aai.dfn.de/index.en.html).

  4. Please note that the Shibboleth service provider only works with an Apache web server. We cannot provide support for SAML alternatives (e.g. OpenAthens, OpenAM, SimpleSAMLphp).

  5. Please also find out whether authorization attributes are actually required to protect the respective websites or web applications. If you are unsure, please ask the corresponding developers which authorization attributes are required.

  6. Consider the group of users who will have access to the websites or web applications protected with your service provider.

  7. Please note that it is advantageous to have a test system in addition to your production system. This makes it possible to quickly and reliably implement any future changes in the communication between your service provider and the university's identity provider.

Setting up service providers:

  1. Request a server certificate with the Shibboleth certificate profile.
  2. Install the Shibboleth service provider software (DFN instructions in German).
  3. Request integration into a federation.

The Shibboleth team will contact you and work with you to set up your service provider.