Shibboleth for Your Own Web Applications

To use Shibboleth authentication in your own web application, you must also install the Shibboleth SP software, which contains the so-called shibd (Shibboleth daemon), unless the application natively supports Shibboleth/SAML authentication. See the DFN-AAI instructions for this:

  https://wiki.aai.dfn.de/de:shibsp

Shibboleth for Applications of LMU, TUM and BAdW

Recording in the AAI Federation

In order for identity providers (IdP) to trust the new service provider (SP), its metadata must be recorded in the federation.

The metadata contains, among other things, the certificate of the SP, the URLs for the service endpoints as interfaces between IdP and SP, and contact information.

To record your SPs in the federation, please give the following data to the LRZ Servicedesk (Service "Benutzerverwaltung und Authentisierung"):

  • Organisational Matters:
    • Shibboleth EntityID as configured in the SP (e.g. "https://abstimmung.semesterticket-muenchen.de/shibboleth")
    • Display name of the web service (e.g. "Abstimmung über das Semesterticket in München", "TUM Mathematischer Kalender", "LMUcast für iTunesU"), in German and English
    • Short description of the web service (1-2 lines), in German and English
    • URL of the information page/website of the institution or company, in German and English
    • URL of the privacy statement of your web service, in German and English
    • URL of a logo of your web service, width 64-240 pixels and height 48-180 pixels, transparent background (if possible)
    • Helpdesk URL and e-mail address (e.g. "TUM IT-Support", "LMU IT-Servicedesk")
    • Name and e-mail address of contact persons
      1. for the technical administration of the SP,
      2. for the support of the web service, and
      3. for security incidents

    • Indication of the users:
      • persons of your own university only?
        - or persons of other organizations as well?
      • persons with a more thoroughly verified identity (employees with a contract, enrolled students)?
        - or applicants, guests, cooperation partners etc. with a valid account as well?
  • Technology
    • URL from which the Shibboleth metadata of the SP can be retrieved
      This URL typically has the form
      "https://abstimmung.semesterticket-muenchen.de/Shibboleth.sso/Metadata"
      and is available after the installation of the Shibboleth SP software on your web server.
      - OR -
    • Server certificate of the web service and
      Service endpoints: type and URL of the Shibboleth NameID services, Assertion Consumer services and Single-Logout services that the Shibboleth SP supports, e.g.
       urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
       → "https://abstimmung.semesterticket-muenchen.de/Shibboleth.sso/SAML2/POST"

  • Data Protection
    • Confirmation that the web service is run on a TUM/LMU/BAdW system and only uses anonymous data for login and for mapping to existing profiles (the so-called eduPersonTargetedID).
      - OR -
    • The list of attributes (personal data) that the web service requests from the IdP and that need to be released in the TUM/LMU/BAdW IdP for your web service
      (personal data are, among others, the user account/LRZ account, name, e-mail address, organizational affiliation, sex);
      plus the confirmation that the web service is listed in the register of processing activities according to § 30 General Data Protection Regulation (GDPR) within your organization and that this entry covers the processing of the attributes requested.
      A list of the attributes that are available from the IdPs can be found at:

Server Certificate

Your SP needs a certificate for the SAML communication with the IdPs in the AAI federation(s). Certificates suitable for this purpose are described in

https://doku.tid.dfn.de/de:certificates

You may use the server certificate that you already have for your web server, or a separate certificate for the SAML communication.

 → NEW 2022: You may use a self-signed certificate, max. validity 39 months.

Local PKIs/registration authorities (RA) from where you can obtain a certificate are:

Ideally, the certificate should contain the Client-Auth flag. In that case, do not request a web server certificate but a Shibboleth IdP/SP certificate, see e.g. http://www.lrz.de/services/pki/wieman/

After your SP has been recorded in the desired federation (notification from the servicedesk), please enter the following URL for the metadata provider in the file shibboleth2.xml in the attribute "uri":

Certificate Roll-over

Before the server certificate for SAML communication expires, it must be replaced in the SP configuration and in a coordinated manner in the AAI federation. The AAI federations do not retrieve new SP certificates via their metadata URLs. Rather, you must send the new certificate to the LRZ Service Desk (Service "Benutzerverwaltung und Authentisierung") in advance. The certificate change can then take place without interruption as described on

https://doku.tid.dfn.de/de:certificates#zertifikatstausch
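The technical items above can be checked locally before the registration request goes to the service desk: the metadata served at the SP's Shibboleth.sso/Metadata URL, the service endpoints it lists, and the SAML certificate it carries (validity at most 39 months for a self-signed certificate, the Client-Auth flag, and enough remaining lifetime to run the coordinated roll-over). The following Go program is an added example and not code from LRZ, DFN-AAI or the Shibboleth project. It parses SP metadata with the standard library and reports findings; the 60-day roll-over warning horizon, the host sp.example.org and the self-signed test certificate are assumptions constructed for the example, and in practice the input would be the document fetched from your own SP's metadata URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"math/big"
	"strings"
	"time"
)

const postBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

// SPMetadata is the subset of SAML 2.0 SP metadata the registration asks for
// (encoding/xml matches path elements by local name, so md:/ds: prefixes do not matter).
type SPMetadata struct {
	Certs []string `xml:"SPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
	ACS   []struct {
		Binding  string `xml:"Binding,attr"`
		Location string `xml:"Location,attr"`
	} `xml:"SPSSODescriptor>AssertionConsumerService"`
}

// CheckMetadata returns findings; an empty list means the metadata is ready to submit.
func CheckMetadata(raw []byte, now time.Time) ([]string, error) {
	var md SPMetadata
	if err := xml.Unmarshal(raw, &md); err != nil {
		return nil, err
	}
	var findings []string
	if len(md.Certs) == 0 {
		findings = append(findings, "no X509Certificate in KeyDescriptor")
	}
	for _, b64 := range md.Certs {
		// Metadata usually wraps the base64 across lines; strip the whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		findings = append(findings, checkCert(cert, now)...)
	}
	hasPOST := false
	for _, ep := range md.ACS {
		hasPOST = hasPOST || ep.Binding == postBinding
		if !strings.HasPrefix(ep.Location, "https://") {
			findings = append(findings, "endpoint is not https: "+ep.Location)
		}
	}
	if !hasPOST {
		findings = append(findings, "no AssertionConsumerService with the SAML2 HTTP-POST binding")
	}
	return findings, nil
}

// checkCert applies the page's certificate rules: at most 39 months validity, the
// clientAuth EKU present, and enough time left to run the coordinated roll-over.
func checkCert(cert *x509.Certificate, now time.Time) []string {
	var f []string
	if cert.NotBefore.AddDate(0, 39, 0).Before(cert.NotAfter) {
		f = append(f, "certificate validity exceeds the 39-month maximum")
	}
	if cert.NotAfter.Before(now.AddDate(0, 0, 60)) { // 60-day horizon is an assumption
		f = append(f, "certificate expires soon: send the new one to the service desk first")
	}
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		f = append(f, "certificate lacks the clientAuth extended key usage")
	}
	return f
}

// SelfSignedCertB64 builds a throw-away self-signed certificate as constructed test input
// (fixture code only, so errors from the random source are ignored).
func SelfSignedCertB64(validMonths int, clientAuth bool) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: nb.AddDate(0, validMonths, 0)}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return base64.StdEncoding.EncodeToString(der)
}

// SampleMetadata is constructed SP metadata for a hypothetical sp.example.org, not a real SP.
func SampleMetadata(certB64 string) []byte {
	return []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + certB64 + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:AssertionConsumerService Binding="` + postBinding + `" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
</md:SPSSODescriptor></md:EntityDescriptor>`)
}
```

Calling CheckMetadata(SampleMetadata(SelfSignedCertB64(36, true)), time.Now()) returns no findings, while a 48-month certificate without the clientAuth usage produces one finding for each rule it breaks, and a certificate with about a month left trips only the roll-over warning. The roll-over warning matters because the federation does not re-read your metadata URL for new certificates, so the replacement has to reach the service desk before the old certificate expires.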

Shibboleth for Applications of Other Institutions

For the Shibboleth connection of web services that are operated by institutions other than TUM, LMU or BAdW, please write to the contact person found in the list

https://tools.aai.dfn.de/entities/

If your institution is not listed there, it must first conclude a DFN-AAI contract with DFN-Verein and, if necessary, a DFN framework contract beforehand.