Oxford Internal Federation

The Oxford Internal Federation is a service that allows Oxford-specific Shibboleth Service Providers (SPs) to authenticate users without being included in the public metadata published by the UK Access Management Federation.  This has some advantages including:

• Faster service provider registration.

  There is no longer a need to wait for the daily refresh of UK federation metadata.

• Reduced metadata file sizes.

  In Oxford, many colleges have set up print servers or meal booking systems that use Shibboleth for authentication.  These are of limited interest to non-Oxford users, but currently make up a sizeable part of the UK federation metadata file.  By placing these in the Internal Federation instead, the UK federation metadata file can be kept smaller, improving performance for all.

The Oxford Internal Federation is limited to sites within the ox.ac.uk domain that serve Oxford users only.  If you need to authenticate users from other universities, you will need to register your SP with the UK federation as usual.

When registering your SP using the IT self service, make sure you answer "Yes" to "Oxford users only" box and answer "No" to "Opt in to eduGAIN".  It would also help to add a note in the "additional information" box.

The SP configuration is largely the same as when setting up a normal service provider.  The only difference is that the MetadataProvider element in shibboleth2.xml should read:

        <MetadataProvider type="XML" uri="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>
        </MetadataProvider>

This means that only the Oxford Identity Provider (IdP)'s metadata will be loaded by your SP, which improves startup speed.

People running version 3 of the Shibboleth SP software will need to replace "uri=" with "url=" in the MetadataProvider element, i.e.:

        <MetadataProvider type="XML" url="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>
        </MetadataProvider>

The IdP-specific metadata is currently supplied by the UK federation, and so you will need to download and verify the UK federation metadata MDQ signing certificate.