Oxford Internal Federation

Expand All

The Oxford Internal Federation is a service that allows Oxford-specific Shibboleth Service Providers (SPs) to authenticate users without being included in the public metadata published by the UK Access Management Federation.  This has some advantages including:

  • Faster service provider registration.

    There is no longer a need to wait for the daily refresh of UK federation metadata.

  • Reduced metadata file sizes.

    In Oxford, many colleges have set up print servers or meal booking systems that use Shibboleth for authentication.  These are of limited interest to non-Oxford users, but currently make up a sizeable part of the UK federation metadata file.  By placing these in the Internal Federation instead, the UK federation metadata file can be kept smaller, improving performance for all.

The Oxford Internal Federation is limited to sites within the ox.ac.uk domain that serve Oxford users only.  If you need to authenticate users from other universities, you will need to register your SP with the UK federation as usual.

When registering your SP using the IT self service, make sure you answer "Yes" to "Oxford users only" box and answer "No" to "Opt in to eduGAIN".  It would also help to add a note in the "additional information" box.

The SP configuration is largely the same as when setting up a normal service provider.  The only difference is that the MetadataProvider element in shibboleth2.xml should read:

        <MetadataProvider type="XML" uri="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>

This means that only the Oxford Identity Provider (IdP)'s metadata will be loaded by your SP, which improves startup speed.

People running version 3 of the Shibboleth SP software will need to replace "uri=" with "url=" in the MetadataProvider element, i.e.:

        <MetadataProvider type="XML" url="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>

The IdP-specific metadata is currently supplied by the UK federation, and so you will need to download and verify the UK federation metadata MDQ signing certificate.

First, get the UK federation MDQ certificate:

sudo wget -O /etc/shibboleth/ukfederation-mdq.crt http://mdq.ukfederation.org.uk/ukfederation-mdq.pem

Check the fingerprint:

openssl x509 -fingerprint -in /etc/shibboleth/ukfederation-mdq.crt -sha256

and then contact the Federation Helpdesk http://www.ukfederation.org.uk/content/Documents/UKFederationHelpdesk to verify the MDQ certificate fingerprint.


First, download the latest 'ukfederation-mdq.pem' certificate, copy it into C:\opt\shibboleth-sp\etc\shibboleth (substitute your installation location if you chose a non-default location), and rename it to 'ukfederation-mdq.crt' (this will cause Windows to recognise the file as a certificate by an extension that it recognises). This digital certificate will be used to verify UK Federation digital signatures. You should verify the certificate fingerprint by right-clicking on the ukfederation-mdq.crt file in Windows Explorer and selecting 'Open'. When the Certificate dialogue box opens, click on the 'Details' tab and scroll down to the 'Thumbprint' entry. This fingerprint value must be confirmed offline with the UK Federation Helpdesk to ensure its validity and guard against the possibility of your web site being compromised.

Get support

If you cannot find the solution you need here then we have other ways to get IT support

Get IT support