Oxford Internal Federation

What is the Oxford internal federation?

The Oxford Internal Federation is a service that allows Oxford-specific Shibboleth Service Providers (SPs) to authenticate users without being included in the public metadata published by the UK Access Management Federation. This has some advantages including:

Faster service provider registration.
There is no longer a need to wait for the daily refresh of UK federation metadata.
Reduced metadata file sizes.
In Oxford, many colleges have set up print servers or meal booking systems that use Shibboleth for authentication. These are of limited interest to non-Oxford users, but currently make up a sizeable part of the UK federation metadata file. By placing these in the Internal Federation instead, the UK federation metadata file can be kept smaller, improving performance for all.

What services can use the Oxford internal federation?

How do I add my SP to the Oxford internal federation?

When registering your SP using the OSM Service Request, make sure you answer "Yes" to "Oxford users only" box and answer "No" to "Opt in to eduGAIN". It would also help to add a note in the "additional information" box.

The SP configuration is largely the same as when setting up a normal service provider. The only difference is that the MetadataProvider element in shibboleth2.xml should read:

        <MetadataProvider type="XML" uri="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>
        </MetadataProvider>

This means that only the Oxford Identity Provider (IdP)'s metadata will be loaded by your SP, which improves startup speed.

People running version 3 of the Shibboleth SP software will need to replace "uri=" with "url=" in the MetadataProvider element, i.e.:

        <MetadataProvider type="XML" url="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fregistry.shibboleth.ox.ac.uk%2Fidp"
             backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
                <MetadataFilter type="Signature" certificate="ukfederation-mdq.crt"/>
        </MetadataProvider>

Fetching the IDP metadata signing certificate

LINUX
WINDOWS

First, get the UK federation MDQ certificate:

sudo wget -O /etc/shibboleth/ukfederation-mdq.crt http://mdq.ukfederation.org.uk/ukfederation-mdq.pem

Check the fingerprint:

openssl x509 -fingerprint -in /etc/shibboleth/ukfederation-mdq.crt -sha256

and then contact the Federation Helpdesk http://www.ukfederation.org.uk/content/Documents/UKFederationHelpdesk to verify the MDQ certificate fingerprint.

First, download the latest 'ukfederation-mdq.pem' certificate, copy it into C:\opt\shibboleth-sp\etc\shibboleth (substitute your installation location if you chose a non-default location), and rename it to 'ukfederation-mdq.crt' (this will cause Windows to recognise the file as a certificate by an extension that it recognises). This digital certificate will be used to verify UK Federation digital signatures. You should verify the certificate fingerprint by right-clicking on the ukfederation-mdq.crt file in Windows Explorer and selecting 'Open'. When the Certificate dialogue box opens, click on the 'Details' tab and scroll down to the 'Thumbprint' entry. This fingerprint value must be confirmed offline with the UK Federation Helpdesk to ensure its validity and guard against the possibility of your web site being compromised.