Federation Registry

Create a new Service Provider

To create a Service Provider you need the following:

  • Contact details for the Service Provider to advertise to the federation.
  • Common details such as the organisation owning the Service Provider, a display name and description to advertise and explain the service to end users, the URL used to access the service and, optionally, a service logo.
  • The technology stack being used. If you are using Shibboleth you will only need the hostname. If using another implementation you will need to collect the URLs for all SAML 2 endpoints it supports.
  • The public key your Service Provider will use to sign and encrypt assertions in the federation. This must have a CN equal to your Service Provider's hostname and be self-signed.
  • A list of the attributes your Service Provider requires to operate. These are defined as 'required' and 'optional'. The fewer required attributes your service has, the more Identity Providers you will be compatible with. Additionally, a reason for requesting each attribute must be provided; it will be presented to users to help them understand how the service will utilise their private data.

With the above details ready we estimate this process will take around 20 minutes to complete.


1. Primary Contact

Please enter the details you wish to advertise to the federation as the primary contact for this service provider.


2. Service Provider Description

Please select the organisation this service provider belongs to and provide descriptive information below. This will be used in several locations throughout the federation.


3. SAML Configuration

The following information will be used by identity providers and end users alike to connect to your service provider.

Easy registration using defaults

For administrators of commonly used service provider software we've created an easy registration route. Simply select the software type and provide the URL of your service. e.g: https://sp.example.edu.hk.

  • Shibboleth Service Provider (1.x): Not available, please contact support.

OR

Advanced SAML 2 registration

Tweak the values created using the easy mode above or, if you're using a different SAML 2 implementation altogether, provide your details from scratch here.


The form lists the endpoint bindings below in four groups, as laid out on the page; enter the URL of each endpoint your implementation supports. Entries in the first group also take an index.

  • Index / Binding: SAML:2.0:bindings:HTTP-POST
  • Index / Binding: SAML:2.0:bindings:HTTP-Artifact

  • Binding: SAML:2.0:bindings:HTTP-Artifact
  • Binding: SAML:2.0:bindings:HTTP-Redirect
  • Binding: SAML:2.0:bindings:SOAP
  • Binding: SAML:2.0:bindings:HTTP-POST

  • Binding: SAML:profiles:SSO:idp-discovery-protocol

  • Binding: SAML:2.0:bindings:HTTP-Artifact
  • Binding: SAML:2.0:bindings:HTTP-Redirect
  • Binding: SAML:2.0:bindings:SOAP
  • Binding: SAML:2.0:bindings:HTTP-POST

4. Public Key Certificate

The public key certificate details you provide below will be used for message signing and encryption between your service provider and identity providers in the federation. You should provide your public key certificate in PEM format to allow us to ensure the certificate is valid.


5. Requested Attributes

Please nominate the attributes this service requires to operate and mark them as required if they form an absolute prerequisite for your service to operate correctly. For each attribute you request, a valid reason must be provided; it will be reviewed by federation administrators before final approval.

Required attributes are those without which a service cannot function. Keep this list as small as possible for maximum compatibility with identity providers.

Each attribute on the form is listed with its name, OID, description and category (Core or Optional); alongside each one the form provides a Requested checkbox, a Reason for requesting field and a Required checkbox.

Core attributes:

  • commonName (oid:2.5.4.3): An individual's common name, typically their full name. This attribute should not be used in transactions where it is desirable to maintain user anonymity.
  • displayName (oid:2.16.840.1.113730.3.1.241): Preferred name of a person to be used when displaying entries. This attribute should not be used in transactions where it is desirable to maintain user anonymity.
  • eduPersonAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.1): Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
  • eduPersonAssurance (oid:1.3.6.1.4.1.5923.1.1.1.11): This attribute represents identity assurance profiles (IAPs), which are the set of standards that are met by an identity assertion, based on the Identity Provider's identity management processes, type of authentication credential used, binding strength, etc.
  • eduPersonPrincipalName (oid:1.3.6.1.4.1.5923.1.1.1.6): eduPerson per Internet2 and EDUCAUSE.
  • eduPersonScopedAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.9): This attribute enables an organisation to assert its relationship with the user.
  • eduPersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10): A persistent, non-reassigned, privacy-preserving identifier for a principal, shared between a pair of coordinating entities.
  • mail (oid:0.9.2342.19200300.100.1.3): Preferred address for e-mail to be sent to this person.
  • organizationName (oid:2.5.4.10): Standard name of the top-level organization (institution) with which the user is associated.

Optional attributes:

  • auEduPersonSharedToken (oid:1.3.6.1.4.1.27856.1.2.5): A unique identifier enabling federation-spanning services such as Grid and Repositories.
  • businessCategory (oid:2.5.4.15): Business category.
  • departmentNumber (oid:.16.840.1.113730.3.1.2): Department number.
  • division (oid:1.2.840.113556.1.4.261): Division.
  • eduPersonEntitlement (oid:1.3.6.1.4.1.5923.1.1.1.7): Member of: a URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the relevant community.
  • eduPersonOrcid (oid:1.3.6.1.4.1.5923.1.1.1.16): The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher.
  • eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5): Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.
  • employeeNumber (oid:2.16.840.1.113730.3.1.3): Numerically identifies an employee within an organization.
  • givenName (oid:2.5.4.42): Given name of a person.
  • homeOrganization (oid:1.3.6.1.4.1.25178.1.2.9): The user's home organization.
  • homeOrganizationType (oid:1.3.6.1.4.1.25178.1.2.10): Type of organization the user belongs to.
  • mobileNumber (oid:0.9.2342.19200300.100.1.41): Mobile phone number.
  • organizationalUnit (oid:2.5.4.11): Organizational unit, currently used for faculty membership of staff.
  • postalAddress (oid:2.5.4.16): Business postal address: campus or office address.
  • schacHomeOrganization (oid:1.3.6.1.4.1.25178.1.2.9): The person's home organization, expressed as the domain of the organization.
  • schacPersonalUniqueID (oid:1.3.6.1.4.1.25178.1.2.15): Specifies a "legal unique identifier" for the subject it is associated with.
  • surname (oid:2.5.4.4): Surname or family name.
  • telephoneNumber (oid:2.5.4.20): Office or campus phone number of the individual.
  • uid (oid:0.9.2342.19200300.100.1.1): The user's central LDAP directory username.

6. Service provider ready to be registered

You've now supplied all data required to register a new service provider. If you'd like to change anything or review your input please do so now. When you are ready to finalise your registration click the submit button below.
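To show how the details collected in steps 3 to 5 end up in the SAML 2 metadata that identity providers consume, here is an added example (not code from the registry or its software) that assembles an SPSSODescriptor from form-style input and enforces two of the rules stated above: every requested attribute must carry a reason, and only attributes from the federation catalogue can be requested. The dict layout, the CATALOGUE subset and all SAMPLE values, including the certificate placeholder, are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
# Subset of the form's attribute catalogue (friendly name -> OID), taken from the table above.
CATALOGUE = {"eduPersonTargetedID": "1.3.6.1.4.1.5923.1.1.1.10", "mail": "0.9.2342.19200300.100.1.3",
             "displayName": "2.16.840.1.113730.3.1.241", "eduPersonScopedAffiliation": "1.3.6.1.4.1.5923.1.1.1.9"}
def binding_urn(short):
    """The form abbreviates bindings ("SAML:2.0:bindings:HTTP-POST"); metadata needs the full URN."""
    return "urn:oasis:names:tc:" + short
def build_sp_metadata(reg):
    """Assemble an SPSSODescriptor from form-style data (hypothetical dict layout, see SAMPLE)."""
    ent = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=reg["entity_id"])
    sp = ET.SubElement(ent, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use in ("signing", "encryption"):  # one self-signed key serves both, as step 4 states
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = reg["cert_b64"]
    for binding, url in reg["slo"]:
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=binding_urn(binding), Location=url)
    for idx, (binding, url) in enumerate(reg["acs"]):  # index order as entered on the form
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=binding_urn(binding),
                      Location=url, index=str(idx), isDefault=str(idx == 0).lower())
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")
    ET.SubElement(acs, f"{{{MD}}}ServiceName",
                  {"{http://www.w3.org/XML/1998/namespace}lang": "en"}).text = reg["display_name"]
    for name, required, reason in reg["attributes"]:
        if name not in CATALOGUE:  # only attributes the federation defines can be requested
            raise ValueError(f"attribute not in federation catalogue: {name}")
        if not reason.strip():  # step 5: every requested attribute needs a reason
            raise ValueError(f"a reason must be given for requesting {name}")
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name="urn:oid:" + CATALOGUE[name],
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                      FriendlyName=name, isRequired=str(required).lower())
    return ET.tostring(ent, encoding="unicode")

def required_attributes(metadata_xml):
    """Read back the names marked isRequired="true": the list the text says to keep as small as possible."""
    root = ET.fromstring(metadata_xml)
    return sorted(e.get("FriendlyName") for e in root.iter(f"{{{MD}}}RequestedAttribute") if e.get("isRequired") == "true")
# Constructed sample registration; sp.example.edu.hk is the host the form itself uses as an example.
SAMPLE = {"entity_id": "https://sp.example.edu.hk/shibboleth", "display_name": "Example Service",
          "cert_b64": "MIIB...CONSTRUCTED-PLACEHOLDER...",  # base64 body of the real PEM certificate
          "acs": [("SAML:2.0:bindings:HTTP-POST", "https://sp.example.edu.hk/SAML2/POST"),
                  ("SAML:2.0:bindings:HTTP-Artifact", "https://sp.example.edu.hk/SAML2/Artifact")],
          "slo": [("SAML:2.0:bindings:HTTP-Redirect", "https://sp.example.edu.hk/SLO/Redirect")],
          "attributes": [("eduPersonTargetedID", True, "Stable pseudonymous login identifier"),
                         ("mail", False, "Notifications about the user's own submissions")]}
```

Calling `build_sp_metadata(SAMPLE)` yields metadata with two indexed AssertionConsumerService endpoints and one required attribute; a requested attribute with a blank reason is rejected before any metadata is produced.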