The Shibboleth IdP UI is an easy-to-use management dashboard for working with the latest releases of the Shibboleth IdP. The Shibboleth IdP UI dashboard allows users to create and update service providers to be integrated with IdPs through a friendly graphical user interface. IdP operators can come up to speed and integrate services quickly with minimal training, and the UI gives you an opportunity to delegate IdP management more broadly throughout your organization.
Setup Wizard
The Shibboleth IdP UI provides a wizard for adding or modifying service providers, metadata providers, and filters, which gives IdP staff and administrators the flexibility to modify existing IdPs. IdP staff no longer need to understand the intricacies of multiple complex XML files and edit them just to integrate one new service.
Administrative Management
You can accomplish a significant portion of the IdP’s administrative management through the Shibboleth IdP UI’s intuitive user interface, including post-installation modifications to the Shibboleth IdP.
Integration Management
The Shibboleth IdP UI’s easy-to-understand dashboard and wizard provide the capability to integrate new service providers into the IdP, including managing the initial metadata setup and specifying special settings such as SP authentication overrides and attributes to be released.
Consistency with Shibboleth IdP Modifications
The most common and complex task IdP administrators deal with is the metadata and filter information that represents the custom configuration of their IdP. Shibboleth IdP UI makes this easy, allowing staff to perform a one-time setup for the modification of the selected IdP(s). This reduces long-term maintenance and operational costs.
Integrated Help
The Shibboleth IdP UI dashboard and wizard guide users to choose the right options by providing helpful information and tooltips throughout the setup process.
Security and Privacy Control
The Shibboleth IdP UI allows for the configuration of security policies for service providers such as encryption, signing and multi-factor configuration.
The Shibboleth IdP UI has five dashboard functions:
A Shibboleth IdP UI Administrator (Administrator) has the ability to view all of these.
Non-Administrators (ROLE_USER and ROLE_ENABLE) only have access to the Metadata Source and Dynamic Registration dashboards. These users can only view the sources and registrations associated with their group.
Users belonging to groups that approve metadata sources and dynamic registrations created by other groups have the Actions Required tab, but only have access to Approve Metadata Source and Approve Dynamic Registrations, and only the sources and registrations created by the groups they approve are displayed.
Metadata sources in Shibboleth IdP UI are individual metadata artifacts describing single entities, typically relying parties. The Metadata Source Dashboard displays the metadata sources that have been created using the Shibboleth IdP UI application, with the following information:
On this screen the Administrator can perform the following functions:
Users can search for metadata sources by their title, entity ID, authentication code, or author. To perform a search:
NOTE: As you start typing in the search field, the list will reduce to show only those metadata sources that match what you have typed.
Administrators and users with ROLE_ENABLE can enable/disable a metadata source. If the metadata source was added by a User, a request is sent to enable the source. To enable a source from the Metadata Source Dashboard:
NOTE: You can also disable the metadata source by toggling the Enable switch to OFF.
Administrators can edit a metadata source's group association. To change a source's group association from the Metadata Source Dashboard:
Administrators can delete metadata sources that are currently disabled. To delete a source from the Metadata Source Dashboard:
NOTE: Once a metadata source has been enabled, it cannot be deleted. You will need to disable the source prior to deleting it.
The application can generate a metadata-providers.xml configuration appropriate for use in the Shibboleth IdP. The Metadata Provider Dashboard displays the metadata providers that have been created using the Shibboleth IdP UI application, with the following information:
On this screen the Administrator can perform the following functions:
Administrators can search for metadata providers by their title, provider type, or author. To perform a search:
NOTE: As you start typing in the search field, the list will reduce to show only those metadata providers that match what you have typed.
Administrators can reorder the metadata providers list by following the steps below:
Administrators can enable/disable metadata providers. To enable a provider from the Metadata Provider Dashboard:
NOTE: You can also disable the metadata provider by toggling the Enable switch to OFF.
The Dynamic Registration Dashboard displays the registrations that have been created using the Shibboleth IdP UI application, with the following information:
On this screen the Administrator can perform the following functions:
Users can search for dynamic registrations by their title, entity ID, authentication code, or author. To perform a search:
NOTE: As you start typing in the search field, the list will reduce to show only those dynamic registrations that match what you have typed.
Administrators and users with ROLE_ENABLE can enable/disable dynamic registrations. If the dynamic registration was added by a User, a request is sent to enable the registration. To enable a registration from the Dynamic Registration Dashboard:
NOTE: Once a dynamic registration has been enabled, it cannot be switched to OFF or disabled.
Administrators can edit a dynamic registration's group association. To change a registration's group association from the Dynamic Registration Dashboard:
NOTE: Once a dynamic registration's group association has changed, the registration is removed from the view of the original group's members, including the author.
Administrators can delete dynamic registrations that are currently disabled. To delete a registration from the Dynamic Registration Dashboard:
NOTE: Once a dynamic registration has been enabled, it cannot be deleted.
The Admin dashboard displays the Shibboleth IdP UI users and the following information about them:
There are three basic user roles in Shibboleth IdP UI:
On this screen the Administrator can perform the following functions:
The Administrator can assign users to different roles. To reassign a user to a new role:
NOTE: The Role dropdown menu is populated with the roles in the system, including any custom roles the Administrator has defined.
The Administrator can assign users to different groups. To reassign a user to a new group:
NOTE: The Group dropdown is populated with the groups in the system, including any custom group the Administrator has defined.
The Administrator can delete a user account from Shibboleth IdP UI. To remove a user:
The Action Required Dashboard provides the Administrator with five types of notifications:
The Enable Metadata Sources section within the Action Required tab is only available to the Administrators. Administrators can perform the following actions from the Enable Metadata Sources section:
To access a metadata source's configuration from the Action Required dashboard:
To enable a metadata source from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Metadata Source Dashboard to verify that the metadata source has been enabled.
NOTE: If the metadata source has not yet been approved, enabling it will both approve and enable it.
To delete a metadata source from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Metadata Source Dashboard to verify that the metadata source has been deleted.
The Approve Metadata Sources section within the Action Required tab is available to the Administrators and members of groups with the authority to approve other groups' metadata sources. Users can perform the following actions from the Approve Metadata Sources section:
Administrators can also perform the following action from the Approve Metadata Sources section:
To access a metadata source's configuration from the Action Required dashboard:
To approve a metadata source from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Metadata Source Dashboard to verify that the metadata source has been approved.
To delete a metadata source from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Metadata Source Dashboard to verify that the metadata source has been deleted.
The Enable Dynamic Registrations section within the Action Required tab is only available to the Administrators. Administrators can perform the following actions from the Enable Dynamic Registrations section:
To access dynamic registration configurations from the Action Required dashboard:
To enable a dynamic registration from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Dynamic Registration Dashboard to verify that the registration has been enabled.
NOTE: If the dynamic registration has not yet been approved, enabling it will both approve and enable it.
The Approve Dynamic Registrations section within the Action Required tab is available to the Administrators and members of groups with the authority to approve other groups' dynamic registrations. Users can perform the following actions from the Approve Dynamic Registrations section:
To access a dynamic registration's configuration from the Action Required dashboard:
To approve a dynamic registration from the Action Required dashboard:
A success message is displayed and the item is removed from the list. Return to the Dynamic Registration Dashboard to verify that the registration has been approved.
Users can be added using two methods. The first method is to include the users in the user file during application deployment. The second method is to insert your IdP in front of the Shibboleth IdP UI application. You can publish a link to individuals you would like to use the application. When they receive the link, they can sign in to the application. The first time a user accesses the application, the user will see a "user request received" notification as shown below, and the new user will be displayed on the administrator Action Required dashboard as shown below:
Once a new user request has been received, the Administrator can assign a role or delete the request.
The User Access Request section within the Action Required tab is only available to the Administrators. Administrators can perform the following actions from the User Access Request section:
To assign a new role to a user from the Action Required dashboard:
The role will be assigned to the user, the User Access Request is removed from the list, and a success message is displayed.
To delete the user request from the Action Required dashboard:
The request is deleted, the User Access Request is removed from the list, and a confirmation message is displayed.
The Shibboleth IdP UI provides capabilities for the creation of metadata sources, metadata providers, and dynamic registrations. The Administrator has the ability to create all of these while non-Administrator users can only create metadata sources and dynamic registrations.
There are three methods for adding a metadata source:
To create a metadata source using Security Assertion Markup Language (SAML) protocol:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Organization information:
User Interface / MDUI information:
SP SSO descriptor information:
Logout endpoints:
Security information:
Assertion consumer services:
Relying party overrides:
Attribute release:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata source wizard in order to save a new metadata source to the database.
To create a metadata source using OpenID Connect (OIDC) protocol:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Organization information:
User Interface / MDUI information:
SP SSO descriptor information:
Logout endpoints:
Security information:
Assertion consumer services:
Relying party overrides:
Attribute release:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata source wizard in order to save a new metadata source to the database.
To upload a metadata source:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
NOTE: You can only import a file with a single entityID (EntityDescriptor element) in it. Anything more in that file will result in an error.
All data will be retrieved from the metadata file and the newly uploaded source will appear on the Metadata Source Dashboard.
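The single-entity rule above is easy to check before a file reaches the application. The following is an added example, not code from the Shibboleth IdP UI project: it accepts only a document whose root is one EntityDescriptor, rejects an EntitiesDescriptor aggregate (the usual shape of a federation feed) and any other root, and pulls out the entityID and assertion consumer service endpoints that the dashboard would show. The sample metadata documents are constructed for the example.

```python
"""Added example (not the Shibboleth IdP UI's own code): pre-check an uploaded
SAML metadata file for the one-entity rule described in the guide."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
ACS = f"{{{MD_NS}}}AssertionConsumerService"


class MetadataUploadError(ValueError):
    """Raised when the file cannot be accepted as a single metadata source."""


def check_single_entity(xml_bytes: bytes) -> dict:
    """Return {"entityID": ..., "acs": [(binding, location, index), ...]}.

    Accepts only a document whose root is a single EntityDescriptor; an
    EntitiesDescriptor aggregate, any other root element, malformed XML and a
    missing entityID are rejected. This mirrors the upload rule in the guide;
    it is not the application's own parser.
    """
    try:
        # The stdlib parser does not fetch external entities, but it does expand
        # internal entity declarations; use defusedxml for untrusted uploads.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise MetadataUploadError(f"malformed XML: {exc}") from exc

    if root.tag == ENTITIES:
        count = sum(1 for _ in root.iter(ENTITY))
        raise MetadataUploadError(
            f"aggregate with {count} EntityDescriptor elements; upload exactly one")
    if root.tag != ENTITY:
        raise MetadataUploadError(f"unexpected root element {root.tag}")

    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataUploadError("EntityDescriptor has no entityID attribute")

    acs = [(e.get("Binding"), e.get("Location"), e.get("index"))
           for e in root.iter(ACS)]
    return {"entityID": entity_id, "acs": acs}


def upload_is_accepted(xml_bytes: bytes) -> bool:
    """True if the file passes the single-entity check, False otherwise."""
    try:
        check_single_entity(xml_bytes)
        return True
    except MetadataUploadError:
        return False


# Constructed sample inputs for the example; not real metadata.
SINGLE_SP = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

AGGREGATE = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="constructed-feed">
  <md:EntityDescriptor entityID="https://sp1.example.edu/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp2.example.edu/shibboleth"/>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(check_single_entity(SINGLE_SP))
    print("aggregate accepted?", upload_is_accepted(AGGREGATE))
```

Running the block prints the entityID and the one ACS endpoint of the constructed SP, and reports that the two-entity aggregate is rejected, which is the error the guide says the upload screen produces.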
To create a metadata source using a URL:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
To copy an existing metadata source:
Click the Save button.
There are five types of metadata providers:
To create a file backed HTTP metadata provider:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Common Attributes:
Reloading Attributes:
Metadata Filter Plugins:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata provider wizard in order to save a new metadata provider to the database.
Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.
To create a file system metadata provider:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Common Attributes:
Dynamic Attributes:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata provider wizard in order to save a new metadata provider to the database.
Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.
To create a local dynamic metadata provider:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Common Attributes:
Dynamic Attributes:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata provider wizard in order to save a new metadata provider to the database.
Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.
To create a dynamic HTTP metadata provider:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Common Attributes:
Dynamic Attributes:
Metadata Filter Plugins:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata provider wizard in order to save a new metadata provider to the database.
Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.
To create an external metadata resolver:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
NOTE: If the user navigates away from the wizard prior to saving, the user will be notified that any unsaved changes will be discarded. Therefore, it is necessary to complete the new metadata provider wizard in order to save a new metadata provider to the database.
Once saved, an Administrator also has the ability to enable the metadata provider for use in an IdP.
The Shibboleth IdP UI has been configured to communicate with the Shibboleth OIDC plugin's API using dynamic registration.
The following standard client metadata fields are currently supported by dynamic registration:
For additional information regarding Dynamic Registrations visit the OPDynamicClientRegistration Confluence page.
To create a dynamic registration in the Shibboleth IdP UI:
NOTE: On this page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
When you click a metadata source's title, the Source Configuration screen is opened. This page displays the following common information for the metadata source:
On this screen the Administrator can perform the following functions:
Administrators can edit a metadata source's group association. To change a source's group association from the Metadata Source Configuration page:
NOTE: Once a metadata source group association has changed, the source is removed from the view of the original group's members, including the author.
To enable a source from the Metadata Source Configuration page:
NOTE: The source now shows Enabled and the button changes to Disable.
To delete a source from the Metadata Source Configuration page:
NOTE: A confirmation modal is displayed.
NOTE: Once a metadata source has been enabled, it cannot be deleted. You will need to disable the source prior to deleting it.
The Version History page displays all of the versions that were saved for the metadata source. To access a source's version history from Metadata Source Configuration page:
The Version History screen is displayed:
The following actions can be initiated from this page:
To compare versions of a metadata source from the Version History page:
When two or more versions are selected to compare, the Compare Source Configuration will be displayed. This display shows all data fields for the metadata source and highlights the fields that are different between the versions.
An additional option is available by toggling the View Only Changes field. The page displayed will display only the fields that have changed.
To restore a metadata source to a previous version from the Version History page:
Once you click the Save button, a new version is created and the configuration page is displayed. The new version contains the information that was saved for the version selected.
To display a source's XML version from Metadata Source Configuration page:
To edit the source's options from Metadata Source Configuration page:
When you click the Edit link in the Source Configuration page, the section you selected to edit is displayed on the page. The link in the left navigation is highlighted indicating the section displayed.
Make your desired edits for this section and/or click on other sections to make edits to their fields.
Click the Save button.
NOTE: Multiple sections can be modified prior to selecting Save and the modifications for all sections will be saved.
When you click a metadata provider's title, the Provider Configuration screen is opened. This page displays the following common information for the metadata provider:
On this screen the Administrator can perform the following functions:
The Version History page displays all of the versions that were saved for the metadata provider. To access a provider's version history from the Metadata Provider Configuration page:
The Version History screen is displayed:
The following actions can be initiated from this page:
To compare versions of a metadata provider from the Version History page:
When two or more versions are selected to compare, the Compare Provider Configuration will be displayed. This display shows all data fields for the metadata provider and highlights the fields that are different between the versions.
An additional option is available by toggling the View Only Changes field. The page displayed will display only the fields that have changed.
To restore a metadata provider to a previous version from the Version History page:
Once you click the Save button, a new version is created and the configuration page is displayed. The new version contains the information that was saved for the version selected.
There are three types of filters you can add to a metadata provider:
To add an EntityAttributes filter to a metadata provider from Metadata Provider Configuration page:
NOTE: Each input on the form has a tooltip that provides additional information about the corresponding item:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Filter Target:
Options:
Attributes:
To add an EntityAttributes filter to a metadata provider from Metadata Provider Configuration page:
NOTE: Each input on the form has a tooltip that provides additional information about the corresponding item:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Filter Target:
Options:
Attributes:
To add an EntityAttributes filter to a metadata provider from Metadata Provider Configuration page:
NOTE: Each input on the form has a tooltip that provides additional information about the corresponding item:
NOTE: On each page, fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Filter Target:
Options:
Attributes:
To reorder filters from Metadata Provider Configuration page:
To enable filters from Metadata Provider Configuration page:
NOTE: You can also disable the filter by toggling the Enable switch to OFF.
To delete filters from Metadata Provider Configuration page:
Make your desired edits for this section and/or click on other sections to make edits to their fields.
NOTE: Filters do not have a separate version number to select from version history. When metadata provider versions are selected, the filters corresponding to each metadata provider version selected are displayed below the metadata provider data at the bottom of the page.
The order of the filters may not be the same for each metadata provider version. Click the checkbox next to the corresponding filters (same filter name) to compare the values for the filter. The differences will then be displayed.
When you click the Edit link in the Provider Configuration page, the section you selected to edit is displayed on the page. The link in the left navigation is highlighted indicating the section displayed. The following functions can be performed on this page:
In addition to editing the information that was included during the add process for a metadata provider, Advanced Settings may also be modified. Click the Advanced Settings link in the left navigation and toggle the switch at the top of the page to unlock the fields for editing.
NOTE: Advanced Settings are an advanced function and should not normally need to be modified.
When you click a dynamic registration's title, the Dynamic Registration Configuration screen is opened. This page displays the following common information for the Dynamic Registration:
On this screen the Administrator can perform the following functions:
Administrators can edit a dynamic registration's group association. To change a registration's group association from the Dynamic Registration Configuration page:
NOTE: Once a dynamic registration group association has changed, the registration is removed from the view of the original group's members, including the author.
To enable a registration from the Dynamic Registration Configuration page:
NOTE: The registration now shows Enabled and the button changes to Disable.
To delete a registration from the Dynamic Registration Configuration page:
NOTE: A confirmation modal is displayed.
NOTE: Once a dynamic registration has been enabled, it cannot be deleted.
To edit a registration from the Dynamic Registration Configuration page:
Make your desired edits for this section and/or click on other sections to make edits to their fields.
Click the Save button.
The Shibboleth IdP UI has five Advanced functions:
Custom Entity Attributes can be added by an administrator. These attributes become options on the Relying Party Overrides section when configuring a Metadata Source or an Entity Attributes Filter. The Custom Entity Attributes screen displays the custom entity attributes created in the Shibboleth IdP UI application and has the following information about them:
On this screen the Administrator can perform the following functions:
Create a new attribute
To create a custom entity attribute:
NOTE: The fields that require information to be entered are denoted by a '*' at the end of the description for the field.
Each input on the form has a tooltip that provides additional information about the corresponding item:
Name: The name of the entry used to uniquely identify this entry.
Attribute Type: The type to use when displaying this option. It is possible to create the following types of Entity Attributes:
- String (simple plain text)
- Boolean (allows the option to be stored as a string or boolean value)
- List (list of strings with a default option)
- Long (stored as a string)
- Double (stored as a string)
- Duration (stored as a string in the ISO-8601 duration format), for example PT1H
- Spring Bean ID (stored as a string)
Default Value: One or more values to be displayed as default options in the UI.
Persist Type: Optional. If it is necessary to persist something different from the override's display type, set that type here. For example, display a boolean, but persist a string.
Persist Value: Required only when Persist Type is used. Defines the value to be persisted.
Attribute Friendly Name: The friendly name associated with the Attribute Name.
Attribute Name: The name of the attribute to be used in the XML. This is assumed to be a URI.
Display Name: Normally the label used when displaying this override in the UI.
Help Text: The help-icon hover-over text.
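The attribute types listed above each imply a validation rule before a value is written into the IdP's XML (a Long that is not an integer, or a Duration that is not ISO-8601, would otherwise surface only when the IdP refuses to load the configuration). The block below is an added example, not the Shibboleth IdP UI's own validation code: it checks a value against each listed type, stores everything except Boolean as a string as the guide states, and parses the day/hour/minute/second subset of ISO-8601 durations (an assumption; years and months are not handled). The Spring bean ID pattern and the treatment of Persist Type / Persist Value (when set, the displayed value decides whether the attribute is written and the configured Persist Value is what gets stored) are likewise assumptions for the example.

```python
"""Added example (not the Shibboleth IdP UI's own code): validate a value
entered for a custom entity attribute against the attribute types listed in
the guide. Persist-type handling and the bean id pattern are assumptions."""
import re
from datetime import timedelta

# Subset of ISO-8601 durations: days, hours, minutes, seconds (assumption:
# enough for values such as PT1H or P1DT2H; years/months are not handled).
_ISO_DURATION = re.compile(
    r"P(?!$)(?:(?P<days>\d+)D)?"
    r"(?:T(?!$)(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?"
    r"(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?"
)
_BEAN_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")  # assumed Spring bean id shape


def parse_duration(text: str) -> timedelta:
    """Parse e.g. 'PT1H' or 'P1DT2H30M'; reject anything that is not ISO-8601."""
    m = _ISO_DURATION.fullmatch(text)
    if m is None:
        raise ValueError(f"{text!r} is not an ISO-8601 duration such as PT1H")
    g = m.groupdict()
    return timedelta(days=int(g["days"] or 0), hours=int(g["hours"] or 0),
                     minutes=int(g["minutes"] or 0), seconds=float(g["seconds"] or 0))


def to_bool(raw) -> bool:
    """Accept a real bool or the strings 'true'/'false' (any case)."""
    if isinstance(raw, bool):
        return raw
    text = str(raw).strip().lower()
    if text in ("true", "false"):
        return text == "true"
    raise ValueError(f"{raw!r} is not a boolean")


def validate_value(attr_def: dict, raw):
    """Return the value to persist for one custom entity attribute.

    attr_def keys mirror the form fields: attribute_type, default_value (the
    list of allowed options for the List type), persist_type, persist_value.
    Every type except Boolean is stored as a string, as the guide states.
    """
    t = attr_def["attribute_type"]
    if t == "String":
        value = str(raw)
    elif t == "Boolean":
        value = to_bool(raw)
    elif t == "List":
        allowed = attr_def.get("default_value", [])
        if raw not in allowed:
            raise ValueError(f"{raw!r} is not among the list options {allowed}")
        value = raw
    elif t == "Long":
        value = str(int(raw))        # int() rejects '12.5' and 'abc'
    elif t == "Double":
        value = str(float(raw))
    elif t == "Duration":
        parse_duration(raw)          # reject malformed input, keep the original text
        value = raw
    elif t == "Spring Bean ID":
        if _BEAN_ID.fullmatch(str(raw)) is None:
            raise ValueError(f"{raw!r} is not a plausible bean id")
        value = str(raw)
    else:
        raise ValueError(f"unknown attribute type {t!r}")

    # Assumed interpretation of Persist Type / Persist Value: when set, the
    # displayed value only decides whether the attribute is written at all, and
    # the persisted value is the configured Persist Value (show a checkbox,
    # persist a string). None means "do not write this attribute".
    if attr_def.get("persist_type"):
        if "persist_value" not in attr_def:
            raise ValueError("persist_value is required when persist_type is set")
        return attr_def["persist_value"] if value else None
    return value


if __name__ == "__main__":
    # Constructed attribute definitions for the example.
    print(validate_value({"attribute_type": "Duration"}, "PT1H"))
    print(validate_value({"attribute_type": "Long"}, "42"))
    print(validate_value({"attribute_type": "Boolean", "persist_type": "String",
                          "persist_value": "enabled"}, True))
```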
Once the custom entity attribute has been created, the attributes will appear as an option on:
To edit a custom entity attribute:
Make your desired edits and click the Save button.
To create a custom entity attribute:
The Attributes Bundles screen displays the attributes bundles created in the Shibboleth IdP UI application and has the following information about them:
On this screen the Administrator can perform the following functions:
Create a new bundle attribute
Attribute Release bundles can be created as a convenience feature for metadata creators. This allows an administrator to select from the list of custom attributes defined in the `application.yml` file.
To create an attribute bundle:
Mousing over the list of bundled attributes displays the full list of attributes defined in the bundle, in case the list is too long to display in the bundle list table.
Once the attributes bundle has been created, a user can select these bundles when creating a new metadata source, dynamic registration, or entity attributes Filter. On the Attribute Release page, the bundles are displayed above the list of attributes. Clicking the Select Bundle button to the right of the bundle name will select the checkboxes below for the attributes in that bundle. This allows the user to select multiple attributes:
Groups can be defined by an administrator using the Groups page. Metadata sources, dynamic registrations, and users can belong to a group, and each user may have a role within the context of that group. When a user is created in the system, they are added by default to their own user group which is generated at the same time, unless a specific group is specified. When a metadata source or dynamic registration is created, that source or registration is added to the creator's group.
On the Groups Management screen, the Administrator can perform the following functions:
To create a group:
NOTE: The URL validation regular expression and Approvers sections are optional.
NOTE: During the metadata source creation process, the Entity ID and any assertion consumer service endpoint URLs will be restricted to matching the URL validation regular expression defined for the member's group. For example, here is a failed validation on the Entity ID:
Once it has been corrected, the user can proceed with their metadata source definition:
Similarly, when defining Assertion Consumer Service Endpoints, the URL will be validated against the group's RegEx:
And once it is successful, the user can proceed with their metadata source definition.
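The group regular expression is the control that keeps a delegated group from registering an Entity ID or endpoint outside the name space it was given, so how it is applied matters. The block below is an added example, not the Shibboleth IdP UI's own validation code, with a constructed group and pattern: it checks the Entity ID and every assertion consumer service endpoint with a full match, and contrasts that with a substring match, which would accept any URL that merely contains text matching the pattern.

```python
"""Added example (not the Shibboleth IdP UI's own code): apply a group's URL
validation regular expression to a new metadata source's Entity ID and
assertion consumer service endpoints, as the guide describes."""
import re

# Constructed group definition; the pattern is an assumption for the example,
# not a value shipped with the application.
EXAMPLE_GROUP = {
    "name": "library-apps",
    "url_regex": r"https://([a-z0-9-]+\.)*lib\.example\.edu(/.*)?",
}


def validate_source_urls(group: dict, entity_id: str, acs_locations: list) -> list:
    """Return a list of failure messages; an empty list means the source passes.

    fullmatch is used deliberately: the whole URL has to match the group's
    pattern, so a URL that only contains a matching substring is rejected.
    """
    pattern = re.compile(group["url_regex"])
    checks = [("Entity ID", entity_id)]
    checks += [(f"ACS endpoint {i}", url) for i, url in enumerate(acs_locations, start=1)]
    failures = []
    for label, url in checks:
        if pattern.fullmatch(url) is None:
            failures.append(
                f"{label} {url!r} does not match the {group['name']!r} group pattern")
    return failures


def substring_match_would_accept(group: dict, url: str) -> bool:
    """The weaker check (re.search) for comparison: it accepts a URL as soon as
    any part of it matches the pattern, which is why it should not be used."""
    return re.search(group["url_regex"], url) is not None


if __name__ == "__main__":
    # Constructed inputs: one source inside the group's name space, one outside.
    print(validate_source_urls(EXAMPLE_GROUP, "https://catalog.lib.example.edu/shibboleth",
                               ["https://catalog.lib.example.edu/Shibboleth.sso/SAML2/POST"]))
    outside = "https://sp.other-example.org/login?next=https://lib.example.edu/"
    print(validate_source_urls(EXAMPLE_GROUP, "https://sp.other-example.org/shibboleth", [outside]))
    print("substring match would accept:", substring_match_would_accept(EXAMPLE_GROUP, outside))
```

When defining a group pattern, write it so that it describes the whole URL; if the UI's validator applies the expression with a full match, as above, an unanchored pattern still behaves correctly, and if it does not, explicit `^` and `$` anchors in the pattern restore that behaviour.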
NOTE: This provides an additional level of approval for metadata sources and dynamic registrations, granting the approver group(s) the authority to approve an un-enabled Metadata Source.
Metadata sources and dynamic registrations belonging to a group that has approval groups assigned to it cannot be enabled by a delegated enabler until they have been approved by a user from one of the approval groups.
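Taken together, the dashboard access rules near the top of the guide (Administrators see everything; ROLE_USER and ROLE_ENABLE see only their own group's items; approver-group members see other groups' items only under Actions Required) and the approval rule just above describe a small authorization policy. The block below is an added example, not the Shibboleth IdP UI's own code, that writes that policy down as three checks over constructed users, groups and items, so the rules can be read and tested in one place.

```python
"""Added example (not the Shibboleth IdP UI's own code): the visibility,
enable and approval rules stated in the guide, as explicit checks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str      # "ROLE_ADMIN", "ROLE_ENABLE" or "ROLE_USER"
    group: str


@dataclass(frozen=True)
class Group:
    name: str
    approvers: frozenset = frozenset()   # groups allowed to approve this group's items


@dataclass(frozen=True)
class Item:
    """A metadata source or dynamic registration."""
    title: str
    group: str
    enabled: bool = False
    approved: bool = False


def can_view_on_dashboard(user: User, item: Item) -> bool:
    """Administrators see all items; everyone else only their own group's."""
    if user.role == "ROLE_ADMIN":
        return True
    return item.group == user.group


def can_enable(user: User, item: Item, groups: dict) -> bool:
    """Administrators can always enable (the guide says this also approves).
    A ROLE_ENABLE user may enable items of its own group, but not until an
    approver group, if the owning group has any, has approved the item."""
    if user.role == "ROLE_ADMIN":
        return True
    if user.role != "ROLE_ENABLE" or item.group != user.group:
        return False
    owning = groups[item.group]
    return item.approved or not owning.approvers


def shows_in_actions_required(user: User, item: Item, groups: dict) -> bool:
    """Approver-group members see only the not-yet-approved items of the groups
    they approve; Administrators see everything pending."""
    if user.role == "ROLE_ADMIN":
        return True
    return user.group in groups[item.group].approvers and not item.approved


# Constructed sample data for the example.
GROUPS = {
    "library": Group("library", frozenset({"central-it"})),
    "central-it": Group("central-it"),
}
ADMIN = User("root", "ROLE_ADMIN", "central-it")
ENABLER = User("bob", "ROLE_ENABLE", "library")
APPROVER = User("ann", "ROLE_USER", "central-it")
CATALOG_SP = Item("Catalog SP", "library")

if __name__ == "__main__":
    print("enabler may enable before approval:", can_enable(ENABLER, CATALOG_SP, GROUPS))
    print("approver sees it under Actions Required:",
          shows_in_actions_required(APPROVER, CATALOG_SP, GROUPS))
```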
The Groups Management page is displayed, the new group has been added to the list, and a success message is displayed.
There are three basic user roles in Shibboleth IdP UI:
On the Role Management screen the Administrator can perform the following functions:
Create a new role
The Administrator can create custom roles to apply to users. These custom roles define the user's capability within the group.
To create a custom role:
The Role Management page is displayed, the new role has been added to the list, and a success message is displayed.
At this point, if the Administrator navigates to the Dashboard → Admin tab and opens one of the Role menus, the new role will be displayed:
To Edit a role:
NOTE: ROLE_ADMIN cannot be edited or deleted as this role is required by the system.
To create a role:
The Shibboleth IdP UI has built a registry of all supported properties. Administrators can create Shibboleth configuration sets to group these properties for different Shibboleth instances/environments, for example Development, QA, and Production.
On the Manage Shibboleth configurations screen the Administrator can perform the following functions:
Create a new configuration set
To create a configuration set:
NOTE: Once a property has been added, the option is removed from the Add properties menu.
Once a configuration set has been created, the files from the set can be downloaded in two ways:
To edit a configuration set:
The Edit configuration set screen is displayed. Here the Administrator can:
- Edit the Name field
- Add or remove properties
- Edit the Value field for the selected properties
To edit a configuration set:
End of User Guide