University IT runs a production, load-balanced SAML Identity Provider (IdP) that is both a member of our own FarmFed federation and the InCommon federation.
Use the information in either A or B below depending on whether the participating Service Provider is a member of InCommon or not.
A. Identity Provider Information for most Service Providers
Production
- EntityID: https://idp.stanford.edu/
- Metadata: IdP-only metadata
- SAML X509 certificate: idp.crt
- IDP is configured with kdc-prod*.stanford.edu, certcache.stanford.edu and ldap.stanford.edu
UAT
- EntityID: https://idp-uat.stanford.edu/ (note: encryption on idp-uat is now SHA-256 only)
- Metadata: IdP-only metadata
- SAML X509 certificate: idp-uat.crt
- IDP-UAT is configured with kdc-prod*.stanford.edu, certcache.stanford.edu and ldap.stanford.edu
MAISUAT
- EntityID: https://idp-maisuat.stanford.edu/
- Metadata: IdP-only metadata
- SAML X509 certificate: idp-maisuat.crt
- IDP-MAISUAT is configured with kdc-prod*.stanford.edu, certcache-uat.stanford.edu and ldap-uat.stanford.edu
MAISTEST
- EntityID: https://idp-maistest.stanford.edu/
- Metadata: IdP-only metadata
- SAML X509 certificate: idp-maistest.crt
- IDP-MAISTEST is configured with kdc-prod*.stanford.edu, certcache-uat.stanford.edu and ldap-test.stanford.edu
B. Identity Provider Information for InCommon Service Providers
InCommon Service Providers must use urn:mace:incommon:stanford.edu for Stanford's IdP entityID. All other InCommon metadata should be downloaded directly from InCommon.
How to Validate Metadata
- How to validate metadata for idp and idp-uat
The following MetadataProvider elements (Shibboleth SP configuration) refresh the Stanford IdP-only metadata every two hours (reloadInterval="7200"); the Signature filter rejects any metadata whose signature does not verify against the signing certificate.
You are encouraged to validate the downloaded metadata against its metadata signing certificate. First fetch the metadata signing certificate and check its integrity:
/usr/bin/curl -s https://samlmetadata.stanford.edu/mdsign_prod.pem | md5sum
Expected md5 checksum: 07da521394c85381866e669e33f385f0
Verify that the checksum printed matches the value above.
Use that certificate (mdsign_prod.pem) in the Signature filter to validate the IdP metadata you download:
<MetadataProvider type="XML" url="https://login.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login.stanford.edu-metadata.xml"
    reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_prod.pem" />
</MetadataProvider>
<MetadataProvider type="XML" url="https://login-uat.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-uat.stanford.edu-metadata.xml"
    reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_prod.pem" />
</MetadataProvider>
- How to validate metadata for idp-maisuat and idp-maistest
For idp-maisuat and idp-maistest, a different metadata signing key is used. The following MetadataProvider elements refresh the Stanford IdP-only metadata every two hours (reloadInterval="7200").
You are encouraged to validate the downloaded metadata against its metadata signing certificate. First fetch the metadata signing certificate and check its integrity:
/usr/bin/curl -s https://samlmetadata.stanford.edu/mdsign_stage.pem | md5sum
Expected md5 checksum: 8dfba5f4b8d4bdbfb26a83876df29127
Verify that the checksum printed matches the value above.
Use that certificate (mdsign_stage.pem) in the Signature filter to validate the IdP metadata you download:
<MetadataProvider type="XML" url="https://login-maisuat.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-maisuat.stanford.edu-metadata.xml"
    reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_stage.pem" />
</MetadataProvider>
<MetadataProvider type="XML" url="https://login-maistest.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-maistest.stanford.edu-metadata.xml"
    reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_stage.pem" />
</MetadataProvider>
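As an added example that is not part of this page or of Stanford IT's tooling, the following POSIX shell script carries out the validation steps above for either signing certificate (mdsign_prod.pem or mdsign_stage.pem): it downloads the certificate with a curl that fails on HTTP errors, compares its md5 against the pinned value, and then verifies the metadata's XML signature with xmlsec1. It assumes xmlsec1 and openssl are installed; the certificate expiry warning and the verify_idp_metadata wrapper are assumptions of this example, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not Stanford IT's tooling: pin the metadata signing certificate
# by its published md5, then verify the IdP metadata signature with that cert.
# Assumes xmlsec1 and openssl are installed; the expiry check is an extra caveat.

# check_cert_md5 FILE EXPECTED -> 0 when the file's md5 equals EXPECTED.
check_cert_md5() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# cert_valid_for_days FILE DAYS -> 0 when the certificate does not expire
# within DAYS days (an expired signing cert makes every metadata refresh fail).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# verify_metadata_signature CERT METADATA -> 0 when the enveloped XML signature
# on the metadata verifies against CERT; both SAML metadata root elements are
# registered so the ds:Reference URI="#ID" can be resolved.
verify_metadata_signature() {
    xmlsec1 --verify --pubkey-cert-pem "$1" \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
        "$2" >/dev/null 2>&1
}

# verify_idp_metadata CERT_NAME EXPECTED_MD5 METADATA_URL
# e.g. verify_idp_metadata mdsign_prod.pem 07da521394c85381866e669e33f385f0 \
#          https://login.stanford.edu/metadata.xml
verify_idp_metadata() {
    work=$(mktemp -d) || return 1
    # curl -f: a 404/5xx error page must fail here instead of being hashed as
    # if it were the certificate (a plain "curl | md5sum" would hash the error page).
    curl -sf "https://samlmetadata.stanford.edu/$1" -o "$work/$1" || return 1
    check_cert_md5 "$work/$1" "$2" || { echo "md5 mismatch for $1" >&2; return 1; }
    cert_valid_for_days "$work/$1" 30 || echo "warning: $1 expires within 30 days" >&2
    curl -sf "$3" -o "$work/metadata.xml" || return 1
    verify_metadata_signature "$work/$1" "$work/metadata.xml"
}

if [ "$#" -eq 3 ]; then
    verify_idp_metadata "$@" && echo "metadata signature OK"
fi
```

Run it as: sh verify-metadata.sh mdsign_prod.pem 07da521394c85381866e669e33f385f0 https://login.stanford.edu/metadata.xml (substitute mdsign_stage.pem and its checksum for the maisuat and maistest metadata). The Shibboleth SP's Signature filter repeats the signature check on every refresh, so this script is a one-time sanity check of the pinned certificate, not a replacement for that filter.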