
SAML Identity Providers

University IT runs a production, load-balanced SAML Identity Provider (IdP) that is a member of both our own FarmFed federation and the InCommon federation.

Use the information in either A or B below depending on whether the participating Service Provider is a member of InCommon or not.

A. Identity Provider Information for most Service Providers

Production

  • EntityID: https://idp.stanford.edu/
  • Metadata: IdP-only metadata
  • SAML X509 certificate: idp.crt
  • IDP is configured with kdc-prod*.stanford.edu, certcache.stanford.edu and ldap.stanford.edu

UAT

  • EntityID: https://idp-uat.stanford.edu/ (note: encryption on idp-uat is now SHA-256 only)
  • Metadata:  IdP-only metadata
  • SAML X509 certificate: idp-uat.crt
  • IDP-UAT is configured with kdc-prod*.stanford.edu, certcache.stanford.edu and ldap.stanford.edu

MAISUAT

  • EntityID: https://idp-maisuat.stanford.edu/ 
  • Metadata:  IdP-only metadata
  • SAML X509 certificate: idp-maisuat.crt
  • IDP-MAISUAT is configured with kdc-prod*.stanford.edu, certcache-uat.stanford.edu and ldap-uat.stanford.edu

MAISTEST

  • EntityID: https://idp-maistest.stanford.edu/ 
  • Metadata:  IdP-only metadata
  • SAML X509 certificate: idp-maistest.crt
  • IDP-MAISTEST is configured with kdc-prod*.stanford.edu, certcache-uat.stanford.edu and ldap-test.stanford.edu

B. Identity Provider Information for InCommon Service Providers

InCommon Service Providers must use urn:mace:incommon:stanford.edu for Stanford's IdP entityID. All other InCommon metadata should be downloaded directly from InCommon.

How to Validate Metadata

How to validate metadata for idp and idp-uat

The MetadataProvider configuration at the end of this section attempts to refresh the Stanford IdP-only metadata every two hours.

You are encouraged to validate the downloaded metadata against its metadata signing certificate. First fetch the Metadata Signing Certificate and check its integrity:

/usr/bin/curl -s https://samlmetadata.stanford.edu/mdsign_prod.pem | md5sum

	07da521394c85381866e669e33f385f0

Confirm that the MD5 checksum of your download matches the value shown above.

Use that certificate (mdsign_prod.pem) to validate the IdP metadata you downloaded:

<MetadataProvider type="XML" url="https://login.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login.stanford.edu-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_prod.pem" />
</MetadataProvider>

<MetadataProvider type="XML" url="https://login-uat.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-uat.stanford.edu-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_prod.pem" />
</MetadataProvider>

How to validate metadata for idp-maisuat and idp-maistest

For idp-maisuat and idp-maistest, we use a different set of signing keys. The MetadataProvider configuration at the end of this section attempts to refresh the Stanford IdP-only metadata every two hours.

You are encouraged to validate the downloaded metadata against its metadata signing certificate. First fetch the Metadata Signing Certificate and check its integrity:

/usr/bin/curl -s https://samlmetadata.stanford.edu/mdsign_stage.pem | md5sum

8dfba5f4b8d4bdbfb26a83876df29127

Confirm that the MD5 checksum of your download matches the value shown above.

Use that certificate (mdsign_stage.pem) to validate the IdP metadata you downloaded:

<MetadataProvider type="XML" url="https://login-maisuat.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-maisuat.stanford.edu-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_stage.pem" />
</MetadataProvider>

<MetadataProvider type="XML" url="https://login-maistest.stanford.edu/metadata.xml"
    backingFilePath="/var/tmp/metadata/login-maistest.stanford.edu-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/ssl/certs/mdsign_stage.pem" />
</MetadataProvider>

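
As an added example (not Stanford's own tooling), the shell functions below combine the fetch-and-check steps from both validation procedures above: they hash the exact file that will be installed, rather than a separate piped download, and place it at the MetadataFilter certificate path only when the checksum matches. The function names are hypothetical, and MD5 is used only because it is the digest published on this page.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Stanford tool.

# file_md5 FILE: print the hex MD5 of FILE (the value `md5sum` reports).
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# install_pinned_cert SRC EXPECTED_MD5 DEST
# Installs SRC at DEST only when its digest equals EXPECTED_MD5.
# On any failure DEST is left untouched and the function returns non-zero.
install_pinned_cert() {
    src=$1; expected=$2; dest=$3
    [ -s "$src" ] || { echo "missing or empty download: $src" >&2; return 1; }
    actual=$(file_md5 "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: got $actual, want $expected" >&2
        return 1
    fi
    # Stage next to DEST and rename, so the SP never reads a partial file.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"
}

# fetch_and_install URL EXPECTED_MD5 DEST
# Downloads once to a temp file, then verifies and installs that same file.
fetch_and_install() {
    dl=$(mktemp) || return 1
    rc=1
    curl -fsS -o "$dl" "$1" && install_pinned_cert "$dl" "$2" "$3" && rc=0
    rm -f "$dl"
    return $rc
}

# Usage with the production values given on this page:
#   fetch_and_install https://samlmetadata.stanford.edu/mdsign_prod.pem \
#       07da521394c85381866e669e33f385f0 /etc/ssl/certs/mdsign_prod.pem
```

For idp-maisuat and idp-maistest, pass the mdsign_stage.pem URL, its checksum and /etc/ssl/certs/mdsign_stage.pem instead.
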
Last modified March 8, 2024