Reference Identity Provider

GTRI deployed two reference IDPs in the pilot federation. Both IDPs are based on the Shibboleth 2.x implementation of SAML 2.0. One of the reference IDPs is deployed on a Microsoft Windows platform, the other on Red Hat Enterprise Linux (RHEL). There is no functional difference between a Shibboleth IDP running on Windows and one running on RHEL; however, the deployment processes for a Shibboleth IDP on each platform are different enough to merit the task of working through each and documenting them separately. During and after the deployment process, GTRI created a detailed set of instructions for deploying a Shibboleth IDP on each platform.

Both IDPs address two integration issues. The first is the Single Sign-On Integration Point, which involves the integration of the IDP with the local site's user authentication system, and the other is the Attribute Authority Integration Point, which involves connecting the IDP to the local site's attribute repository.

During the deployment of the reference IDPs, the Windows-based reference IDP was integrated with a username/password authentication system, and the RHEL-based reference IDP was integrated with a PKI-based client certificate authentication system. At the Attribute Authority Integration Point, both reference IDPs were connected to a reference LDAP repository.

Since their deployment, it has become clear that both reference IDPs are very useful during the process of deploying new SPs. They contain a large number of test identities that are designed to allow for testing a wide variety of metadata attributes. Additional credentials for test accounts on each reference IDP can be provided to new participants, and these test accounts have repeatedly proven to be a valuable resource for participants who have brought their SPs online.

Some of the current participants continue to maintain their reference IDPs online on a full- or part-time basis. For example, CISA maintains its reference IDP (a full test copy of its production IDP) for its testing use. On request, CISA administrators and users can test other participants' reference SPs with their reference IDPs.

Other reference IDPs are occasionally available in the GFIPM Reference Federation. These IDPs belong to other participants and can be used only by the users of those participants.

A representative list of reference IDPs can be seen in the drop-down menu in the following illustration.

Screen Shot of a List of Available Reference IDPs