
IT Lab IdP

Test It!

Test this IdP by logging into the Test SP.

Test Users

There are three test users available on this IdP:

Username   displayName           eduPersonAffiliation   eduPersonPrincipalName
jane       Jane Stanford         faculty                jane@itlab.stanford.edu
leland     Leland Stanford       staff                  leland@itlab.stanford.edu
lelandjr   Leland Stanford, Jr   student                lelandjr@itlab.stanford.edu

Each account has the same password: stanford

Logging in as any of these users will return an assertion to your SP similar to the ones that are released from the production IdPs.

SP Configuration

You will need to download or link to the metadata for this IdP at https://login.itlab.stanford.edu/idp/shibboleth. The entityID you configure in your SP's SSO element must match the entityID attribute of the EntityDescriptor in that metadata exactly; take the value from the downloaded file rather than assuming it equals the metadata URL.

Unlike our production IdP, this service does not require metadata for your SP. Your SP metadata will be required to move to production.

Here is a sample shibboleth2.xml configuration file for the Shibboleth SP (2.x configuration schema). Replace YOUR-ENTITY-ID with the URL for your app's home page (e.g. https://webapp.itlab.stanford.edu/) and YOUR-EMAIL-ADDRESS with your, or your team's, email address.


<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <ApplicationDefaults entityID="YOUR-ENTITY-ID" REMOTE_USER="eppn">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true"
              cookieProps="; path=/; secure; HttpOnly">

      <SSO entityID="https://weblogin.itlab.stanford.edu/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>Local</Logout>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

    </Sessions>

    <Errors supportContact="YOUR-EMAIL-ADDRESS"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" reloadInterval="7200"
                      uri="https://metadata.itlab.stanford.edu/itlab-idp.xml"
                      backingFilePath="/var/cache/shibboleth/itlab-idp.xml"/>

    <AttributeExtractor type="XML" validate="true"
                        reloadChanges="false" path="attribute-map.xml"/>

    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

Generate a self-signed certificate using the openssl command line. Replace YOUR-HOST-NAME with the fully qualified name of your host (or the loadbalancer in front of a cluster). This key pair is used by the SP to sign SAML messages and decrypt assertions, not for TLS, so a self-signed certificate is sufficient; the IdP trusts it through your SP metadata once you move to production. The private key must be readable only by the account shibd runs as.


% openssl req -x509 -newkey rsa:2048 -keyout sp-key.pem -out sp-cert.pem -nodes \
> -days 3650 -subj /CN=YOUR-HOST-NAME
Generating a 2048 bit RSA private key
...............+++
.............................................................................+++
writing new private key to 'sp-key.pem'
-----
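The following script is an added example, not part of the IT Lab page: it runs the same openssl command with the private key created unreadable by other users, then checks that the certificate and key actually belong together and prints the certificate's SHA-256 fingerprint (useful when registering the SP for production). The host name and file locations are assumptions.

```shell
#!/bin/sh
# Added example (not from the IT Lab page). Generate the SP signing/encryption
# key pair, lock down the private key, and verify the pair before pointing
# <CredentialResolver key="..." certificate="..."/> at the files.
set -eu

# Generate a 2048-bit RSA key and a 10-year self-signed certificate for HOST.
# umask 077 makes the key unreadable by others from the moment it is written.
gen_sp_credentials() {
    host="$1"; key="$2"; cert="$3"
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$host" -keyout "$key" -out "$cert" 2>/dev/null)
    chmod 600 "$key"
    chmod 644 "$cert"
}

# Return 0 only if the public key inside CERT is the one derived from KEY.
# Both sides are reduced to a SHA-256 of the DER-encoded public key.
sp_key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the private key is mode 600 or 400 (GNU and BSD stat handled).
sp_key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print the SHA-256 fingerprint of CERT (what you hand to the IdP operators
# when they ask you to confirm the certificate in your SP metadata).
sp_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: host name and output directory below are assumptions for this example.
WORK=$(mktemp -d)
gen_sp_credentials "webapp.itlab.stanford.edu" "$WORK/sp-key.pem" "$WORK/sp-cert.pem"
sp_key_matches_cert "$WORK/sp-key.pem" "$WORK/sp-cert.pem" && echo "key and certificate match"
sp_key_is_private "$WORK/sp-key.pem" && echo "private key permissions OK"
echo "certificate SHA-256 fingerprint: $(sp_cert_fingerprint "$WORK/sp-cert.pem")"
```

Copy the two files into the SP configuration directory named in CredentialResolver and make the key owned by the shibd user; a certificate that was regenerated without also updating the metadata you gave the IdP is the usual cause of "unable to decrypt assertion" failures.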

Verifying Metadata

The IT Lab IdP metadata is signed; configure metadata signature verification in your SP by following the separate instructions for it. In the Shibboleth SP this is a MetadataFilter of type Signature placed inside the MetadataProvider element and pinned to the IdP's metadata signing certificate, which you must obtain out of band rather than from the metadata file itself. The sample configuration above does not include this filter, so as written the SP trusts whatever the metadata URL serves; add the filter before relying on the configuration for anything beyond initial testing.
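The following script is an added example, not part of the IT Lab page, that lints a shibboleth2.xml against the points raised on this page: the SSO entityID must equal the entityID published in the IdP's metadata (the sample above uses two different host names for the IdP, login and weblogin, which is exactly the mismatch this catches), the YOUR-... placeholders must be replaced, the MetadataProvider must carry a Signature filter, and handlers must be TLS-only. The configs and metadata it checks are constructed for the example, with example.edu entityIDs and a hypothetical signer certificate file name.

```shell
#!/bin/sh
# Added example (not from the IT Lab page): a pre-deployment lint for
# shibboleth2.xml. The checks are line-oriented sed/grep and assume each
# attribute sits on the same line as its element name, as in the sample config.
set -eu

# entityID the SP sends AuthnRequests to: <SSO entityID="...">.
sso_entity_id() {
    sed -n 's/.*<SSO[^>]*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# entityID the IdP actually publishes: <EntityDescriptor entityID="...">.
metadata_entity_id() {
    sed -n 's/.*EntityDescriptor[^>]*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 1. SP config and IdP metadata must agree on the IdP's entityID, byte for byte.
check_entity_id() {
    [ -n "$(sso_entity_id "$1")" ] && [ "$(sso_entity_id "$1")" = "$(metadata_entity_id "$2")" ]
}

# 2. No YOUR-... placeholder left behind.
check_no_placeholders() { ! grep -q 'YOUR-' "$1"; }

# 3. Metadata signature verification must be configured.
check_signature_filter() { grep -q '<MetadataFilter[^>]*type="Signature"' "$1"; }

# 4. Handlers (ACS, logout, metadata) must be reachable only over TLS.
check_handler_ssl() { grep -q 'handlerSSL="true"' "$1"; }

# Run all checks, report each failure, return non-zero if any failed.
lint_sp_config() {
    cfg="$1"; md="$2"; rc=0
    check_entity_id "$cfg" "$md"  || { echo "FAIL: SSO entityID differs from metadata entityID"; rc=1; }
    check_no_placeholders "$cfg"  || { echo "FAIL: YOUR-... placeholder not replaced"; rc=1; }
    check_signature_filter "$cfg" || { echo "FAIL: no Signature MetadataFilter on MetadataProvider"; rc=1; }
    check_handler_ssl "$cfg"      || { echo "FAIL: handlerSSL is not true"; rc=1; }
    return $rc
}

# Constructed inputs (not real IT Lab files): IdP metadata and two SP configs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/idp.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
EOF

# "before": placeholders left in, SSO points at a different host name, no signature filter.
cat > "$WORK/before.xml" <<'EOF'
<ApplicationDefaults entityID="YOUR-ENTITY-ID" REMOTE_USER="eppn">
  <Sessions handlerSSL="true" cookieProps="; path=/; secure; HttpOnly">
    <SSO entityID="https://weblogin.example.edu/idp/shibboleth">SAML2</SSO>
  </Sessions>
  <MetadataProvider type="XML" uri="https://metadata.example.edu/idp.xml"/>
</ApplicationDefaults>
EOF

# "after": real SP entityID, IdP entityID copied from the metadata, signature pinned
# to a signer certificate file (hypothetical name) obtained out of band.
cat > "$WORK/after.xml" <<'EOF'
<ApplicationDefaults entityID="https://webapp.example.edu/" REMOTE_USER="eppn">
  <Sessions handlerSSL="true" cookieProps="; path=/; secure; HttpOnly">
    <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
  </Sessions>
  <MetadataProvider type="XML" uri="https://metadata.example.edu/idp.xml">
    <MetadataFilter type="Signature" certificate="idp-metadata-signer.pem"/>
  </MetadataProvider>
</ApplicationDefaults>
EOF

echo "== before =="; lint_sp_config "$WORK/before.xml" "$WORK/idp.xml" || true
echo "== after ==";  lint_sp_config "$WORK/after.xml"  "$WORK/idp.xml" && echo "OK"
```

Run it against your own files as `lint_sp_config /etc/shibboleth/shibboleth2.xml /var/cache/shibboleth/itlab-idp.xml` once the backing file has been fetched; a failing entityID check usually means the SSO element was typed by hand instead of copied from the metadata.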