Planning For a New Service Provider
These are some of the things you should consider before you start setting up a new Shibboleth Service Provider.
The SP software must run on each of your webservers
Are you prepared to install a copy of the SP software on each server? If not, are you comfortable with setting up and running a proxy service in front of your webservers to handle the authentication?
Are you running SSL on your hosts?
The SP will set its handler on your server at the URL path /Shibboleth.sso. The Identity Provider will redirect the client browser to POST its authentication messages to your handler at this URL.
If that URL is http://yourserver.ncsu.edu/Shibboleth.sso, then the redirected POST will come from an https URL, and be sent to an http URL. Most browsers will generate a warning at this point, and the user must click through the warning to continue.
If possible, you should run your handler on SSL, that is, at https://yourserver.ncsu.edu/Shibboleth.sso. This should not cause any problems even if the rest of your web content is not running under SSL: the SP session cookie can still be sent with requests to your non-SSL pages.
How many hosts do you plan to set up?
If you are running a single host / single application on your webserver and don't plan to expand the service, then you can proceed with one new SP Entity.
If you are planning to run multiple departmental hosts with the same attributes, or you are looking to load balance with multiple servers per host, then you should consider how you want to scale the SP services. Review the linked document and decide if you need one or more SP Entities to cover your services.
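The two configuration points from the sections above (a handler on SSL and one SP entity per host) both live in the SP's shibboleth2.xml. The fragment below is an added example, not NC State's or the Shibboleth project's own configuration. The hostnames, entityIDs, IdP entityID, metadata URL and file names are placeholders; the only values carried over from the text are the handler path /Shibboleth.sso and the yourserver.ncsu.edu example host.

```xml
<!-- Added example of a shibboleth2.xml (SP 3.x schema). All names are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

  <!-- Route requests to an application by virtual host. -->
  <RequestMapper type="Native">
    <RequestMap>
      <!-- Default host from the text; uses the ApplicationDefaults entityID. -->
      <Host name="yourserver.ncsu.edu" authType="shibboleth" requireSession="true"/>
      <!-- Assumed second departmental host, served by its own SP entity (see ApplicationOverride). -->
      <Host name="dept-app.ncsu.edu" applicationId="deptapp"
            authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://yourserver.ncsu.edu/shibboleth" REMOTE_USER="eppn">

    <!-- handlerSSL="true" makes the SP build its handler URLs as https://.../Shibboleth.sso,
         so the IdP's POST never lands on an http URL even when the site content is http.
         cookieProps="http" keeps the session cookie usable on the non-SSL pages; switch
         to "https" once the whole site is on SSL so the cookie is never sent in clear. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="http">
      <!-- Placeholder IdP entityID; replace with the federation's IdP. -->
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status page restricted to localhost; loosen only for a monitoring host. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Federation metadata (placeholder URL). The Signature filter pins the feed to the
         federation's signing certificate so a tampered feed cannot introduce a rogue IdP. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://FEDERATION-METADATA-URL-PLACEHOLDER"
                      backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="federation-signer-placeholder.pem"
                      verifyBackup="false"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!-- A second SP entity for the departmental host. Everything not overridden
         (Sessions, metadata, credentials) is inherited from ApplicationDefaults. -->
    <ApplicationOverride id="deptapp" entityID="https://dept-app.ncsu.edu/shibboleth"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

A quick check after installing: fetch https://yourserver.ncsu.edu/Shibboleth.sso/Metadata and confirm the AssertionConsumerService locations it advertises are https URLs; if they come back as http, handlerSSL is not in effect and the redirected POST from the IdP will still trigger the browser warning described above.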
For most service providers, the answer is going to be NCSU Federation. Our federation will give you access to our local Identity Provider to authenticate NC State Unity users. If you are just getting started, even with another Federation in mind, you may want to start with NCSU Federation during development and then migrate to one of the others.
Service providers that require authentication from other UNC-System schools will need to register with the UNC Identity Federation.
Service providers that want to authenticate with many other institutions will need to join the InCommon Federation.
If you are purchasing a third-party service that supports Shibboleth, then they may already have a registered entity with the InCommon Federation. Or, they may need us to set up a new entity for them in the NCSU Federation.
Which attributes do you need?
You should only ask for those attributes that you need to run your services. You should be prepared to explain why you need them and how you plan to protect that data against the possibility of a server compromise.
Review the list of attributes available from our IdP.
Most services want the UnityID, so they ask for eduPersonPrincipalName, or EPPN. At NC State, that attribute is always "firstname.lastname@example.org".
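Asking the IdP for only the attributes you need is one half of data minimization; the other half is what the SP decodes into the web environment. The attribute-map.xml below is an added example, not NC State's or the Shibboleth project's shipped file: it maps only eduPersonPrincipalName (OID 1.3.6.1.4.1.5923.1.1.1.6, the standard SAML 2 name) to the id "eppn" that the shibboleth2.xml REMOTE_USER setting refers to. Any other attribute an IdP happens to send has no mapping and is dropped before your application sees it.

```xml
<!-- Added example attribute-map.xml: decode only what the service needs. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- eduPersonPrincipalName, SAML 2 name, exposed to the application as "eppn".
       ScopedAttributeDecoder keeps the user@scope form so the scope can be checked
       against the IdP's metadata in attribute-policy.xml. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>

  <!-- Legacy SAML 1 name for the same attribute, only needed if an IdP still uses it. -->
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>

  <!-- Add further mappings (e.g. mail, displayName) only when the service actually
       uses them and you can explain why in your attribute request. -->
</Attributes>
```

Keep the default attribute-policy.xml rule that permits eppn only when its scope matches a scope listed in the asserting IdP's metadata; without it, when you later join a multi-IdP federation, one IdP could assert an EPPN in another institution's scope.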
If you are planning to connect with other IdPs through other federations, you will need to negotiate an attribute release with each of those other entities. We can only control the release of attributes from the NC State IdP.
When you have made your plans, the next step is Installing the SP Software.