Technical information about SSO
Connection of applications - SAML

To connect a SAML 2.0 service provider, we require the following information from you:

  • EntityID
  • Metadata in XML format
  • TU ID of a contact person
  • Functional contact address, if applicable
  • Attributes to be released

Known software

Some software solutions have SAML functionality built in.

In addition, existing software can also be extended with SAML authentication by configuring the web server.

Service providers (SPs) based on the following software have already been connected successfully to our identity provider (IdP):

  • Shibboleth Service Provider
  • SimpleSAMLphp

Technical information about the IdP

We publish the currently valid metadata of the IdP in the local metadata of the DFN. You can find this at https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml. You can also enter this URL in your SP.

SAML communication with the IdP is additionally secured by a self-signed certificate, which is included in the metadata.

The EntityID of the IdP is as follows:

  • Production: https://idp.hrz.tu-darmstadt.de/idp/shibboleth
  • Test environment: https://idp-test.hrz.tu-darmstadt.de/idp/shibboleth

To connect a SAML SP to our IdP, the SP must meet the following requirements:

  • The EntityID must begin with https://<hostname>.
  • <hostname> must be a globally resolvable hostname.
  • In the test environment, <hostname> may also end with ‘.tu-darmstadt.de.test’.

The SP does not necessarily have to be reachable from the IdP over the network. In some cases it may even be advisable to shield the SP behind a firewall, for example. Reachability does, however, make testing considerably easier.

We recommend using self-signed certificates to secure SAML communication. The certificates may have a maximum validity of three years.
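As an added example (not part of this HRZ documentation and not code from Shibboleth or SimpleSAMLphp), the following Go program applies the EntityID requirements listed above and the three-year certificate limit to SP metadata before it is submitted. The metadata document and the certificate it inspects are constructed inside the program; the host sp.example.org and all function names are assumptions. The "globally resolvable" rule can only be approximated offline (the hostname must at least contain a dot); a live check would add a DNS lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// spMetadata: the parts of SAML 2.0 SP metadata the checks read (parent elements match by local name).
type spMetadata struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	Certs    []string `xml:"SPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// checkEntityID enforces the EntityID rules: https://<hostname>, a hostname that at least looks
// globally resolvable, and the .tu-darmstadt.de.test suffix only when testEnv is set.
func checkEntityID(entityID string, testEnv bool) []string {
	u, err := url.Parse(entityID)
	// Offline stand-in for "globally resolvable": the host must contain a dot; a live check would also call net.LookupHost.
	if err != nil || u.Scheme != "https" || !strings.Contains(u.Hostname(), ".") {
		return []string{"entityID must begin with https://<hostname> with a globally resolvable hostname"}
	}
	if strings.HasSuffix(strings.ToLower(u.Hostname()), ".tu-darmstadt.de.test") && !testEnv {
		return []string{"'.tu-darmstadt.de.test' hostnames are only accepted in the test environment"}
	}
	return nil
}

// checkCertificate decodes one <X509Certificate>, enforces the three-year maximum validity and reports a certificate that is not self-signed.
func checkCertificate(b64 string) []string {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		return []string{"X509Certificate is not a base64-encoded DER certificate"}
	}
	var problems []string
	if cert.NotAfter.After(cert.NotBefore.AddDate(3, 0, 0)) {
		problems = append(problems, fmt.Sprintf("validity exceeds three years: %s to %s", cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02")))
	}
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil {
		problems = append(problems, "certificate is not self-signed") // signature does not verify under the certificate's own key
	}
	return problems
}

// checkSPMetadata returns every problem found; an empty result means the SP passes the offline checks.
func checkSPMetadata(metadataXML string, testEnv bool) ([]string, error) {
	var md spMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, err
	}
	problems := checkEntityID(md.EntityID, testEnv)
	if len(md.Certs) == 0 {
		problems = append(problems, "no X509Certificate in SPSSODescriptor")
	}
	for _, c := range md.Certs {
		problems = append(problems, checkCertificate(c)...)
	}
	return problems, nil
}

// makeSelfSignedCert builds a constructed self-signed P-256 certificate and returns it base64-encoded.
func makeSelfSignedCert(host string, validity time.Duration) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: now, NotAfter: now.Add(validity), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// buildMetadata returns constructed SP metadata (not real TU Darmstadt data), reduced to the elements read above.
func buildMetadata(entityID, certB64 string) string {
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`, entityID, certB64)
}

func main() { // constructed input: a two-year self-signed certificate for the assumed host sp.example.org
	certB64, _ := makeSelfSignedCert("sp.example.org", 2*365*24*time.Hour)
	fmt.Println(checkSPMetadata(buildMetadata("https://sp.example.org/shibboleth", certB64), false))
}
```

To check real metadata, pass the document your SP serves (or the file you would send by email) to checkSPMetadata instead of the constructed one; the element paths match what Shibboleth SP and SimpleSAMLphp emit, with the md:/ds: prefixes ignored.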

We recommend making the metadata available via HTTPS so that we can integrate it dynamically. This allows you to change the certificate yourself.

If this is not possible, for example due to firewall restrictions, you can also send us the metadata by email. We will then integrate it directly. Please note, however, that in this case, all changes to the metadata must also be made manually.