Child pages
  • Service Provider Proxy
Skip to end of metadata
Go to start of metadata


Since late 2010 TERENA runs a SimpleSAMLphp instance that acts as a service provider proxy (SPP). This allows multiple applications in the TERENA administrative domain to benefit from a single Identity Provider (IdP). Our goal is to connect as much of our services to this proxy.

The SP proxy has connections with lots of different Identity Providers (IdPs), including many guest providers:


At the moment these federated applications and services can be used through the SPP:

Depending on the nature of a service, not all IdPs might be available for it.

Get connected

If you would like to get your IdP listed, we are happy to exchange metadata with you.
Your IdP should release at least eduPersonTargetedID (urn:oid: or eduPersonPrincipalName (urn:oid: to us (both is also fine).

Other attributes, such as mail, givenName, sn and o are not strictly required, however without them services are crippled.

For instance without e-mail you won't be able to receive mail from FileSender or the wiki, and without givenName/sn you will appear as "First_name last_name".

So releasing them will greatly improve the user experience. We therefore recommend that you also release them.

To get going, send an e-mail to and include the following information:

1. EntityID

2. Medata URL

URL to the authoritative XML metadata for your IdP. This usually is a URL on your IdP. Depending on the software you are using this might be:

If your IdP is part of a federation, then it would make sense if you sent us the URL to a signed federation metadata batch. We can then cherry pick the appropriate entityIDs from that. Please make sure that the metadata contains enough information for your IdP to be useful, so at the bare minimum these attributes:

  • OrganizationName
  • OrganizationDisplayName (in English as well as your local language)
  • OrganizationURL
  • ContactPerson (with 'technial' contactType, and a working EmailAddress)

Please refer to for information about these attributes.

Our SP Proxy is configured to refresh metadata every 15 minutes.

3. Signing certificate

A URL or attached certificate is fine. This implies that the metadata is signed (which is the default configuration on IdPs, and always true for federations).

Our stuff

If your IdP runs SimpleSAMLphp

You can copy the PHP metadata from the bottom of, and paste it into your metadata/saml20-sp-remote.php


If your IdP runs Shibboleth

  • Make sure your IdP has access to a copy of our metadata. We recommend you use the "File Backed HTTP Metadata Provider" as listed on the Shibboleth wiki in your relying-party.xml.
  • Provided you already have the necessary attributes in your attribute-resolver.xml you only need to create the filter rules to actually release the data. The following example releases eduPersonPrincipalName, email:
 <AttributeFilterPolicy id="TerenaSPP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />


For any matter related to TERENA's federated identity management, please contact <>.

Privacy Policy

  • No labels