Configure Entra ID for TAMUFederation

Tip: All identity providers must assert the tamuEduPersonUIN attribute in order to access Texas A&M System resources. See the Texas A&M University Identity Security Docs for more information.

A word of caution

The instructions below do not apply to members whose identity provider is already published in, and consumes, the InCommon Federation metadata aggregate. See the InCommon Federation Library for more information and to get started.

Prepare users for federating

  1. Populate the Employee ID attribute for each user with the user's UIN
  2. Create groups as needed so that user roles can be asserted to InCommon via the eduPersonScopedAffiliation attribute (e.g., faculty, staff, students, affiliates, etc., as defined by eduPersonAffiliation; most relevant for universities)

Create an enterprise application

  1. In the Azure Portal (portal.azure.com), under Microsoft Entra ID > Enterprise Applications, create a new application
  2. Under Manage > Properties, set Assignment Required? to No
  3. Under Manage > Single Sign-On, edit Basic SAML Configuration as follows:

     Identifier (Entity ID):
       https://sso.tamus.edu/shibboleth
       https://sso-train.tamus.edu/shibboleth
       https://sso-test.tamus.edu/shibboleth
       https://sso-dev.tamus.edu/shibboleth
       https://tamu.proxy.cirrusidentity.com/sp
       https://tamu-uat.proxy.cirrusidentity.com/sp
       https://tamu-parking.cirrusidentity.com/sp
       https://tamu-parking-uat.cirrusidentity.com/sp
       https://tamus.proxy.cirrusidentity.com/sp

     Reply URL (Assertion Consumer Service URL):
       https://sso.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-train.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-test.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-dev.tamus.edu/Shibboleth.sso/SAML2/POST
       https://tamu.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu_proxy
       https://tamu-uat.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-uat_proxy
       https://tamu-parking.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-parking_proxy
       https://tamu-parking-uat.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-parking-uat_proxy
       https://tamus.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamus_proxy

  4. Under Manage > Single Sign-On, edit Attributes & Claims as follows:

     Required Claim:
       Unique User Identifier (Name ID) > SAML > Value: user.employeeid

     Additional Claims:
       Name: urn:oid:0.9.2342.19200300.100.1.3 > Source: Attribute: user.mail
       Name: urn:oid:1.3.6.1.4.1.4391.0.12 > Source: Attribute: user.employeeid
       Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 > Source: Attribute: user.userprincipalname
       Name: urn:oid:2.5.4.4 > Source: Attribute: user.surname
       Name: urn:oid:2.5.4.42 > Source: Attribute: user.givenname
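
As an added check before requesting onboarding (example code written for this page, not part of the page or the TAMUFederation project): given a SAML assertion issued by your Entra enterprise app (for example, decoded from a test sign-in), this script verifies that the audience is one of the entity IDs above, that the NameID is populated, and that every claim from the Attributes & Claims step is present with a value. The sample assertion is constructed, and reading urn:oid:1.3.6.1.4.1.4391.0.12 as the UIN claim is an assumption based on its mapping to user.employeeid.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UIN_OID = "urn:oid:1.3.6.1.4.1.4391.0.12"  # mapped to user.employeeid in the claims step above
# Entity IDs from the Basic SAML Configuration step above.
ENTITY_IDS = set("""
https://sso.tamus.edu/shibboleth https://sso-train.tamus.edu/shibboleth
https://sso-test.tamus.edu/shibboleth https://sso-dev.tamus.edu/shibboleth
https://tamu.proxy.cirrusidentity.com/sp https://tamu-uat.proxy.cirrusidentity.com/sp
https://tamu-parking.cirrusidentity.com/sp https://tamu-parking-uat.cirrusidentity.com/sp
https://tamus.proxy.cirrusidentity.com/sp
""".split())
# Claim OIDs from the Attributes & Claims step. mail, eduPersonPrincipalName, sn and givenName
# are the standard names for those OIDs; reading 4391.0.12 as the UIN claim is an assumption.
REQUIRED_CLAIMS = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail", UIN_OID: "tamuEduPersonUIN (assumed)",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:2.5.4.4": "sn", "urn:oid:2.5.4.42": "givenName",
}

# Constructed sample, not a real assertion: signature and timestamps are omitted, and
# givenName is deliberately left out so the check has something to report.
SAMPLE_CLAIMS = {"urn:oid:0.9.2342.19200300.100.1.3": "jdoe@example.edu", UIN_OID: "123004567",
                 "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "jdoe@example.edu", "urn:oid:2.5.4.4": "Doe"}
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>123004567</saml:NameID></saml:Subject>'
    '<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sso-test.tamus.edu/shibboleth'
    '</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
    + "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
              for n, v in SAMPLE_CLAIMS.items())
    + "</saml:AttributeStatement></saml:Assertion>"
)


def check_assertion(xml_text):
    """Return contract violations (empty list = OK): listed audience, non-empty NameID, every
    required claim carrying a value, and the UIN claim equal to the NameID."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience not in ENTITY_IDS:
        problems.append(f"audience {audience!r} is not a TAMUFederation entity ID")
    name_id = (root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        problems.append("NameID is empty; it should carry the user's UIN (employeeId)")
    # Collect non-empty values per attribute Name so empty claims count as missing.
    values = {a.get("Name"): [v.text.strip() for v in a.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
              for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing or empty claim {oid} ({name})" for oid, name in REQUIRED_CLAIMS.items() if not values.get(oid)]
    if values.get(UIN_OID) and values[UIN_OID][0] != name_id:
        problems.append("UIN claim and NameID differ; both should be sourced from user.employeeid")
    return problems
```

Run it against an assertion captured from a test sign-in with the browser's SAML tracer; an empty list means the app asserts everything the federation expects.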

Add IdP to TAMUFederation

Provide the following information in an email to identity@tamu.edu as a request to add a new IdP to TAMUFederation:

  • The Azure Enterprise App’s Federation Metadata URL
  • Your system member’s privacy statement URL
  • Your system member’s identity service information URL (e.g., user help page for account management or similar, if one exists)
  • The URL for a 100px x 100px image of your system member logo