Configure Identity Provider for TAMUFederation
All identity providers must assert the tamuEduPersonUIN attribute in order to access Texas A&M System resources. See the Texas A&M University Identity Security Docs for more information.
The instructions below do not apply to members whose identity provider is already published in the InCommon Federation metadata aggregate and consumes it. See the InCommon Federation Library for more information and to get started.
Once InCommon service providers are populated in the member identity provider, configure the identity provider to release the tamuEduPersonUIN attribute to TAMUFederation's Authorized Discovery Service/WAYF Service Providers.
Prepare users for federating
- Populate the Employee ID attribute for each user with the user's UIN
- Create groups as necessary so that user roles can be asserted to InCommon via the eduPersonScopedAffiliation attribute (e.g., faculty, staff, student, affiliate, as defined by the eduPersonAffiliation controlled vocabulary; most relevant for universities)
Create a service provider/enterprise application
These instructions are for Entra ID only. Other identity provider procedures to create a service provider will vary.
- In the Azure Portal (portal.azure.com), under Microsoft Entra ID > Enterprise Applications, create a new application
- Under Manage > Properties, set Assignment Required? to No (every user in the tenant can then authenticate through the application)
- Under Manage > Single Sign-On, edit Basic SAML Configuration and configure with the Entity IDs and Reply URLs as shown below
- Under Manage > Single Sign-On, edit Attributes & Claims as shown below
Authorized Discovery Service/WAYF Service Providers
Authorized Metadata Aggregate Providers
| Description | Metadata URL |
|---|---|
| InCommon Federation | https://mdq.incommon.org/entities |
| TAMU Cirrus Proxy | https://federation.identity.tamu.edu/metadata.xml |
| TAMU Legacy Shibboleth | https://idp.tamu.edu/tamufed-metadata.xml |
Required Attributes
| Friendly Name | URN | Entra ID Source Attribute |
|---|---|---|
| mail | urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
| tamuEduPersonUIN | urn:oid:1.3.6.1.4.1.4391.0.12 | user.employeeid |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | user.userprincipalname |
| sn | urn:oid:2.5.4.4 | user.surname |
| givenName | urn:oid:2.5.4.42 | user.givenname |
Recommended Additional Attributes
| Friendly Name | URN | Entra ID Source Attribute |
|---|---|---|
| eduPersonUniqueID | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | ObjectID + UPN Suffix |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | Derived from group membership + UPN Suffix |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Derived from group membership |
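The attribute tables above say what the identity provider must emit, but not how to confirm that a given assertion actually carries it. The script below is an added example (not TAMUFederation's or Microsoft's code) that checks an assertion captured from a test login against the Required and Recommended tables, and also shows the group-to-affiliation derivation the "Prepare users for federating" step and the eduPersonScopedAffiliation row describe. The group names in GROUP_TO_AFFILIATION, the example.tamus.edu scope, the user values and the assumption that a UIN is all digits are constructed for illustration; a real tenant substitutes its own.

```python
"""Check a SAML assertion for the attributes TAMUFederation expects.

Added example, not TAMUFederation's or Microsoft's code. The user values, the
group-to-affiliation mapping and the example.tamus.edu scope are constructed.
"""
from typing import NamedTuple, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ATTR_FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# URNs from the Required and Recommended Additional Attributes tables
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
UIN = "urn:oid:1.3.6.1.4.1.4391.0.12"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
SN = "urn:oid:2.5.4.4"
GIVEN_NAME = "urn:oid:2.5.4.42"
UNIQUE_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
REQUIRED = {MAIL: "mail", UIN: "tamuEduPersonUIN", EPPN: "eduPersonPrincipalName",
            SN: "sn", GIVEN_NAME: "givenName"}
RECOMMENDED = {UNIQUE_ID: "eduPersonUniqueID", AFFILIATION: "eduPersonAffiliation",
               SCOPED_AFFILIATION: "eduPersonScopedAffiliation"}
# eduPersonAffiliation controlled vocabulary from the eduPerson schema
AFFILIATION_VOCAB = {"faculty", "student", "staff", "alum", "member", "affiliate",
                     "employee", "library-walk-in"}
# Assumed tenant group names -> affiliation values; every tenant defines its own
GROUP_TO_AFFILIATION = {"Faculty": "faculty", "Staff": "staff",
                        "Students": "student", "Affiliates": "affiliate"}


def derive_affiliations(groups, scope):
    """eduPersonAffiliation and eduPersonScopedAffiliation values from group membership;
    faculty, staff and student also imply "member" under the eduPerson definition."""
    affs = {GROUP_TO_AFFILIATION[g] for g in groups if g in GROUP_TO_AFFILIATION}
    if affs & {"faculty", "staff", "student"}:
        affs.add("member")
    affs = sorted(affs)
    return affs, [f"{a}@{scope}" for a in affs]


def build_assertion(attrs, name_format=ATTR_FMT_URI):
    """Serialize an Assertion carrying only an AttributeStatement (constructed sample)."""
    root = ET.Element(f"{{{SAML_NS}}}Assertion", Version="2.0", ID="_constructed")
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=name_format)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


class Attr(NamedTuple):
    name_format: Optional[str]
    values: list


def extract_attributes(assertion_xml):
    """Map each Attribute Name to its NameFormat and non-empty values."""
    found = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = Attr(attr.get("NameFormat"), [v for v in values if v])
    return found


def check_assertion(assertion_xml):
    """Return the problems found; an empty list means the assertion passes."""
    attrs = extract_attributes(assertion_xml)
    problems = []

    def values(urn):
        return attrs[urn].values if urn in attrs else []

    for urn, friendly in REQUIRED.items():
        if not values(urn):
            problems.append(f"missing required attribute {friendly} ({urn})")
    # OID-named attributes travel with the uri NameFormat; a Shibboleth SP's default
    # attribute map matches on that format and silently drops anything else
    for urn, friendly in {**REQUIRED, **RECOMMENDED}.items():
        if urn in attrs and attrs[urn].name_format != ATTR_FMT_URI:
            problems.append(f"{friendly}: NameFormat {attrs[urn].name_format!r} is not {ATTR_FMT_URI}")
    for v in values(UIN):
        if not v.isdigit():  # assumption: a UIN is an all-digit identifier
            problems.append(f"tamuEduPersonUIN {v!r} is not numeric")
    # eduPersonPrincipalName carries the scope; the other scoped attributes must match it
    scope = None
    for v in values(EPPN):
        if "@" not in v:
            problems.append(f"eduPersonPrincipalName {v!r} has no scope")
        scope = v.rpartition("@")[2].lower() if "@" in v else scope
    for urn, friendly in ((SCOPED_AFFILIATION, "eduPersonScopedAffiliation"),
                          (UNIQUE_ID, "eduPersonUniqueID")):
        for v in values(urn):
            _, sep, s = v.rpartition("@")
            if not sep or (scope and s.lower() != scope):
                problems.append(f"{friendly} {v!r} is not scoped to {scope!r}")
    for v in [x.partition("@")[0] for x in values(SCOPED_AFFILIATION)] + values(AFFILIATION):
        if v not in AFFILIATION_VOCAB:
            problems.append(f"affiliation {v!r} is not in the eduPerson vocabulary")
    return problems


SCOPE = "example.tamus.edu"  # constructed UPN suffix
SAMPLE_AFFILIATIONS, SAMPLE_SCOPED = derive_affiliations(["Staff", "VPN-Users"], SCOPE)
SAMPLE_ATTRS = {  # what the claims table would emit for a constructed staff user
    MAIL: ["jdoe@example.tamus.edu"], UIN: ["123004567"], EPPN: ["jdoe@example.tamus.edu"],
    SN: ["Doe"], GIVEN_NAME: ["Jane"],
    UNIQUE_ID: ["0f1e2d3c-0000-4000-8000-000000000001@example.tamus.edu"],
    SCOPED_AFFILIATION: SAMPLE_SCOPED, AFFILIATION: SAMPLE_AFFILIATIONS,
}

if __name__ == "__main__":
    print(check_assertion(build_assertion(SAMPLE_ATTRS)))  # [] when every check passes
```

To check a real login, decode the base64 SAMLResponse captured with a browser SAML tracer, extract the Assertion element, and pass its XML to check_assertion; a user whose Employee ID was never populated shows up as a missing tamuEduPersonUIN, and a scoped affiliation built from the wrong UPN suffix shows up as a scope mismatch against eduPersonPrincipalName.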
Add IdP to TAMUFederation
Provide the following information in an email to identity@tamu.edu to request that a new IdP be added to TAMUFederation:
- The metadata URL to the identity provider (or Azure Enterprise App’s Federation Metadata URL)
- Your system member’s privacy statement URL
- Your system member’s identity service information URL (e.g., user help page for account management or similar, if one exists)
- The URL of a 100 px x 100 px image of your system member's logo
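Before sending the metadata URL, it is worth confirming that what it serves is a single identity provider entity the federation can consume. The script below is an added example (not TAMUFederation's code) that checks a metadata document for an md:EntityDescriptor with an entityID, an IDPSSODescriptor, a signing certificate, an HTTPS SingleSignOnService endpoint on the HTTP-Redirect or HTTP-POST binding, and an unexpired validUntil. SAMPLE_METADATA is a constructed document in the shape Entra ID publishes; the all-zero tenant ID and the certificate text are placeholders.

```python
"""Pre-flight check of IdP metadata before requesting its addition to TAMUFederation.

Added example, not TAMUFederation's code. SAMPLE_METADATA is constructed; the
tenant ID and certificate are placeholders.
"""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
WEB_SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(metadata_xml, now: Optional[datetime] = None):
    """Return the problems found; an empty list means the metadata looks consumable."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected a single md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("entityID is missing")
    valid_until = root.get("validUntil")
    if valid_until:  # a validUntil in the past makes consumers discard the whole document
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired at {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor: this is not identity provider metadata"]
    # A KeyDescriptor without a use attribute is valid for both signing and encryption
    signing_keys = [kd for kd in idp.iterfind("md:KeyDescriptor", NS)
                    if kd.get("use", "signing") == "signing"
                    and kd.find(".//ds:X509Certificate", NS) is not None]
    if not signing_keys:
        problems.append("no signing certificate in any md:KeyDescriptor")
    endpoints = [s.get("Location", "") for s in idp.iterfind("md:SingleSignOnService", NS)
                 if s.get("Binding") in WEB_SSO_BINDINGS]
    if not any(urlparse(loc).scheme == "https" for loc in endpoints):
        problems.append("no HTTPS SingleSignOnService endpoint on HTTP-Redirect or HTTP-POST")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))  # [] for the constructed sample
```

For a live check, fetch the metadata URL (for example with urllib.request.urlopen) and pass the response body to check_idp_metadata; pointing it at an aggregate rather than a single entity, or at an application's service provider metadata, is reported as the wrong root element or a missing IDPSSODescriptor respectively.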