Obtaining the TeamDynamix SP SAML Metadata


Overview

You can obtain the TeamDynamix SP SAML metadata from one of the two locations below. For the purposes of this article, a federation metadata aggregate is a file containing multiple sets of SAML metadata from many different service providers.

  1. From a participating metadata federation (preferred for non-vanity domains that can use federation metadata aggregates):
    1. For United States SaaS Customers
      1. InCommon Federation Metadata (preferred for US customers): http://md.incommon.org/InCommon/InCommon-metadata.xml
    2. For Canadian SaaS Customers
      1. Any federation that pulls in the TDX InCommon metadata from eduGAIN, such as the Canadian Access Federation (CAF) via CANARIE.
  2. From TeamDynamix directly (preferred for vanity domains or IdPs unable to use federation metadata aggregates). Use the appropriate metadata URL for your SaaS region and environment:
    1. For United States SaaS Customers
      1. Production and Sandbox: https://shib.teamdynamix.com/Shibboleth.sso/Metadata
      2. Production and Sandbox with Vanity URL: https://yourVanityDomain/Shibboleth.sso/Metadata
      3. Release Preview: https://shib.teamdynamixpreview.com/Shibboleth.sso/Metadata 
    2. For Canadian SaaS Customers:
      1. Production and Sandbox: https://shib-cac.teamdynamix.com/Shibboleth.sso/Metadata
      2. Production and Sandbox with Vanity URL: https://yourVanityDomain/Shibboleth.sso/Metadata
      3. Release Preview: https://shib-cac.teamdynamixpreview.com/Shibboleth.sso/Metadata

We highly recommend that you trust our metadata from the InCommon link, as opposed to downloading it from our Shibboleth URL, if your Identity Provider (IdP) can ingest or poll federation metadata aggregates. For example, Shibboleth IdP and CAS IdP can do this, though many IdPs cannot. If your IdP is unable to work with federation metadata aggregate files, use the direct links in #2 above instead.

When obtaining our metadata from InCommon, you will either want to trust the entire InCommon Federation as a trusted relying party or extract the two nodes pertaining to TeamDynamix to separate files and trust those as relying parties. Our four nodes in the InCommon Federation metadata are:
  1. For United States SaaS Customers
    1. Node with entityID https://www.teamdynamix.com/shibboleth: This is our metadata for the production/sandbox environment.
    2. Node with entity ID https://shib.teamdynamixpreview.com/shibboleth: This is our metadata for the release preview environment.
  2. For Canadian SaaS Customers
    1. Node with entity ID https://shib-cac.teamdynamix.com/shibboleth: This is our metadata for the production/sandbox environment.
    2. Node with entity ID https://shib-cac.teamdynamixpreview.com/shibboleth: This is our metadata for the release preview environment.

Extracting the TeamDynamix Metadata from the InCommon Metadata

We recommend extracting the two individual <EntityDescriptor> nodes into two separate files, as the full InCommon metadata file is fairly large.

Again, our four nodes in the InCommon Federation metadata are:
  1. For United States SaaS Customers
    1. Node with entityID https://www.teamdynamix.com/shibboleth: This is our metadata for the production/sandbox environment.
    2. Node with entity ID https://shib.teamdynamixpreview.com/shibboleth: This is our metadata for the release preview environment.
  2. For Canadian SaaS Customers
    1. Node with entity ID https://shib-cac.teamdynamix.com/shibboleth: This is our metadata for the production/sandbox environment.
    2. Node with entity ID https://shib-cac.teamdynamixpreview.com/shibboleth: This is our metadata for the release preview environment.

  1. Open the InCommon Metadata file in a text editor.
  2. Copy the <EntityDescriptor> nodes for both of the TeamDynamix entries and save them into separate .XML files. Search using the appropriate entityID values above for United States or Canada. The new XML files will each contain a single <EntityDescriptor> node aligning with the environment it is for.
  3. Copy all of the XML namespace attributes from the top-level <EntitiesDescriptor> node. These are the attributes starting with xmlns or xmlns: in the following sample:
     
    <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" 
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" 
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    ID="INC20170816T191033" Name="urn:mace:incommon" validUntil="2017-08-30T19:10:33Z">

    Note that the above snippet is an example only. Do not copy and paste the values from this article. Copy them from the downloaded InCommon metadata file.
  4. Paste the values copied in Step 3 into the top-level <EntityDescriptor> node in both of the files created in Step 2.
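
Steps 1 through 4 above can also be scripted. The following Python is an added example, not code from TeamDynamix or InCommon; `extract_entity` and the embedded `SAMPLE` aggregate are constructed for illustration, and verifying the aggregate's signature is assumed to happen before this step.

```python
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate (not real InCommon data).
SAMPLE = b"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" Name="urn:example:constructed">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"><SPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://www.teamdynamix.com/shibboleth">
    <SPSSODescriptor><Extensions><mdui:UIInfo><mdui:DisplayName>Constructed</mdui:DisplayName>
    </mdui:UIInfo></Extensions></SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def extract_entity(aggregate: bytes, entity_id: str) -> str:
    """Return one <EntityDescriptor> as standalone XML carrying the root's xmlns declarations."""
    if b"<!DOCTYPE" in aggregate:            # SAML metadata never needs a DTD
        raise ValueError("DOCTYPE not allowed in metadata")
    root, root_ns = None, {}
    for event, item in ET.iterparse(io.BytesIO(aggregate), events=("start-ns", "start")):
        if root is None and event == "start-ns":
            root_ns[item[0]] = item[1]       # declared on the top-level node (step 3)
        elif root is None:
            root = item                      # first "start" event is the top-level node
    hits = [e for e in root.iter(f"{{{MD_NS}}}EntityDescriptor") if e.get("entityID") == entity_id]
    if len(hits) != 1:                       # absent or duplicated: refuse to guess
        raise LookupError(f"{len(hits)} entries for {entity_id}")
    for prefix, uri in root_ns.items():      # keep the aggregate's prefixes (global registry)
        ET.register_namespace(prefix, uri)
    out = ET.tostring(hits[0], encoding="unicode").strip()
    # ElementTree declares only namespaces used in tag/attribute names, so add the rest
    # to the opening tag (step 4); prefixed values such as xsi:type may rely on them.
    name_end = re.match(r"<[^\s/>]+", out).end()
    opening = out[:out.index(">")]
    extra = ""
    for prefix, uri in root_ns.items():
        attr = f"xmlns:{prefix}" if prefix else "xmlns"
        if f" {attr}=" not in opening:
            extra += f" {attr}={quoteattr(uri)}"
    return out[:name_end] + extra + out[name_end:]

if __name__ == "__main__":
    print(extract_entity(SAMPLE, "https://www.teamdynamix.com/shibboleth"))
```

Refusing anything other than exactly one match keeps a mistyped or duplicated entityID from silently producing the wrong relying-party file.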

Details

Article ID: 4019
Created: Wed 2/11/15 12:19 PM
Modified: Wed 4/12/23 10:22 AM
