Configure Entra ID for TAMUSFederation


A word of caution

The instructions below are not applicable for members that are published in the InCommon Federation Metadata Aggregate. See InCommon custom attribute releases for more information.

Prepare users for federating

  1. Populate the Employee ID attribute for each user with the employee’s UIN (this is not required for students who do not log in to TAMUS SSO)
  2. Create groups as necessary for the user roles to be asserted to InCommon via the eduPersonScopedAffiliation attribute (e.g., faculty, staff, students, affiliates, etc. as defined by eduPersonAffiliation; most relevant for universities)

Create an enterprise application

  1. In the Azure Portal (portal.azure.com), under Microsoft Entra ID > Enterprise Applications, create a new application
  2. Under Manage > Properties, set Assignment Required? to No
  3. Under Manage > Single Sign-On, edit Basic SAML Configuration as follows:

     Identifier (Entity ID):
       https://sso.tamus.edu/shibboleth
       https://sso-train.tamus.edu/shibboleth
       https://sso-test.tamus.edu/shibboleth
       https://sso-dev.tamus.edu/shibboleth
       https://tamu.proxy.cirrusidentity.com/sp
       https://tamu-uat.proxy.cirrusidentity.com/sp
       https://tamu-parking.cirrusidentity.com/sp
       https://tamu-parking-uat.cirrusidentity.com/sp
       https://tamus.proxy.cirrusidentity.com/sp

     Reply URL (Assertion Consumer Service URL):
       https://sso.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-train.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-test.tamus.edu/Shibboleth.sso/SAML2/POST
       https://sso-dev.tamus.edu/Shibboleth.sso/SAML2/POST
       https://tamu.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu_proxy
       https://tamu-uat.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-uat_proxy
       https://tamu-parking.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-parking_proxy
       https://tamu-parking-uat.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamu-parking-uat_proxy
       https://tamus.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/tamus_proxy

  4. Under Manage > Single Sign-On, edit Attributes & Claims as follows:

     Required Claim:
       Unique User Identifier (Name ID) > SAML > Value: user.employeeid

     Additional Claims:
       Name: urn:oid:0.9.2342.19200300.100.1.3 > Source: Attribute: user.mail
       Name: urn:oid:1.3.6.1.4.1.4391.0.12 > Source: Attribute: user.employeeid
       Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 > Source: Attribute: user.userprincipalname
       Name: urn:oid:2.5.4.4 > Source: Attribute: user.surname
       Name: urn:oid:2.5.4.42 > Source: Attribute: user.givenname
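
The following is an added example, not code from this page or from TAMUS: a Python check, run offline against a constructed sample assertion, that confirms an assertion from the enterprise app configured above carries a non-empty NameID (sourced from Employee ID, per the preparation step) and every claim listed under Attributes & Claims, and reports which step to revisit when one is missing. The sample assertion and its example.edu values are constructed for the demonstration.

```python
# Added example, not the page's own code: checks that an assertion issued by the enterprise
# app configured above carries the NameID and claims TAMUSFederation expects. Signature,
# timestamp and audience validation are left to the SP's SAML library.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from Attributes & Claims above, with the Entra source attribute of each.
REQUIRED_CLAIMS = {
    "urn:oid:0.9.2342.19200300.100.1.3": "user.mail",
    "urn:oid:1.3.6.1.4.1.4391.0.12": "user.employeeid",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "user.userprincipalname",
    "urn:oid:2.5.4.4": "user.surname",
    "urn:oid:2.5.4.42": "user.givenname",
}


def check_assertion(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means everything expected is present."""
    root = ET.fromstring(xml_text)  # accepts a bare Assertion or a Response wrapping one
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    # NameID is sourced from user.employeeid, so an empty one means step 1 of
    # "Prepare users for federating" was skipped for this account.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID empty: Employee ID is not populated for this user")
    released = {a.get("Name"): [v.text.strip() for v in a.findall("saml:AttributeValue", NS)
                                if v.text and v.text.strip()]
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for oid, source in REQUIRED_CLAIMS.items():
        if oid not in released:  # claim missing from the app's Attributes & Claims
            problems.append("claim %s (%s) not released" % (oid, source))
        elif not released[oid]:  # claim configured but the directory attribute is blank
            problems.append("claim %s (%s) released with an empty value" % (oid, source))
    return problems


# Constructed sample: Employee ID never populated, surname/given-name claims never added.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
<saml:Subject><saml:NameID/></saml:Subject><saml:AttributeStatement>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>j.doe@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.4391.0.12"><saml:AttributeValue/></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(*check_assertion(SAMPLE), sep="\n")
```

To use it against a real login, paste the decoded SAMLResponse captured by the SP's SAML tracer in place of SAMPLE; the checker finds the Assertion inside a Response as well.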

Add IdP to TAMUSFederation

  1. Provide the following information in an email to contact@cyber.tamus.edu as a request to add a new IdP to TAMUSFederation:

    • The Azure Enterprise App’s Federation Metadata URL
    • Your system member’s privacy statement URL
    • Your system member’s identity service information URL (e.g., user help page for account management or similar, if one exists)
    • The URL for a 100px x 100px image of your system member logo