Child pages
  • Shibboleth Discovery Config



The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



Skip to end of metadata
Go to start of metadata

This wiki topic shows how to configure the Shibboleth SP for the Discovery Service. Visit the Discovery Service FAQ for more information.

The configuration examples here are intended only for the specific versions of Shibboleth noted.

Configuring a Shibboleth 2.x SP to use the InCommon Discovery Service with SAML V2.0

Important! The InCommon Discovery Service, and the use of SAML V2.0, depend on SP metadata, so update your metadata now, before you configure your Shibboleth 2.x SP to use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol.

Assuming the specific <SessionInitiator> given below, or with version 2.4 and later, the location of the return endpoint (i.e., the endpoint location at the SP that the DS returns to once the user's preferred IdP has been chosen) is:


https://host/Shibboleth.sso/Login

where host is the hostname of your SP. Simply login to the site admin web application, edit your SP's metadata, and add a <DiscoveryResponse> element with the above endpoint location.

You MUST also ensure that you have added SAML V2.0 endpoints and support to your metadata if your SP is configured to utilize SAML V2.0 (which it is by default). Failure to do so will result in errors when SAML V2.0 requests are issued by the SP to IdPs in the InCommon Federation that support SAML V2.0, because your metadata will indicate a lack of support for that protocol. Simply add an <AsssertionConsumerService> endpoint for at least the SAML V2.0 HTTP-POST Binding using the site admin web application.

To use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol, modify your SP 2.3.1 (or earlier) configuration file (shibboleth2.xml) with something like this (the critical line is the second to last containing "SAMLDS":

shibboleth2.xml (2.3.1 and earlier)
<SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true" relayState="cookie">
     <SessionInitiator type="SAML2"
        defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html" />
     <SessionInitiator type="Shib1" defaultACSIndex="5" />
     <SessionInitiator type="SAMLDS" URL="https://wayf.incommonfederation.org/DS/WAYF" />
</SessionInitiator>

For SP 2.4 and later, the <SSO> element in shibboleth2.xml should be the following:

shibboleth2.xml (2.4 and later)
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
SAML2 SAML1
</SSO>

If this is the first time your SP has been configured for SAML V2.0, you should test the configuration thoroughly of course. In particular, you should test with your preferred IdP partners to insure that both IdP and SP have been configured for SAML V2.0 correctly.

For More Information

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels