This wiki topic shows how to configure the Shibboleth Service Provider (SP) for the InCommon Federation Discovery Service. Visit the Discovery Service FAQ for more information.
To configure your Shibboleth SP to use the InCommon Federation Discovery Service, you must publish your SP's metadata in InCommon. To guard against security compromises, the Discovery Service will only direct users to the Discovery Response Endpoint listed in your published metadata. If you have not already done so, update your metadata before you configure your Shibboleth 2.x SP to use the InCommon Federation Discovery Service.
Determine your Discovery Response Endpoint
With Shibboleth SP version 2.4 and later, the location of your Discovery Response Endpoint is:

    https://host/Shibboleth.sso/Login

where host is the hostname of your SP.
The same endpoint also applies to Shibboleth SP 2.3.1 or earlier if you have configured your <SessionInitiator> according to the example provided in the Configuring Shibboleth SP version 2.3.1 or earlier section below.
To add your Discovery Response Endpoint to your published SP metadata, follow the instruction in Configure a service provider to use the Discovery Service.
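The following Python script is an added example, not part of this wiki page or of the Shibboleth or InCommon software. It parses a constructed SP metadata fragment, extracts the published DiscoveryResponse endpoint, and applies the kind of check the Discovery Service relies on: the return URL supplied by an SP is honored only if it matches an endpoint in that SP's published metadata. The sample metadata and the exact matching rule used here (query string ignored, scheme, host and path must match exactly) are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespaces for SAML 2.0 metadata and the IdP Discovery Protocol extension.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed sample of the relevant part of an SP's published metadata
# (hostname and entityID are placeholders, not a real deployment).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.edu/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def discovery_response_locations(metadata_xml):
    """Return the set of DiscoveryResponse Location values published for the SP."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:Extensions/idpdisc:DiscoveryResponse"
    return {el.get("Location") for el in root.findall(path, NS) if el.get("Location")}


def return_url_allowed(return_url, locations):
    """Accept a return URL only if it is https and, with query string and
    fragment dropped, exactly equals a published Location. The query string is
    tolerated because the SP appends parameters such as target= to its Login
    endpoint; nothing else may differ, so a foreign host or path is refused."""
    parts = urlsplit(return_url)
    if parts.scheme != "https":
        return False
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return base in locations


if __name__ == "__main__":
    locs = discovery_response_locations(SAMPLE_METADATA)
    print("published endpoints:", sorted(locs))
    print(return_url_allowed("https://sp.example.edu/Shibboleth.sso/Login?target=/secure", locs))
```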
Configuring Shibboleth SP version 2.4 or later
For SP 2.4 and later, the <SSO> element in shibboleth2.xml should include the following:
shibboleth2.xml (2.4 and later):

    <!-- SAMLDS sends users who have not yet chosen an IdP to the InCommon Discovery Service -->
    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
        SAML2 SAML1
    </SSO>
Configuring Shibboleth SP version 2.3.1 or earlier
For SP 2.3.1 and earlier, modify your configuration file (shibboleth2.xml) to include a <SessionInitiator> of type SAMLDS whose URL points to https://wayf.incommonfederation.org/DS/WAYF:
shibboleth2.xml (2.3.1 and earlier):

    <SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true" relayState="cookie">
        <SessionInitiator type="SAML2"
            defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html" />
        <SessionInitiator type="Shib1" defaultACSIndex="5" />
        <!-- Last in the chain: redirect to the InCommon Discovery Service when no IdP is known -->
        <SessionInitiator type="SAMLDS" URL="https://wayf.incommonfederation.org/DS/WAYF" />
    </SessionInitiator>