...
This example shows how a Service Provider can request a silver-test assurance from an IdP. First, both the IdP and SP must use IdP metadata configured as shown in the "IAQs in metadata" section above. The IdP will also need to release silver-test as a valid <AuthenticationMethod> for the chosen <LoginHandler>, typically done in the IdP's handler.xml configuration.
- Edit the SP's /etc/shibboleth/attribute-map.xml configuration file. Add the following new tag:

      <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="assurance-certification"/>

  This corresponds to the <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"> tag in the IdP's "IAQs in metadata" configuration section above.
- Edit the SP's /etc/shibboleth/shibboleth2.xml configuration file. In the <ApplicationDefaults ...> tag, add the following attribute:

      metadataAttributePrefix="Meta-"

  You will now have an <ApplicationDefaults ...> tag that looks like the following:

      <ApplicationDefaults id="default" policyId="default" entityID="https://example.org/shibboleth" REMOTE_USER="persistent-id targeted-id eppn" signing="false" encryption="false" homeURL="https://example.org/" metadataAttributePrefix="Meta-">

  This will add new Apache server environment variables of the form HTTP_META_... and allow the SP software to automatically populate the Apache server environment with the IdP's metadata <EntityAttributes>. This is useful for the SP to programmatically determine which assurance attributes are valid from the IdP.
- Restart the SP's shibd process.
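
The programmatic check mentioned in the last step could look like the following in a Python application behind the SP. This is an added example, not part of the original page or the Shibboleth distribution. It assumes the metadata attribute arrives as Meta-assurance-certification or HTTP_META_ASSURANCE_CERTIFICATION, that the login's assurance is read from Shib-AuthnContext-Class or Shib-Authentication-Method, and it uses constructed placeholder URIs.

```python
import re

# Assumed variable names: the page gives only the form HTTP_META_...; the first
# name is the "Meta-" prefix joined with the id set in attribute-map.xml.
META_KEYS = ("Meta-assurance-certification", "HTTP_META_ASSURANCE_CERTIFICATION")
# Variables the Shibboleth SP sets for the session's authentication context.
AUTHN_KEYS = ("Shib-AuthnContext-Class", "Shib-Authentication-Method")

# Constructed placeholder URIs; substitute the values your federation publishes.
SILVER = "https://assurance.example.org/silver-test"
BRONZE = "https://assurance.example.org/bronze"


def split_values(raw):
    """Split a Shibboleth multi-valued variable on ';', honouring '\\;' escapes."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def first_present(environ, keys):
    """Return the first non-empty variable among keys, or '' if none is set."""
    for key in keys:
        if environ.get(key):
            return environ[key]
    return ""


def assurance_granted(environ, required):
    """True only if the IdP's metadata certifies `required` AND this login asserts it.

    A missing variable yields an empty set, so the check fails closed.
    """
    certified = set(split_values(first_present(environ, META_KEYS)))
    asserted = set(split_values(first_present(environ, AUTHN_KEYS)))
    return required in certified and required in asserted


# Constructed sample environment: IdP certified for both, login at silver-test.
SAMPLE_ENVIRON = {
    "Meta-assurance-certification": BRONZE + ";" + SILVER,
    "Shib-AuthnContext-Class": SILVER,
}

if __name__ == "__main__":
    print(assurance_granted(SAMPLE_ENVIRON, SILVER))
```

Pass the WSGI or CGI environment as `environ`. A value asserted by the login but absent from the IdP's metadata is rejected, as is a value the IdP is certified for but did not assert for this session.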
...