...
As your IdP will need to act as an SP, you'll need extra blocks in your entity's metadata. Create a new sp-metadata.xml file (or update your existing idp-metadata.xml, but consider whether this should be included in multi-lateral federation agreements) to include an <SPSSODescriptor> block. You'll need to copy the signing and encryption certificates from the IdP part of the metadata and replace the base URI (https://idp.example.ac.uk/idp) with the base of your IdP.
```xml
<EntityDescriptor entityID="https://idp.example.ac.uk/entity" ...>
  <!-- Already present IdP data -->
  <IDPSSODescriptor ...>
    ...
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor>
    ...
  </AttributeAuthorityDescriptor>

  <!-- New SP block -->
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            ...Signing Certificate from IdP...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            ...Encryption Certificate from IdP...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp.example.ac.uk/idp/profile/Authn/SAML2/POST/SSO"
                              index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
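The copy-the-certificates-and-rewrite-the-base-URI step above can be scripted rather than done by hand, which avoids pasting the wrong certificate or leaving the example host in the ACS Location. The following is an added example, not part of the original page or of the Shibboleth project; it assumes the IdP metadata marks its keys with use="signing" and use="encryption" as the page's metadata does, and it works on a constructed sample with placeholder certificate text.

```python
import copy
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keeps md:/ds: prefixes when serialising
MD = "{%s}" % NS["md"]
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PROXY_ACS_PATH = "/profile/Authn/SAML2/POST/SSO"  # ACS path from the page's SPSSODescriptor
ROLE_TAGS = {MD + "IDPSSODescriptor", MD + "AttributeAuthorityDescriptor"}
# Constructed sample idp-metadata.xml; the certificate bodies are placeholders.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.ac.uk/entity">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNINGCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTIONCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
  <ContactPerson contactType="technical"/>
</EntityDescriptor>"""

def add_sp_descriptor(metadata_xml: str, idp_base: str) -> ET.Element:
    """Append an SPSSODescriptor that reuses the IdP role's signing and encryption keys."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or root.find("md:SPSSODescriptor", NS) is not None:
        raise ValueError("expected an IDPSSODescriptor and no existing SPSSODescriptor")
    sp = ET.Element(MD + "SPSSODescriptor", protocolSupportEnumeration=SAML2_PROTOCOL)
    for use in ("signing", "encryption"):
        key = idp.find(f"md:KeyDescriptor[@use='{use}']", NS)
        if key is None:
            raise ValueError(f"IdP metadata has no KeyDescriptor with use={use}")
        sp.append(copy.deepcopy(key))  # same certificate as the IdP role, not a new key
    ET.SubElement(sp, MD + "AssertionConsumerService", Binding=HTTP_POST,
                  Location=idp_base.rstrip("/") + PROXY_ACS_PATH, index="0")
    # Role descriptors must precede Organization/ContactPerson, so insert after the last role.
    last_role = max(i for i, child in enumerate(root) if child.tag in ROLE_TAGS)
    root.insert(last_role + 1, sp)
    return root

def sp_summary(root: ET.Element) -> dict:
    """Facts about the SP role worth checking before the metadata is published."""
    sp = root.find("md:SPSSODescriptor", NS)
    cert = "md:KeyDescriptor[@use='%s']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "order": [child.tag.replace(MD, "") for child in root],
        "acs": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "certs": {use: sp.find(cert % use, NS).text for use in ("signing", "encryption")},
    }
```

Serialise the returned element with ET.tostring(root, encoding="unicode") to produce the sp-metadata.xml file, and compare sp_summary() against the IdP role before publishing it.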
...