...

  1. Copy example-metadata.xml to partner-metadata.xml
  2. Generate and save a key and a self-signed certificate for the IdP:
    A. openssl genrsa -out idp.key 2048
    B. openssl req -new -key idp.key -x509 -days 365 -out idp.crt
    The certificate issued by the second command expires after 365 days, so plan to replace it (and the copy pasted into the metadata below) before then. idp.key is the IdP's private signing key: restrict its file permissions to the account the IdP runs as, and never paste it into the metadata file; only the certificate (idp.crt) goes there.
  3. Repeat step 2 for the SP, producing sp.key and sp.crt.
  4. Edit the IdP EntityDescriptor. The easiest way to do this is to use the Metadata Generator and replace the IdP EntityDescriptor in the metadata file with the descriptor the generator creates. You can also hand edit the metadata file's default EntityDescriptor by doing the following:
    A. Enter a providerId (the entityID attribute in the EntityDescriptor element). We recommend values of the form https://idp.hostname/shibboleth , where hostname is replaced by the full DNS name of your host. Remember that this is a logical name; the Shibboleth software will not attempt to use this URL to retrieve anything.
    B. If you intend to use eduPerson attributes such as eduPersonScopedAffiliation or eduPersonPrincipalName, then change the value inside the two Scope extension elements in the file (one under IDPSSODescriptor, one under AttributeAuthorityDescriptor) to a domain name associated with your security domain. The SP will only accept scoped attribute values whose scope matches this element, so it must be the domain your IdP actually asserts.
    C. There are two KeyDescriptor elements. In the first one, replace the data within the X509Certificate element with the contents of idp.crt (created above). The element holds the base64 body of the certificate, so paste the lines between the BEGIN CERTIFICATE and END CERTIFICATE markers and omit the markers themselves. Delete the second KeyDescriptor element to reduce later confusion.
    D. There are two ArtifactResolutionService elements. In the first one, within the Location attribute, change the hostname part of the URL to be the name of the host where you are running your IdP. Delete the second ArtifactResolutionService element to reduce later confusion.
    E. There are two SingleSignOnService elements. In the first one, within the Location attribute, change the hostname part of the URL to be the name of the host where you are running your IdP. Delete the second SingleSignOnService element to reduce later confusion.
    F. Within the AttributeAuthorityDescriptor element, within the X509Certificate element, replace the data with the contents of idp.crt (base64 body only, as in step C).
    G. Within the AttributeService element, within the Location attribute, change the hostname part of the URL to be the name of the host where you are running your IdP. Keep any port number that is already in the URL.
  5. Edit the SP EntityDescriptor. You should hand edit the metadata file's default EntityDescriptor by doing the following:
    A. Enter a providerId (the entityID attribute in the EntityDescriptor element). We recommend values of the form https://sp.hostname/shibboleth , where hostname is replaced by the full DNS name of your host. Remember that this is a logical name; the Shibboleth software will not attempt to use this URL to retrieve anything.
    B. In the X509Certificate element, replace the data with the contents of sp.crt (base64 body only, without the BEGIN/END CERTIFICATE lines).
    C. In all of the AssertionConsumerService elements, within the Location attribute, change the hostname part of the URL to be the name of the host where you are running your SP.
    D. Optionally, duplicate the first AssertionConsumerService element (the one whose URL contains SAML/POST), and change https to http. Be sure to give the new element an index attribute that is different from every other AssertionConsumerService index in this descriptor. Note that a SAML response delivered to the http endpoint, and any attributes it carries, travels in cleartext over the network; treat this endpoint as a testing convenience only and do not list it in production metadata.
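The following script applies steps 4 and 5 of the procedure above to a metadata file programmatically. It is an added example written for this page, not code from the Shibboleth project; the embedded metadata is a constructed, cut-down stand-in for example-metadata.xml (service Binding attributes omitted), and the two certificates are constructed placeholders, not real X.509 data. In practice you would read partner-metadata.xml and the idp.crt / sp.crt files produced by the openssl commands in steps 2 and 3.

```python
"""Hypothetical helper that performs the IdP and SP metadata edits (steps 4 and 5).
Not Shibboleth project code; the sample metadata and certificates below are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed stand-in for example-metadata.xml, reduced to the elements the steps touch.
EXAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <EntityDescriptor entityID="https://idp.example.org/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></Extensions>
   <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD1</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
   <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD2</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
   <ArtifactResolutionService Location="https://idp.example.org/shibboleth/Artifact/SOAP" index="1"/>
   <ArtifactResolutionService Location="https://idp.example.org:8443/shibboleth/Artifact/SOAP" index="2"/>
   <SingleSignOnService Location="https://idp.example.org/shibboleth/SSO"/>
   <SingleSignOnService Location="https://idp.example.org/shibboleth/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></Extensions>
   <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD3</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
   <AttributeService Location="https://idp.example.org:8443/shibboleth/AA"/>
  </AttributeAuthorityDescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD4</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
   <AssertionConsumerService Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="1"/>
   <AssertionConsumerService Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="2"/>
  </SPSSODescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed placeholders standing in for idp.crt and sp.crt (not real certificates).
IDP_CRT = "-----BEGIN CERTIFICATE-----\nMIIBidpPlaceHolder\nAAAA==\n-----END CERTIFICATE-----\n"
SP_CRT = "-----BEGIN CERTIFICATE-----\nMIIBspPlaceHolder\nBBBB==\n-----END CERTIFICATE-----\n"


def pem_body(pem):
    """ds:X509Certificate holds base64 DER: the PEM file without its BEGIN/END lines."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("not a PEM certificate")
    return body


def _with_host(url, hostname):
    """Replace only the host part of url; scheme, port and path are preserved."""
    p = urlsplit(url)
    netloc = hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def _set_cert(key_descriptor, cert_pem):
    key_descriptor.find(".//ds:X509Certificate", NS).text = pem_body(cert_pem)


def _keep_first(parent, tag):
    """Keep the first md:<tag> child and delete the rest ('to reduce later confusion')."""
    kids = parent.findall(f"md:{tag}", NS)
    for extra in kids[1:]:
        parent.remove(extra)
    return kids[0]


def _descriptor(root, role):
    """Locate the EntityDescriptor that carries the given role descriptor."""
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.find(f"md:{role}", NS) is not None:
            return ed
    raise LookupError(role)


def configure_idp(root, entity_id, hostname, scope, cert_pem):
    """Step 4: entityID, both Scope elements, certificates, endpoints, duplicate removal."""
    ed = _descriptor(root, "IDPSSODescriptor")
    ed.set("entityID", entity_id)
    for s in ed.iterfind(".//shibmd:Scope", NS):
        s.text = scope
    idp = ed.find("md:IDPSSODescriptor", NS)
    _set_cert(_keep_first(idp, "KeyDescriptor"), cert_pem)
    for tag in ("ArtifactResolutionService", "SingleSignOnService"):
        svc = _keep_first(idp, tag)
        svc.set("Location", _with_host(svc.get("Location"), hostname))
    aa = ed.find("md:AttributeAuthorityDescriptor", NS)
    _set_cert(aa.find("md:KeyDescriptor", NS), cert_pem)
    svc = aa.find("md:AttributeService", NS)
    svc.set("Location", _with_host(svc.get("Location"), hostname))
    return ed


def configure_sp(root, entity_id, hostname, cert_pem, add_http_acs=False):
    """Step 5: entityID, certificate, ACS hostnames and the optional cleartext ACS."""
    ed = _descriptor(root, "SPSSODescriptor")
    ed.set("entityID", entity_id)
    sp = ed.find("md:SPSSODescriptor", NS)
    _set_cert(sp.find("md:KeyDescriptor", NS), cert_pem)
    acs = sp.findall("md:AssertionConsumerService", NS)
    for a in acs:
        a.set("Location", _with_host(a.get("Location"), hostname))
    if add_http_acs:
        # Testing only: responses posted here are not protected by TLS. Index must be unique.
        post = next(a for a in acs if a.get("Location").endswith("/SAML/POST"))
        clone = ET.SubElement(sp, f"{{{NS['md']}}}AssertionConsumerService", dict(post.attrib))
        clone.set("Location", "http://" + post.get("Location").split("://", 1)[1])
        clone.set("index", str(max(int(a.get("index")) for a in acs) + 1))
    return ed


def build_partner_metadata(example_xml, idp_host, sp_host, scope, idp_crt, sp_crt, http_acs=False):
    """Apply steps 4 and 5 to the example metadata and return the edited root element."""
    root = ET.fromstring(example_xml)
    configure_idp(root, f"https://{idp_host}/shibboleth", idp_host, scope, idp_crt)
    configure_sp(root, f"https://{sp_host}/shibboleth", sp_host, sp_crt, http_acs)
    return root


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    edited = build_partner_metadata(EXAMPLE_METADATA, "idp.test.example", "sp.test.example",
                                    "test.example", IDP_CRT, SP_CRT, http_acs=True)
    print(to_xml(edited))
```

To use it against a real file, replace EXAMPLE_METADATA with the text of partner-metadata.xml and IDP_CRT / SP_CRT with the contents of idp.crt and sp.crt, then write to_xml(edited) back out. The host replacement deliberately keeps any port already present (for example the :8443 on the AttributeService URL), which is what step 4G calls for; pem_body refuses input that is not a PEM certificate so that a private key or a stray file cannot end up inside a KeyDescriptor.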

...