...
The dialog box for IdP details is interspersed with fields about the SP's own entityID and URLs, but it will also generate metadata on the Advanced tab, which I hand-edited afterwards to load into the IdP. Noteworthy: it doesn't support XML Encryption but does sign its requests and so includes a key for that in the metadata.
Profile Requirements
Encryption isn't supported, so it has to be disabled for this SP (or the idp.encryption.optional property turned on). There weren't any other special requirements.
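One way to disable encryption for just this SP rather than globally is a per-relying-party override in the IdP's conf/relying-party.xml. This is an added example, not configuration from the original page; it assumes the standard IdP v3/v4 override syntax and keeps the page's `<organization>` placeholder:

```xml
<!-- Added example (not from the original page): place inside the
     shibboleth.RelyingPartyOverrides list in conf/relying-party.xml.
     Replace <organization> with the Proofpoint organization name, as on this page. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://saml-entity-id.proofpoint.com/<organization>_hosted">
    <property name="profileConfigurations">
        <list>
            <!-- Proofpoint cannot decrypt XML Encryption, so the assertion is sent
                 unencrypted to this SP only; the global default stays encrypted. -->
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
            <!-- Logout, if desired; the NameID in the LogoutRequest is likewise left
                 unencrypted for the same reason. -->
            <bean parent="SAML2.Logout" p:encryptNameIDs="false" />
        </list>
    </property>
</bean>
```

Scoping the override to the Proofpoint entityID leaves encryption enabled for every other SP, which is preferable to flipping idp.encryption.optional for the whole deployment.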
...
SAML2.Logout (if desired)
```xml
<AttributeFilterPolicy id="ProofPoint">
    <PolicyRequirementRule xsi:type="Requester" value="https://saml-entity-id.proofpoint.com/<organization>_hosted" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
```xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'eduPersonPrincipalName'} }" >
    <property name="activationCondition" >
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://saml-entity-id.proofpoint.com/<organization>_hosted" />
    </property>
</bean>
```
Account Provisioning
The accounts have to be in place with an appropriate email address as the user ID.
...