The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.


To interoperate with a typical commercial SAML Service Provider the following changes/additions need to be made to the Shibboleth configuration files (examples are from NIH/InCommon interop on a Shibboleth IdP running HA_Shib):

idp.xml

Add a new RelyingParty. Set signingCredential and nameMapping to the proper values for your setup; the name must match the entityId of the target SP, in this case https://www.nih.gov/Federation. See AlternateProfiles for more information on forceAttributePush and singleAssertion:

<RelyingParty name="https://www.nih.gov/Federation" signingCredential="incommon_cred" schemaHack="true"
        forceAttributePush="true" singleAssertion="true">
      <NameID nameMapping="hashib_mapping"/>
</RelyingParty>

resolver.xml

Send eduPersonPrincipalName (EPPN) as a non-smart-scoped attribute, defined under its OID name. Ensure that urn:mace:dir:attribute-def:eduPersonPrincipalName is defined elsewhere in resolver.xml as a smart-scoped attribute, since the definition below depends on it:

<SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800"
        sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition>

arp.site.xml

<Rule>
      <Target>
            <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://www.nih.gov/Federation</Requester>
      </Target>
      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
            <AnyValue release="permit"/>
      </Attribute>
</Rule>

You can release additional attributes in the rule by adding further <Attribute> entries. Which attributes you release should be decided on a case-by-case basis. To NIH, we release cn, sn, givenName, mail and eduPersonAffiliation. The Requester string must match the entityId of the SP (in this case https://www.nih.gov/Federation).
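The three fragments above have to agree with each other: the RelyingParty name and the ARP Requester must both equal the SP's entityId, and the attribute the ARP releases must exist in the resolver, as must everything it depends on. The following script (an added example, not part of the Shibboleth distribution or this page) cross-checks exactly that. It wraps the page's fragments in constructed root elements so they parse on their own, strips XML namespaces before matching so it also works on real config files, and uses a constructed, placeholder smart-scoped EPPN definition to show the dependency check clearing.

```python
import xml.etree.ElementTree as ET

SP_ENTITY_ID = "https://www.nih.gov/Federation"

# The page's three fragments, wrapped in constructed root elements so they parse on their own.
IDP_XML = """<IdPConfig><RelyingParty name="https://www.nih.gov/Federation" signingCredential="incommon_cred"
  schemaHack="true" forceAttributePush="true" singleAssertion="true"><NameID nameMapping="hashib_mapping"/>
</RelyingParty></IdPConfig>"""
RESOLVER_XML = """<AttributeResolver><SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
  lifeTime="28800" sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
  <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition></AttributeResolver>"""
ARP_XML = """<AttributeReleasePolicy><Rule><Target>
  <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://www.nih.gov/Federation</Requester>
</Target><Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><AnyValue release="permit"/></Attribute>
</Rule></AttributeReleasePolicy>"""
# Constructed placeholder for the smart-scoped EPPN definition the page says must live elsewhere in resolver.xml.
EPPN_DEF = '<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" smartScope="example.edu"/>'

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a {namespace} prefix so lookups work on namespaced files too

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def check_interop(idp_xml, resolver_xml, arp_xml, sp_entity_id):
    """Return a list of findings; an empty list means the three files agree for this SP."""
    idp, res, arp = (ET.fromstring(x) for x in (idp_xml, resolver_xml, arp_xml))
    findings = []
    # 1. idp.xml: a RelyingParty whose name equals the SP's entityId must exist.
    if sp_entity_id not in {rp.get("name") for rp in find_all(idp, "RelyingParty")}:
        findings.append(f"idp.xml: no RelyingParty named {sp_entity_id}")
    # 2. resolver.xml: every AttributeDependency must point at a definition that exists.
    defined = {d.get("id") for d in res.iter() if local(d.tag).endswith("AttributeDefinition")}
    for dep in find_all(res, "AttributeDependency"):
        if dep.get("requires") not in defined:
            findings.append(f"resolver.xml: dependency on undefined attribute {dep.get('requires')}")
    # 3. arp.site.xml: collect what an exactShar rule for this entityId permits, then cross-check.
    released = set()
    for rule in find_all(arp, "Rule"):
        requesters = [(r.text or "").strip() for r in find_all(rule, "Requester")
                      if r.get("matchFunction", "").endswith("exactShar")]
        if sp_entity_id in requesters:
            released |= {a.get("name") for a in find_all(rule, "Attribute")
                         if any(v.get("release") == "permit" for v in find_all(a, "AnyValue"))}
    if not released:
        findings.append(f"arp.site.xml: no exactShar rule releases attributes to {sp_entity_id}")
    for name in sorted(released - defined):
        findings.append(f"arp.site.xml: releases {name} but resolver.xml does not define it")
    return findings
```

Run against the page's fragments alone it reports exactly the caveat from the resolver.xml section (the missing eduPersonPrincipalName definition); with that definition present it reports nothing.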
