Talk to a new IdP
The amount of configuration the SP needs to talk to a new IdP depends on how much special treatment that IdP will require compared to your defaults. The base case is very simple: add the IdP's metadata to a metadata file referenced by a <MetadataProvider>
from shibboleth2.xml
, and you're done. If you're using the Login
style of <SessionInitiator
, you should change the entityID
to the IdP's entityID
.
If you do need to treat an IdP specially in one of the following ways, read that section:
Different entityID
Add a <RelyingParty>
element to the <Application>
configuration with a new Name
matching the entityID
of the IdP or a federation. The SP will name itself by a specified entityID
attribute when it talks to the relying party Name
. This won't work if a WAYF
style <SessionInitiator>
is used, but it will work with a DS
.
Different cryptography
Add a <RelyingParty>
element to the <Application>
configuration with a new Name
matching the entityID
of the IdP or a federation. Make the keyName="specialKey"
refer to a <CredentialResolver>
. You can also change the default encryption
and signing
settings, or the use of TLS
to authenticate to other providers, but this is rarely required.
Special Attribute Rules
To enact special attribute rules for a this IdP, add specific rules to attribute-policy.xml. No <RelyingParty>
settings are necessary.