3.1 Configuring the Service Provider
The EDS functions in conjunction with a suitably configured Service Provider. Both Shibboleth and non-Shibboleth SPs can be used, but at the time of writing we know of no other SP implementation that directly supports the JSON discovery feed format the EDS consumes.
Configuration of Shibboleth SPs, which MUST be running V2.4 or later, is detailed below. For non-Shibboleth SPs, consult the appropriate documentation.
Tip: Test after each change
After each change to the SP's configuration, check that the file still parses and loads by running shibd with the -t flag:
    user@host: $ /usr/sbin/shibd -t
The precise configuration of the SP depends on when it was first installed, since certain mechanisms changed in version 2.4.
3.1.1 SPs installed at version 2.4 or later
This section describes the requirements when using configuration files that were installed along with recent versions of the SP software.
Perform the following steps to configure the Service Provider by editing /etc/shibboleth/shibboleth2.xml:
1. Edit the <MetadataProvider> element, setting the legacyOrgNames attribute to true (see NativeSPMetadataProvider for more information). This is needed because, at the time of writing, almost no federation metadata includes the discovery UI extensions, so the discovery feed has to fall back to the organization names carried in the metadata (see section 4, Metadata Considerations, for more information).
    <MetadataProvider type="XML" uri="http://federation/metadata.xml" backingFilePath="federation.xml" legacyOrgNames="true" reloadInterval="7200">
   Note that the example uri is plain http. The EDS offers users whatever IdPs appear in this metadata, so in production either fetch it over https or keep a MetadataFilter of type="Signature" that verifies the federation's metadata signing certificate (see NativeSPMetadataProvider).
2. Edit the <SSO> element (see NativeSPServiceSSO for details), removing the entityID attribute, adding discoveryProtocol="SAMLDS", and setting the discoveryURL attribute to the URL of the web page that will contain the EDS. Only the entityID attribute on <SSO> is removed; the SP's own entityID on <ApplicationDefaults> stays as it is. An <SSO> element that still carries an entityID sends every user to that single IdP and never invokes discovery.
    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://yoursp/path/to/EDS">
        SAML2 SAML1
    </SSO>
3.1.2 SPs installed prior to version 2.4
This section describes the requirements when using configuration files that were installed along with older versions of the SP software and have been carried forward into V2.4 or later. In no case can you use an SP version prior to V2.4.
Perform the following steps to configure the Service Provider by editing /etc/shibboleth/shibboleth2.xml:
1. Edit the <MetadataProvider> element, setting the legacyOrgNames attribute to true (see NativeSPMetadataProvider for more information). This is needed because, at the time of writing, almost no federation metadata includes the discovery UI extensions, so the discovery feed has to fall back to the organization names carried in the metadata (see section 4, Metadata Considerations, for more information).
    <MetadataProvider type="XML" uri="http://federation/metadata.xml" backingFilePath="federation.xml" legacyOrgNames="true" reloadInterval="7200">
   As in 3.1.1, the example uri is plain http; in production fetch the metadata over https or keep a MetadataFilter of type="Signature" in place, since this metadata decides which IdPs the EDS presents.
2. Edit the <Sessions> element to add a discovery feed handler. Older configuration files do not contain one, and without it the EDS has no IdP list to display. With the default handlerURL of /Shibboleth.sso the feed is then served at https://yoursp/Shibboleth.sso/DiscoFeed.
    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
3. Modify the <SessionInitiator> chain used by your deployment and make sure the last <SessionInitiator> element in the chain is of type="SAMLDS" and that its URL points to the web page containing the EDS. If an existing element of type="WAYF" is present you will need to remove it or comment it out, otherwise it is tried before the SAMLDS element and users are sent to the old WAYF instead of the EDS.
    <!-- This is an example, it may not match yours exactly. -->
    <SessionInitiator type="Chaining" Location="/Login">
        ... earlier elements ...
        <SessionInitiator type="SAMLDS" URL="https://yoursp/path/to/EDS"/>
    </SessionInitiator>
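The two procedures above (3.1.1 for 2.4-style files, 3.1.2 for older files carried forward) amount to a handful of attribute and element checks on shibboleth2.xml. The following added example, which is not part of the EDS documentation or the Shibboleth project, is a small offline lint that applies those checks to a file's contents: it detects which style the file uses, flags an SSO element that still pins an entityID, a missing SAMLDS discovery setting, a leftover WAYF session initiator, a missing DiscoveryFeed handler, a MetadataProvider without legacyOrgNames="true", and metadata fetched over plain http with no Signature filter. The three sample configurations, the host names, the certificate file name and the https requirement on the discovery URL are assumptions constructed for the example.

```python
"""Offline lint for the EDS-related settings in shibboleth2.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample 1: a 2.4+ style file after the edits in 3.1.1 (placeholder names).
GOOD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://yoursp/shibboleth">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://yoursp/path/to/EDS">
        SAML2 SAML1
      </SSO>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>
    <MetadataProvider type="XML" uri="https://federation/metadata.xml"
                      backingFilePath="federation.xml"
                      legacyOrgNames="true" reloadInterval="7200">
      <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample 2: the same file before the edits (IdP pinned, no feed, unsigned http metadata).
BAD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://yoursp/shibboleth">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso">
      <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2 SAML1
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="http://federation/metadata.xml"
                      backingFilePath="federation.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample 3: a pre-2.4 style file (3.1.2) that still ends its chain with a WAYF element.
PRE24_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://yoursp/shibboleth">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
      </SessionInitiator>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>
    <MetadataProvider type="XML" uri="https://federation/metadata.xml"
                      backingFilePath="federation.xml"
                      legacyOrgNames="true" reloadInterval="7200">
      <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""


def lint_eds_config(xml_text):
    """Return a list of findings; an empty list means the file matches 3.1.1 or 3.1.2."""
    root = ET.fromstring(xml_text)   # {*} below matches any namespace (Python 3.8+)
    findings = []

    sso = root.find(".//{*}SSO")
    if sso is not None:                                   # 2.4+ style file (3.1.1)
        if "entityID" in sso.attrib:
            findings.append("SSO still carries entityID; the SP will skip discovery")
        if sso.get("discoveryProtocol") != "SAMLDS":
            findings.append("SSO discoveryProtocol is not SAMLDS")
        if not sso.get("discoveryURL", "").startswith("https://"):
            findings.append("SSO discoveryURL missing or not https")
    else:                                                 # pre-2.4 style file (3.1.2)
        chain = root.find(".//{*}SessionInitiator[@type='Chaining']")
        inits = [] if chain is None else chain.findall("{*}SessionInitiator")
        if chain is None:
            findings.append("neither SSO nor a Chaining SessionInitiator found")
        if any(i.get("type") == "WAYF" for i in inits):
            findings.append("SessionInitiator type=WAYF present; remove or comment it out")
        if not inits or inits[-1].get("type") != "SAMLDS":
            findings.append("last SessionInitiator in the chain is not type=SAMLDS")
        elif not inits[-1].get("URL", "").startswith("https://"):
            findings.append("SAMLDS SessionInitiator URL is not https")

    if root.find(".//{*}Handler[@type='DiscoveryFeed']") is None:
        findings.append("no DiscoveryFeed handler; the EDS will have no IdP list to show")

    for mp in root.findall(".//{*}MetadataProvider"):
        if mp.get("legacyOrgNames") != "true":
            findings.append("MetadataProvider lacks legacyOrgNames=true")
        if (mp.get("uri", "").startswith("http://")
                and mp.find("{*}MetadataFilter[@type='Signature']") is None):
            findings.append("metadata fetched over plain http with no Signature filter; "
                            "an on-path attacker could add IdPs to the EDS list")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG), ("pre24", PRE24_CONFIG)):
        print(name, lint_eds_config(cfg) or "OK")
```

To run it against a real deployment, pass the contents of /etc/shibboleth/shibboleth2.xml to lint_eds_config; it complements rather than replaces shibd -t, which checks that the file loads but not that discovery is wired to the EDS.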
3.1.3 Testing
To test that everything is operational, open a browser and attempt to access an SP protected page. The SP should redirect you to the embedded discovery service and, if you select your Identity Provider (IdP) you should be able to log in to the SP as normal. On the first visit to the embedded discovery service there will be no history (obviously) but if you close out the browser and try to log in to the SP again you should now see your previously chosen IdP listed as a preferred IdP.