3.1 Configuring the Service Provider

Owned by Rod Widdowson
Last updated: Jul 22, 2021
3 min read

The EDS functions in conjunction with a suitably configured Service Provider. Both Shibboleth and non Shibboleth SPs can be used, but at the present time, we don't know of any other implementations that directly support the JSON feed format used in the software.

Configuration of Shibboleth SPs, which MUST be running V2.4 or later, is detailed below. For non-Shibboleth SPs, consult the appropriate documentation.

Tip: Test after each change

After each change to the SP's configuration, test using the -t flag.


user@host: $ /usr/sbin/shibd –t

The precise configuration of the SP depends on when it was first installed, since certain mechanisms changed in version 2.4.

3.1.1 SPs installed since Version 2.4 and later

This section describes the requirements when using configuration files that were installed along with recent versions of the SP software.

Perform the following steps to configure the Service Provider, by editing the /etc/shibboleth/shibboleth2.xml:

  1. Edit the <MetadataProvider> tag, setting the legacyOrgNames attribute to true. (See NativeSPMetadataProvider for more information). We do this because at this time almost no federation metadata includes the discovery UI extensions. (See section 4. Metadata Considerations for more information).

    <MetadataProvider type="XML" uri="http://federation/metadata.xml"
    backingFilePath="federation.xml" legacyOrgNames="true" reloadInterval="7200">

  2. Edit the SSO tag (see NativeSPServiceSSO for details), removing the entityID attribute and adding a discoveryProtocol of "SAMLDS" and setting the discoveryURL attribute to the URL of the web page that will contain the EDS.

    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://yoursp/path/to/EDS">
   SAML2 SAML1
</SSO>

3.1.2 SP installed prior to version 2.4

This section describes the requirements when using configuration files that were installed along with older versions of the SP software and have been carried forward into V2.4 or later. In no case can you use a version prior to V2.4.

Perform the following steps to configure the Service Provider, by editing the /etc/shibboleth/shibboleth2.xml:

  1. Edit the <MetadataProvider> tag, setting the legacyOrgNames attribute to true. (See NativeSPMetadataProvider for more information.) We do this because at this time almost no federation metadata includes the discovery UI extensions. (See section 4. Metadata Considerations for more information).

    <MetadataProvider type="XML" uri="http://federation/metadata.xml"
    backingFilePath="federation.xml" legacyOrgNames="true" reloadInterval="7200">

  2. Edit the Sessions tag to add a discovery service feed.

    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

  3. Modify the <SessionInitiator> chain used by your deployment and make sure the last <SessionInitiator> element in the chain is of type="SAMLDS" and that it points to the web page containing the EDS. If an existing element of type="WAYF"is present you will need to remove it or comment it out.

    <!-- This is an example, it may not match yours exactly. -->
<SessionInitiator type="Chaining" Location="/Login">
    ... earlier elements ...
    <SessionInitiator type="SAMLDS" URL="https://yoursp/path/to/EDS"/>
</SessionInitiator>

3.1.3 Testing

To test that everything is operational, open a browser and attempt to access an SP protected page. The SP should redirect you to the embedded discovery service and, if you select your Identity Provider (IdP) you should be able to log in to the SP as normal. On the first visit to the embedded discovery service there will be no history (obviously) but if you close out the browser and try to log in to the SP again you should now see your previously chosen IdP listed as a preferred IdP.