The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
Interoperate with a commercial SAML Service Provider
To interoperate with a typical commercial SAML Service Provider, the following changes and additions need to be made to the Shibboleth configuration files (the examples are from the NIH/InCommon interop on a Shibboleth IdP running HA_Shib):
idp.xml
Add a new RelyingParty (set signingCredential and nameMapping to the proper values for your setup; name should match the entityId of the target SP, in this case https://www.nih.gov/Federation). See AlternateProfiles for more information on forceAttributePush and singleAssertion:
<RelyingParty name="https://www.nih.gov/Federation"
              signingCredential="incommon_cred"
              schemaHack="true"
              forceAttributePush="true"
              singleAssertion="true">
    <NameID nameMapping="hashib_mapping"/>
</RelyingParty>
resolver.xml
Send eduPersonPrincipalName (EPPN) as a non-smart-scoped attribute, using its OID as the definition id and sourcing its value from the smart-scoped definition. Ensure that urn:mace:dir:attribute-def:eduPersonPrincipalName is defined elsewhere in resolver.xml as a smart scoped attribute:
<SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                           lifeTime="28800"
                           sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition>
arp.site.xml
<Rule>
    <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://www.nih.gov/Federation</Requester>
    </Target>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
You can release additional attributes in the rule by adding additional <Attribute> entries. Which additional attributes you release should be determined on a case by case basis. To NIH, we release cn, sn, givenName, mail and eduPersonAffiliation. The Requester string should match the entityId of the SP (in this case https://www.nih.gov/Federation).
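The three edits above only work together when the same SP entityId appears in idp.xml and arp.site.xml and the OID-named attribute in resolver.xml can actually be resolved from the smart-scoped EPPN definition. The following script is an added consistency check, not part of this page or of the Shibboleth distribution; it parses the three files and reports anything that would make the interop silently fail (a mistyped entityId, a missing RelyingParty, an AttributeDependency on an attribute that is never defined, an ARP rule that does not release the OID attribute to that requester). The embedded XML fragments are constructed samples that reuse the element and attribute names from this page; the root element names and the smart-scoped EPPN definition are placeholders, and real configuration files contain many more elements.

```python
import xml.etree.ElementTree as ET

# Values from this page: the SP's entityId and the OID form of eduPersonPrincipalName.
SP_ENTITY_ID = "https://www.nih.gov/Federation"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
EPPN_URN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

# Constructed sample fragments (root element names are placeholders).
IDP_XML = """<IdPConfig>
  <RelyingParty name="https://www.nih.gov/Federation" signingCredential="incommon_cred"
                schemaHack="true" forceAttributePush="true" singleAssertion="true">
    <NameID nameMapping="hashib_mapping"/>
  </RelyingParty>
</IdPConfig>"""

RESOLVER_XML = """<AttributeResolver>
  <!-- constructed placeholder for the smart-scoped EPPN definition -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                             sourceName="uid" smartScope="example.edu"/>
  <SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800"
                             sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
  </SimpleAttributeDefinition>
</AttributeResolver>"""

ARP_XML = """<AttributeReleasePolicy>
  <Rule>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://www.nih.gov/Federation</Requester>
    </Target>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><AnyValue release="permit"/></Attribute>
    <Attribute name="urn:mace:dir:attribute-def:mail"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""


def _local(tag):
    """Strip a namespace prefix ({ns}Name -> Name) so matching works whether or
    not the real files declare namespaces."""
    return tag.rsplit("}", 1)[-1]


def _iter_named(root, name):
    """Yield every element (including root) whose local name equals name."""
    for el in root.iter():
        if _local(el.tag) == name:
            yield el


def relying_party_names(idp_xml):
    """Set of RelyingParty name attributes in idp.xml."""
    return {el.get("name") for el in _iter_named(ET.fromstring(idp_xml), "RelyingParty")}


def resolver_definitions(resolver_xml):
    """Return (defined attribute ids, ids required by AttributeDependency)."""
    root = ET.fromstring(resolver_xml)
    defined = {el.get("id") for el in _iter_named(root, "SimpleAttributeDefinition")}
    required = {el.get("requires") for el in _iter_named(root, "AttributeDependency")}
    return defined, required


def arp_released_attributes(arp_xml, requester):
    """Attribute names permitted to the given requester. exactShar is an exact
    string match, so the comparison here is exact as well."""
    released = set()
    for rule in _iter_named(ET.fromstring(arp_xml), "Rule"):
        targets = [r.text.strip() for r in _iter_named(rule, "Requester") if r.text]
        if requester not in targets:
            continue
        for attr in _iter_named(rule, "Attribute"):
            if any(v.get("release") == "permit" for v in _iter_named(attr, "AnyValue")):
                released.add(attr.get("name"))
    return released


def check_interop(sp_entity_id, oid_attribute, idp_xml, resolver_xml, arp_xml):
    """Cross-check the three files; an empty list means they agree."""
    findings = []
    if sp_entity_id not in relying_party_names(idp_xml):
        findings.append(f"idp.xml: no RelyingParty named {sp_entity_id}")
    defined, required = resolver_definitions(resolver_xml)
    if oid_attribute not in defined:
        findings.append(f"resolver.xml: {oid_attribute} is not defined")
    for req in sorted(r for r in required - defined if r):
        findings.append(f"resolver.xml: AttributeDependency on undefined attribute {req}")
    if oid_attribute not in arp_released_attributes(arp_xml, sp_entity_id):
        findings.append(f"arp.site.xml: {oid_attribute} is not released to {sp_entity_id}")
    return findings


if __name__ == "__main__":
    for line in check_interop(SP_ENTITY_ID, EPPN_OID, IDP_XML, RESOLVER_XML, ARP_XML) or ["ok"]:
        print(line)
```

Replace the embedded constants with the contents of your own idp.xml, resolver.xml and arp.site.xml and run it after each change; because exactShar compares the requester string exactly, even a case difference in the entityId shows up as a missing RelyingParty and a missing ARP release.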