To interoperate with a typical commercial SAML Service Provider the following changes/additions need to be made to the Shibboleth configuration files (examples are from NIH/InCommon interop on a Shibboleth IdP running HA_Shib):

idp.xml

Add a new RelyingParty (set signingCredential and nameMapping to proper values for your setup, name should match the entityId for the target SP, in this case https://www.nih.gov/Federation). See AlternateProfiles for more information on forceAttributePush and singleAssertion:

<RelyingParty name="https://www.nih.gov/Federation" signingCredential="incommon_cred" schemaHack="true"
        forceAttributePush="true" singleAssertion="true">
      <NameID nameMapping="hashib_mapping"/>
</RelyingParty>

resolver.xml

Send EPPN as non-smart scoped using its OID number as definition – ensure that you have urn:mace:dir:attribute-def:eduPersonPrincipalName defined elsewhere in resolver.xml as a smart scoped attribute:

<SimpleAttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" lifeTime="28800"
        sourceName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
</SimpleAttributeDefinition>

arp.site.xml

<Rule>
      <Target>
            <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://www.nih.gov/Federation</Requester>
      </Target>
      <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
            <AnyValue release="permit"/>
      </Attribute>
</Rule>

You can release additional attributes in the rule by adding additional <Attribute> entries. What additional attributes you release should be determined on a case by case basis. To NIH, we release cn, sn, givenName, mail and eduPersonAffiliation. The Requester string should match the entityId of the SP (in this case https://www.nih.gov/Federation).

Browser not supported