The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
IdPMultipleFederations
Adding an IdP to multiple federations is usually very straightforward. If there is no need for special certificates, behavior (e.g. NameIdentifier types), or a different providerId, all you need to do is point to the second federation's metadata with another MetadataProvider element and make sure your attribute release policies are appropriate for your trust relationships with each federation.
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata" uri="/usr/local/shibboleth-idp/etc/newfederation-metadata.xml"/>
Things are more complicated if one or more of the following is needed. Follow the steps described for each special activity.
1. Different providerId
In most cases, there should be no need to define a new providerId. The new federation should be willing to accept your existing providerId. If not, then you must define a new <RelyingParty> element like the following:
<RelyingParty name="https://www.thenewfederation.org/providers"
              providerId="https://mynewproviderid.myhost.org/shibboleth/idp">
    <NameID nameMapping="shm"/>
</RelyingParty>
2. Different Credentials
Because the Shibboleth IdP uses its PKI credentials both for signing assertions and for mutual TLS authentication, a separate set of credentials means that a separate set of AA/Artifact endpoints needs to be defined in addition to a special <RelyingParty> element. Both the SSL endpoints and idp.xml must be modified.
idp.xml:
<RelyingParty name="https://www.thenewfederation.org/providers"
              providerId="https://mynewproviderid.myhost.org/shibboleth/idp"
              signingCredential="newcreds">
    <NameID nameMapping="shm"/>
</RelyingParty>

<FileResolver Id="newcreds">
    <Key>
        <Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.key</Path>
    </Key>
    <Certificate>
        <Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.crt</Path>
    </Certificate>
</FileResolver>

<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
    <Location>.+:(7443|8443)/shibboleth-idp/AA</Location>
</ProtocolHandler>
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
    <Location>.+:(7443|8443)/shibboleth-idp/Artifact</Location>
</ProtocolHandler>
ssl.conf:
Listen 7443
<VirtualHost _default_:7443>
    SSLEngine on
    SSLProtocol -All +SSLv3 +TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    SSLCertificateFile /usr/local/shibboleth-idp/etc/idp-newfed.crt
    SSLCertificateKeyFile /usr/local/shibboleth-idp/etc/idp-newfed.key
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
</VirtualHost>
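A consistency check for the coupling described in step 2, added here as an example and not part of the original page or of the Shibboleth software: it reads the RelyingParty, FileResolver and ProtocolHandler fragments from idp.xml together with the ssl.conf VirtualHost, and reports any signingCredential whose certificate is not presented by a TLS VirtualHost on one of the AA/Artifact ports. The two samples are constructed from this page's fragments; the <IdPConfig> wrapper is a placeholder and XML namespaces are omitted.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples condensed from this page's idp.xml and ssl.conf fragments;
# the <IdPConfig> wrapper is a placeholder and XML namespaces are omitted.
IDP_XML = """<IdPConfig>
  <RelyingParty name="https://www.thenewfederation.org/providers"
    signingCredential="newcreds"><NameID nameMapping="shm"/></RelyingParty>
  <FileResolver Id="newcreds">
    <Key><Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.key</Path></Key>
    <Certificate><Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.crt</Path></Certificate>
  </FileResolver>
  <ProtocolHandler implementation="SAMLv1_AttributeQueryHandler">
    <Location>.+:(7443|8443)/shibboleth-idp/AA</Location>
  </ProtocolHandler>
</IdPConfig>"""
SSL_CONF = """Listen 7443
<VirtualHost _default_:7443>
SSLCertificateFile /usr/local/shibboleth-idp/etc/idp-newfed.crt
SSLCertificateKeyFile /usr/local/shibboleth-idp/etc/idp-newfed.key
</VirtualHost>"""

def handler_ports(root):
    """Ports named in ProtocolHandler Location patterns like .+:(7443|8443)/..."""
    locs = (loc.text for loc in root.iterfind("ProtocolHandler/Location"))
    matches = (re.search(r":\(?([0-9|]+)\)?/", t) for t in locs)
    return {p for m in matches if m for p in m.group(1).split("|")}

def vhost_certs(ssl_conf):
    """Map each <VirtualHost ...:port> to the SSLCertificateFile it presents."""
    certs, port = {}, None
    for line in ssl_conf.splitlines():
        m = re.match(r"\s*<VirtualHost\s+\S+?:(\d+)>", line)
        port = m.group(1) if m else port
        if port and line.split()[:1] == ["SSLCertificateFile"]:
            certs[port] = line.split(None, 1)[1].strip()
    return certs

def unbacked_credentials(idp_xml, ssl_conf):
    """Signing credentials whose certificate no AA/Artifact TLS endpoint presents."""
    root = ET.fromstring(idp_xml)
    certs = vhost_certs(ssl_conf)
    presented = {certs[p] for p in handler_ports(root) if p in certs}
    missing = []
    for rp in root.iterfind("RelyingParty[@signingCredential]"):
        cred = rp.get("signingCredential")
        res = root.find(f".//FileResolver[@Id='{cred}']")
        path = res.find("Certificate/Path").text if res is not None else "file:"
        if path.replace("file:", "", 1) not in presented:
            missing.append(cred)
    return missing
```

An empty result means every per-federation signing credential is also the certificate some AA/Artifact VirtualHost presents for mutual TLS; a listed credential points at a FileResolver that is undefined or whose certificate no handler port serves.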