The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

NativeSPGettingStarted

Owned by Scott Cantor
Last updated: Oct 12, 2011
2 min read

This is a summary of the primary changes required to the initial configuration of the SP software (in shibboleth2.xml, unless otherwise noted). These changes apply generically to any of the platforms and web servers, and are supplemented by additional work specific to the web server you're using.

  • Change the entityID attribute located in the <ApplicationDefaults> element to one that's appropriate for your service. An https:// URL is recommended, ideally containing a logical DNS hostname associated with your service that will not change over time as physical servers do. See the EntityNaming topic for more on this concept.
  • Customize the various HTML error templates and error properties specified in the <Errors> element. Obviously the software will still run if you skip this, but frankly if you don't do it up front there's a decent chance you won't do it later, and that looks bad for you and the software project as a whole. At least provide a suitable email address in the supportContact property.
  • For testing purposes, it's simplest to start with a single IdP and point the SP to it by modifying the entityID property in the <SSO> element. You will need to supply metadata for that IdP in the next step.
  • Supply or link to at least one IdP's metadata using one or more <MetadataProvider> elements. There are a few common scenarios for acquiring metadata:
    • Join a federation. Usually you will be provided with a certificate to use to verify the metadata's signature to ensure its validity. Most of the time the federation will provide you with detailed instructions or examples of how to configure the software, and you should follow those instructions.
    • Work with a dedicated, "local" IdP. This is common in internal deployments. With a single IdP, you may also be given explicit instructions on how to get and verify the metadata you need, or you may simply be forced to download the metadata and could be on your own in verifying its validity. Understand that the entire basis for your SP's security will typically come from that file.
    • If the metadata you need doesn't exist, then you will have to create it yourself. The information you'll need is typically at least its name (entityID), the location of its services, and its public key or certificate. An example file you can work from is also included with the SP.
  • Complete the configuration process that's specific to your web server. These topics include both initial and advanced/reference material, but are short enough to read and understand up front.

Most installations will also want to:

  • Adjust various session policy settings in the <Sessions> element.

Possible next steps: