AddIdP
- Rod Widdowson
- Scott Cantor
The amount of configuration the SP needs to accept assertions from a new IdP depends on how much special treatment that IdP will require compared to your defaults, and various aspects of the overall architecture, such as how discovery is being handled. The basic case is very simple: add the IdP's metadata to a metadata source referenced by a <MetadataProvider> defined in shibboleth2.xml, and you're done.
If you're using a single IdP, then you need to ensure its entityID is set in the <SSO> element to route requests to it, but in many cases you're adding "another" IdP, so by definition you have to work through the discovery problem and that's a very deployment-specific topic. Properly-federated services need to deploy a true discovery solution such as the Embedded Discovery Service. Non-federated applications often rely on host or path-driven rules for identifying the IdP, in which case you may be able to address this by adding an entityID setting to the <RequestMap> or an Apache command as applicable.
If you do need to treat an IdP specially in one of the following ways, read on.
Use a different SP entityID
This isn't a very good idea and should be avoided at all costs, but if you must...
Add a <RelyingParty> element to the <Application> configuration with a new Name matching the entityID of the IdP. The SP will name itself by a specified entityID attribute when it talks to the IdP with that Name.
This won't work if the legacy WAYF discovery protocol is used, but it will work with a modern DS.
Different cryptography requirements
Add a <RelyingParty> element to the <Application> configuration with a new Name matching the entityID of the IdP. Use a property like keyName="specialKey" to refer to a specific <CredentialResolver> containing a non-default key. You can also change the default encryption and signing settings, or the use of TLS to authenticate to other providers, but this is rarely required.
Special Attribute Rules
To apply special attribute filtering rules for a this IdP, add the rules to attribute-policy.xml. No <RelyingParty> settings are necessary.