Wiki Markup |
---|
IDP Configuration: *\[Shibboleth 2.0\]* |
To interoperate with NIH the following changes/additions need to be made to the Shibboleth configuration files (examples are from NIH/InCommon interop on a Shibboleth IdP running HA_Shib): |
*{+}SAML signing |
cert{+}* Please make sure that your IDP signing cert hasn't expired and it is loaded up to date in the InCommon metadata as our SP doesn't accept the assertions signed by an expired certificate. |
*1) Attributes* |
Make sure attribute-resolver.xml is configured to generate the
...
In attribute-resolver.xml:
<!- Inline Inline scope version of OID form of EPPN to support NIH SPs -> <resolver <resolver:AttributeDefinition id="urn:oid:1.3.6.1.4.1.5923.1.1.1.6-with-inline-scope"
...
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
...
scopeType="inline"/> </resolver:AttributeDefinition>
More info
https://spaces.at.internet2.edu/display/SHIB2/SAML1ScopedStringAttributeEncoder
...
In attribute-filter.xml release these attributes to NIH:
<!--
NIH: release oid version of EPPN, email, surname, givenName.
-->
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:OR">
...
To set it for NIH SPs only, in relying-party.xml (you can put this after the end of the DefaultRelyingParty element):
<!- NIH NIH: includeAttributeStatement true for ShibbolethSSOProfile -
> <RelyingParty id="https://federation.nih.gov/FederationGateway"
...
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
includeAttributeStatement includeAttributeStatement="true"/>
</RelyingParty>
<RelyingParty id="https://soadev.nih.gov/FederationGateway"
...
Please contact NIHFederationTechnicalSupport@mail.nih.govonce you have successfully logged in.