Note

The configuration examples here are intended only for the specific versions of Shibboleth noted.

Upgrading from the InCommon WAYF

Configure a Shibboleth 1.x SP to use the InCommon Discovery Service

Note: As of June 30, 2010, Shibboleth 1.x is no longer supported by the Shibboleth Project, so you should upgrade your software as soon as possible.

A Shibboleth 1.x SP cannot take advantage of all the features of the new InCommon Discovery Service, so we recommend you upgrade your Shibboleth SP deployment as soon as you can. In the meantime, you can (and should) reconfigure your Shibboleth 1.x SP to use the InCommon Discovery Service instead of the InCommon WAYF as described below. The latter will be phased out and retired early in 2011.

If you're already using the InCommon WAYF, you will find something like the following in your SP 1.x configuration file (shibboleth.xml):

shibboleth.xml (old):

<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/InCommon/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

To point your SP at the new Discovery Service endpoint, make the following configuration change:

shibboleth.xml (new):

<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/DS/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

Since the InCommon Discovery Service is backwards compatible with the InCommon WAYF, the above configuration should work exactly the same as before.

The Location and id settings in the above examples are arbitrary and may vary by deployment.

Configure a Shibboleth 2.x SP to use the InCommon Discovery Service

At the very least, you should reconfigure your Shibboleth 2.x SP to use the InCommon Discovery Service instead of the InCommon WAYF. The latter will be phased out and retired early in 2011.

If you're already using the InCommon WAYF with Shibboleth 2.3.1 or earlier, you will find something like the following in your SP configuration file (shibboleth2.xml):

shibboleth2.xml (2.3.1 and earlier):

<SessionInitiator type="WAYF" URL="https://wayf.incommonfederation.org/InCommon/WAYF" />

To point your SP at the new Discovery Service endpoint, simply replace the URL setting with "https://wayf.incommonfederation.org/DS/WAYF".

Since the InCommon Discovery Service is backwards compatible with the InCommon WAYF, the above configuration should work exactly the same as before.

For SP 2.4 and later, the <SSO> element in shibboleth2.xml should be the following:

shibboleth2.xml (2.4 and later):

<SSO discoveryProtocol="WAYF" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
SAML2 SAML1
</SSO>

Upgrading to SAML V2.0

A SAML 2.0 FAQ is available here.

...

Configuring a Shibboleth 2.x SP to use the InCommon Discovery Service with SAML V2.0

Important! The InCommon Discovery Service, and the use of SAML V2.0, depend on SP metadata, so update your metadata now, before you configure your Shibboleth 2.x SP to use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol.

With the specific <SessionInitiator> configuration given below, or with version 2.4 and later, the location of the return endpoint (that is, the endpoint at the SP to which the DS returns the user once the preferred IdP has been chosen) is:

https://host/Shibboleth.sso/Login

where host is the hostname of your SP. Log in to the site admin web application, edit your SP's metadata, and add a <DiscoveryResponse> element with the above endpoint location.

...

shibboleth2.xml (2.3.1 and earlier):

<SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true" relayState="cookie">
     <SessionInitiator type="SAML2"
        defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html" />
     <SessionInitiator type="Shib1" defaultACSIndex="5" />
     <SessionInitiator type="SAMLDS" URL="https://wayf.incommonfederation.org/DS/WAYF" />
</SessionInitiator>

...

shibboleth2.xml (2.4 and later):

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
SAML2 SAML1
</SSO>
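As an added check that is not part of the original page or of the Shibboleth software, the following script audits a shibboleth2.xml fragment (either the <SessionInitiator> form or the <SSO> form) for discovery settings that still point at the retired WAYF endpoint, and confirms that SP metadata publishes the <DiscoveryResponse> the SAML DS protocol requires. The host sp.example.org and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

OLD_WAYF_URL = "https://wayf.incommonfederation.org/InCommon/WAYF"
NEW_DS_URL = "https://wayf.incommonfederation.org/DS/WAYF"
# Namespace of the SAML IdP Discovery Protocol metadata extension (DiscoveryResponse)
IDPDISC_NS = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

def audit_discovery_config(config_xml):
    """Return (protocol, url, status) for each discovery setting; handles both SP 2.x forms."""
    results = []
    for el in ET.fromstring(config_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the SP config namespace, if any
        if tag == "SessionInitiator":  # 2.3.1 and earlier
            proto, url = el.get("type"), el.get("URL")
        elif tag == "SSO":  # 2.4 and later
            proto, url = el.get("discoveryProtocol"), el.get("discoveryURL")
        else:
            continue
        if url is None:
            continue  # Chaining wrapper or a SAML2/Shib1 initiator: no discovery URL
        if url == OLD_WAYF_URL:
            status = "RETIRED: still points at the InCommon WAYF, switch to the DS URL"
        elif url == NEW_DS_URL and proto == "WAYF":
            status = "OK (legacy): DS reached via WAYF compatibility, no metadata change needed"
        elif url == NEW_DS_URL and proto == "SAMLDS":
            status = "OK: SAML DS protocol, SP metadata must publish a DiscoveryResponse"
        else:
            status = "UNKNOWN: unrecognised discovery protocol/URL pair"
        results.append((proto, url, status))
    return results

def metadata_has_discovery_response(metadata_xml, return_endpoint):
    """True if SP metadata lists a DiscoveryResponse whose Location is return_endpoint."""
    for el in ET.fromstring(metadata_xml).iter("{%s}DiscoveryResponse" % IDPDISC_NS):
        if el.get("Location") == return_endpoint and el.get("Binding") == IDPDISC_NS:
            return True
    return False

# Constructed sample: an SP 2.4 config that was never migrated off the WAYF
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
<SSO discoveryProtocol="WAYF" discoveryURL="%s">SAML2 SAML1</SSO></SPConfig>""" % OLD_WAYF_URL
# Constructed sample: SP metadata for the hypothetical host sp.example.org
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:idpdisc="%s" entityID="https://sp.example.org/shibboleth"><SPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><Extensions>
<idpdisc:DiscoveryResponse Binding="%s" index="1"
 Location="https://sp.example.org/Shibboleth.sso/Login"/></Extensions>
</SPSSODescriptor></EntityDescriptor>""" % (IDPDISC_NS, IDPDISC_NS)
```

Run it against your own shibboleth2.xml and the metadata you registered with InCommon; a RETIRED finding means the WAYF retirement will break login for that SP.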

...