This wiki topic shows how to configure the Shibboleth Service Provider (SP) for InCommon Wayfinder.
To configure your Shibboleth SP to use the InCommon Federation Discovery Service, you must publish your SP's metadata in InCommon. To guard against security compromises, the Discovery Service will only direct users to the Discovery Response Endpoint in your published metadata. If you have not done so, update your metadata first before you configure your Shibboleth 2.x SP to use InCommon Wayfinder.
With Shibboleth SP version 2.4 and later, the location of your Discovery Response Endpoint is:
| HTML |
|---|
https://<i>host</i>/Shibboleth.sso/Login |
where host is the hostname of your SP.
The same endpoint also applies for Shibboleth SP 2.3.1 or easier if you have configured your <SessionInitiator> according to the example provided in the Configure Shibboleth SP version 2.3.1 (or earlier) section below.
Configuring Shibboleth SP version 2.4 or later
For SP 2.4 and later, the <SSO> element in shibboleth2.xml should include the following:
| Code Block |
|---|
| title | shibboleth2.xml (2.4 and later) |
|---|
|
<SSO discoveryProtocol="SAMLDS"
discoveryURL="https://wayfinder.incommon.org/DS/WAYF">
...
</SSO>
|
Modify your SP 2.3.1 (or earlier) configuration file (shibboleth2.xml) to include a <SessionInitiator> of type SAMLDS, and URL pointing to https://wayfinder.incommon.org/DS/WAYF:
| Code Block |
|---|
| title | shibboleth2.xml (2.3.1 and earlier) |
|---|
|
<SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true" relayState="cookie">
<SessionInitiator type="SAML2"
defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html" />
<SessionInitiator type="Shib1" defaultACSIndex="5" />
<SessionInitiator type="SAMLDS" URL="https://wayfinder.incommon.org/DS/WAYF" />
</SessionInitiator>
|