
The Shibboleth 1.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.


Adding an IdP to multiple federations is usually very straightforward. If there is no need for special certificates, behavior (e.g. NameIdentifier types), or a different providerId, all you need to do is point to the second federation's metadata with another MetadataProvider element and make sure your attribute release policies are appropriate for your trust relationships with each federation.

<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata" uri="/usr/local/shibboleth-idp/etc/newfederation-metadata.xml"/>

Things are more complicated if one or more of the following is needed. Follow the steps described for each special activity.

1. Different providerId

In most cases, there should be no need to define a new providerId. The new federation should be willing to accept your existing providerId. If not, then you must define a new <RelyingParty> element like the following:

<RelyingParty name="https://www.thenewfederation.org/providers" providerId="https://mynewproviderid.myhost.org/shibboleth/idp"> 
	<NameID nameMapping="shm"/>
</RelyingParty>

2. Different Credentials

Because the Shibboleth IdP uses the same PKI credentials both for signing assertions and for mutual TLS authentication, using a separate credential set for the new federation also requires a separate set of AA/Artifact endpoints, in addition to a special <RelyingParty> element. Both idp.xml and the SSL endpoints (the Apache ssl.conf) must be modified.

idp.xml:

<RelyingParty name="https://www.thenewfederation.org/providers" providerId="https://mynewproviderid.myhost.org/shibboleth/idp" signingCredential="newcreds"> 
	<NameID nameMapping="shm"/>
</RelyingParty>
<FileResolver Id="newcreds">
	<Key>
		<Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.key</Path>
	</Key>
	<Certificate>
		<Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.crt</Path>
	</Certificate>
</FileResolver>
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
	<Location>.+:(7443|8443)/shibboleth-idp/AA</Location>
</ProtocolHandler>
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
	<Location>.+:(7443|8443)/shibboleth-idp/Artifact</Location>
</ProtocolHandler>

ssl.conf:

Listen 7443

<VirtualHost _default_:7443>
	 SSLEngine on
	 SSLProtocol -All +SSLv3 +TLSv1
	 SSLHonorCipherOrder On
	 SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
	 SSLVerifyClient optional_no_ca
	 SSLVerifyDepth 10
	 SSLOptions +StdEnvVars +ExportCertData
	 SSLCertificateFile /usr/local/shibboleth-idp/etc/idp-newfed.crt
	 SSLCertificateKeyFile /usr/local/shibboleth-idp/etc/idp-newfed.key
	 ErrorLog logs/ssl_error_log
	 TransferLog logs/ssl_access_log
</VirtualHost>
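As an added consistency check (example code, not part of the Shibboleth documentation), the following Python script parses idp.xml and ssl.conf fragments like the ones above and confirms that each RelyingParty's signingCredential resolves to a FileResolver, that Apache presents the same key pair on a VirtualHost with client certificate verification enabled, and that an AA ProtocolHandler Location accepts requests on that port. The hostname idp.example.org and the embedded fragments are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

def vhosts(ssl_conf):
    """Map VirtualHost port -> {SSL directive: value} for each <VirtualHost> block."""
    return {m.group(1): dict(re.findall(r"^\s*(SSL\w+)\s+(\S+)", m.group(2), re.M))
            for m in re.finditer(r"<VirtualHost [^:>]*:(\d+)>(.*?)</VirtualHost>", ssl_conf, re.S)}

def check_credentials(idp_xml, ssl_conf):
    """Return problems found; an empty list means idp.xml and ssl.conf agree."""
    root = ET.fromstring(idp_xml)
    # FileResolver Id -> (key path, cert path), with the file: scheme dropped
    resolvers = {fr.get("Id"): (fr.findtext("Key/Path").removeprefix("file:"),
                                fr.findtext("Certificate/Path").removeprefix("file:"))
                 for fr in root.iter("FileResolver")}
    locations = [ph.findtext("Location") for ph in root.iter("ProtocolHandler")]
    hosts, problems = vhosts(ssl_conf), []
    for rp in root.iter("RelyingParty"):
        cred = rp.get("signingCredential")
        if cred is None:
            continue  # this relying party uses the IdP's default credential
        if cred not in resolvers:
            problems.append(f"{rp.get('name')}: no FileResolver Id={cred}")
            continue
        key, crt = resolvers[cred]
        # Signing and mutual TLS share one key pair, so Apache must serve the same files
        served = [p for p, d in hosts.items()
                  if d.get("SSLCertificateFile") == crt and d.get("SSLCertificateKeyFile") == key]
        if not served:
            problems.append(f"{cred}: no VirtualHost serves {crt}")
        for port in served:
            if hosts[port].get("SSLVerifyClient", "none") == "none":
                problems.append(f"port {port}: SSLVerifyClient off, SPs cannot present a client cert")
            url = f"https://idp.example.org:{port}/shibboleth-idp/AA"  # constructed hostname
            if not any(re.fullmatch(loc, url) for loc in locations):
                problems.append(f"port {port}: no ProtocolHandler Location matches {url}")
    return problems

# Constructed fragments mirroring the page's idp.xml and ssl.conf; not a real deployment.
IDP_XML = """<IdPConfig>
<RelyingParty name="https://www.thenewfederation.org/providers" providerId="https://mynewproviderid.myhost.org/shibboleth/idp" signingCredential="newcreds"><NameID nameMapping="shm"/></RelyingParty>
<FileResolver Id="newcreds"><Key><Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.key</Path></Key>
<Certificate><Path>file:/usr/local/shibboleth-idp/etc/idp-newfed.crt</Path></Certificate></FileResolver>
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler"><Location>.+:(7443|8443)/shibboleth-idp/AA</Location></ProtocolHandler>
</IdPConfig>"""
SSL_CONF = """Listen 7443
<VirtualHost _default_:7443>
 SSLVerifyClient optional_no_ca
 SSLCertificateFile /usr/local/shibboleth-idp/etc/idp-newfed.crt
 SSLCertificateKeyFile /usr/local/shibboleth-idp/etc/idp-newfed.key
</VirtualHost>"""
```

Running `check_credentials(IDP_XML, SSL_CONF)` on the fragments above returns an empty list; swapping the certificate in ssl.conf, disabling SSLVerifyClient, or narrowing the Location regex to port 8443 each produces a corresponding finding.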