</Host>
</RequestMap>
</RequestMapper>
In the Sessions element set the attributes handlerSSL="true" and cookieProps="https", so that the handler endpoints only accept TLS and the session cookie carries the secure flag. checkAddress can be set to true if you want to bind the session to the client IP address at login time (this can be problematic behind proxies or NAT, where many clients share one address or the address changes).
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact">
Replace the line <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> with the following to add information about your Service Provider to the generated metadata (the md: prefix is declared on the root element of the stock shibboleth2.xml; the mdui: namespace is declared inline here):
<Handler type="MetadataGenerator" Location="/Metadata" signing="false">
    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="de">Beispiel SP</mdui:DisplayName>
        <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
        <mdui:Description xml:lang="de">Eine Beschreibung für den SP</mdui:Description>
        <mdui:Description xml:lang="en">A description for the SP</mdui:Description>
    </mdui:UIInfo>
    <md:Organization>
        <md:OrganizationName xml:lang="de">RWTH Aachen University</md:OrganizationName>
        <md:OrganizationName xml:lang="en">RWTH Aachen University</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="de">RWTH Aachen University</md:OrganizationDisplayName>
        <md:OrganizationDisplayName xml:lang="en">RWTH Aachen University</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="de">http://www.rwth-aachen.de</md:OrganizationURL>
        <md:OrganizationURL xml:lang="en">http://www.rwth-aachen.de</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="support">
        <md:GivenName>Support</md:GivenName>
        <md:SurName>Adresse</md:SurName>
        <md:EmailAddress>support@sp.example.com</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Technischer</md:GivenName>
        <md:SurName>Ansprechpartner</md:SurName>
        <md:EmailAddress>technik@sp.example.com</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="administrative">
        <md:GivenName>Administrativer</md:GivenName>
        <md:SurName>Ansprechpartner</md:SurName>
        <md:EmailAddress>admin@sp.example.com</md:EmailAddress>
    </md:ContactPerson>
</Handler>
Replace the display names, descriptions, organization and contact details with your own information.
Add the standard metadata provider. The Signature filter is what makes the remotely loaded metadata trustworthy: without it, anything served from that URL (or injected on the way) would be accepted as a valid IdP.
<MetadataProvider type="Chaining">
    <!-- RWTH Aachen metadata -->
    <MetadataProvider type="XML" url="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml" backingFilePath="rwth.metadata.xml" reloadInterval="7200">
        <MetadataFilter type="Signature" certificate="/pfad/zu/sso.pem"/>
    </MetadataProvider>
</MetadataProvider>
Before the closing </ApplicationDefaults> add the following
<ApplicationOverride id="app" entityID="https://sp.example.com/app">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/app/Shibboleth.sso" handlerSSL="true" cookieProps="https">
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" relayState="cookie" entityID="https://login.rz.rwth-aachen.de/shibboleth">
            <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
            <SessionInitiator type="Shib1" acsIndex="5"/>
        </SessionInitiator>
    </Sessions>
</ApplicationOverride>
Add the private key and certificate in the CredentialResolver; they are used for signing and decrypting SAML data (the private key file must be readable only by the shibd user).
<CredentialResolver type="File" key="/Pfad/zum/Private/Key.pem" certificate="/Pfad/zum/Zertifikat.pem"/>
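Before loading the file with shibd it is worth checking the settings the steps above touch with a static lint, because shibd -t only reports whether the XML parses and the plugins load, not whether the settings are safe. The following script is an added example written for this page; it is not part of the Shibboleth distribution. It runs on the embedded constructed sample (which deliberately keeps the placeholder paths and one weak Sessions element) or on a real shibboleth2.xml given as the first argument, and it works for both the SP 2.x and 3.x configuration namespaces because it ignores the namespace prefix. The path_exists parameter is an assumption of this example, added so the check can run offline on constructed input.

```python
"""Static lint for the security-relevant settings in a Shibboleth SP
shibboleth2.xml. Added example, not part of the Shibboleth distribution."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the steps above. Placeholder paths and a
# weak Sessions element in ApplicationDefaults are left in on purpose.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.com/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="false" cookieProps="http"/>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" url="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml"
                        backingFilePath="rwth.metadata.xml" reloadInterval="7200">
        <MetadataFilter type="Signature" certificate="/pfad/zu/sso.pem"/>
      </MetadataProvider>
      <MetadataProvider type="XML" url="https://idp.example.org/metadata.xml"
                        backingFilePath="other.metadata.xml" reloadInterval="7200"/>
    </MetadataProvider>
    <CredentialResolver type="File" key="/Pfad/zum/Private/Key.pem"
                        certificate="/Pfad/zum/Zertifikat.pem"/>
    <ApplicationOverride id="app" entityID="https://sp.example.com/app">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="/app/Shibboleth.sso" handlerSSL="true" cookieProps="https"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Drop the namespace so SP 2.x and 3.x configs lint the same way."""
    return tag.rsplit("}", 1)[-1]


def lint_shibboleth_config(xml_text, path_exists=os.path.exists):
    """Return a list of (severity, message) findings; an empty list is clean.

    path_exists is injectable (an assumption of this example) so the lint can
    run offline against constructed input.
    """
    findings = []
    _walk(ET.fromstring(xml_text), [], findings, path_exists)
    return findings


def _walk(el, ancestors, findings, path_exists):
    name = _local(el.tag)
    # Name the scope so a finding says which override it belongs to.
    scope = next((f'ApplicationOverride id="{a.get("id")}"'
                  for a in reversed(ancestors) if _local(a.tag) == "ApplicationOverride"),
                 "ApplicationDefaults")

    if name == "Sessions":
        if el.get("handlerSSL", "").lower() != "true":
            findings.append(("HIGH", f'{scope}: Sessions handlerSSL is not "true"; '
                             "handler endpoints (ACS, logout) would accept plain HTTP"))
        if "https" not in el.get("cookieProps", "").lower():
            findings.append(("HIGH", f'{scope}: Sessions cookieProps is not "https"; '
                             "the session cookie could be sent without TLS"))
        if el.get("checkAddress", "").lower() == "true":
            findings.append(("INFO", f"{scope}: checkAddress=true binds sessions to the "
                             "client IP; expect login failures behind proxies or NAT"))

    elif name == "MetadataProvider" and el.get("url"):
        # Only filters directly on the remote provider are counted.
        filters = [c for c in el if _local(c.tag) == "MetadataFilter"]
        if not any(f.get("type") == "Signature" for f in filters):
            findings.append(("HIGH", f'remote MetadataProvider {el.get("url")} has no '
                             "Signature MetadataFilter; the feed is trusted unverified"))

    elif name == "MetadataFilter" and el.get("type") == "Signature":
        cert = el.get("certificate")
        if cert and not path_exists(cert):
            findings.append(("MEDIUM", f"Signature filter certificate {cert} not found "
                             "(still a placeholder path?)"))

    elif name == "CredentialResolver" and el.get("type") == "File":
        for attr in ("key", "certificate"):
            path = el.get(attr)
            if path and not path_exists(path):
                findings.append(("MEDIUM", f"CredentialResolver {attr} {path} not found "
                                 "(still a placeholder path?)"))

    for child in el:
        _walk(child, ancestors + [el], findings, path_exists)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for severity, message in lint_shibboleth_config(text):
        print(f"[{severity}] {message}")
```

Run it as python3 lint_shib.py /etc/shibboleth/shibboleth2.xml; on the embedded sample it reports the two weak Sessions attributes in ApplicationDefaults, the unsigned second metadata feed and the placeholder key and certificate paths, while the override that follows the steps above produces no finding.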
Test whether the configuration loads:
shibd -t
On RHEL-based systems (CentOS etc.) LD_LIBRARY_PATH must be extended first, otherwise shibd cannot find its libraries:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/
Restart the Shibboleth Service Provider daemon so the new configuration takes effect:
systemctl restart shibd