Australian Access Federation Support Desk

How to set up your service provider in multiple federations

by Paul Stepowski

This knowledge base article shows how to set up your service provider in both the AAF and the Tuakiri federation. The same configuration can be used to join your service provider to any number of federations.

First configure your service provider according to: http://wiki.aaf.edu.au/tech-info/sp-install-guide

Once you are sure that your service provider is working properly in the AAF, add the various discovery services to your shibboleth.xml:

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.test.aaf.edu.au/discovery/DS">
    SAML2 SAML1
</SSO>

<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>

<!-- manually defined additional DS initiators - without isDefault and with custom IDs and Locations -->
<SessionInitiator type="Chaining" Location="/DS-AAF-TEST" id="DS-AAF-TEST" relayState="cookie">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.test.aaf.edu.au/discovery/DS"/>
</SessionInitiator>

<SessionInitiator type="Chaining" Location="/DS-Tuakiri-TEST" id="DS-Tuakiri-TEST" relayState="cookie">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://directory.test.tuakiri.ac.nz/ds/DS"/>
</SessionInitiator>


Then make sure your service provider has access to the metadata from each federation by editing shibboleth.xml:


<MetadataProvider type="XML" uri="http://manager.test.aaf.edu.au/metadata/metadata.aaf.signed.complete.xml"
                  backingFilePath="metadata.aaf.xml" reloadInterval="3600">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="aaf-metadata-cert.pem"/>
</MetadataProvider>

<MetadataProvider type="XML" uri="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
                  backingFilePath="metadata.tuakiri-test.xml" reloadInterval="3600">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="tuakiri-test-metadata-cert.pem"/>
</MetadataProvider>


You will also need to download each federation's metadata signing certificate to your service provider and set permissions so the service provider can read it. The Signature filter is what verifies each feed against that certificate, so if the file is missing or unreadable the SP will log an error and not load that federation's metadata.

Then you need to edit Federation Registry so that your service provider metadata contains endpoints like:

<EntityDescriptor entityID="https://sp.example.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <!-- index 0 is the default /Login handler; the others match the Chaining SessionInitiator Locations above -->
      <dsr:DiscoveryResponse xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp.example.org/Shibboleth.sso/Login" index="0" isDefault="true" />
      <dsr:DiscoveryResponse xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp.example.org/Shibboleth.sso/DS-AAF-TEST" index="1" isDefault="false" />
      <dsr:DiscoveryResponse xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp.example.org/Shibboleth.sso/DS-Tuakiri-TEST" index="2" isDefault="false" />
    </Extensions>
  </SPSSODescriptor>
</EntityDescriptor>
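Before restarting, it is worth confirming that the two halves line up. The following Python script is an added check, not part of this article or of the Shibboleth project: it parses a shibboleth config and the SP metadata published to Federation Registry, and reports any MetadataProvider without Signature and RequireValidUntil filters and any DiscoveryResponse whose Location is not https or has no matching SessionInitiator. The config and metadata samples below are constructed for the demonstration, and the handler prefix /Shibboleth.sso is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SHIB = "{urn:mace:shibboleth:2.0:native:sp:config}"
DSR = "{urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol}"

def check_multi_federation(shib_xml, sp_metadata_xml, handler_prefix="/Shibboleth.sso"):
    findings = []
    cfg = ET.fromstring(shib_xml)
    # Each federation feed must be signature-checked and carry validUntil, or a tampered or stale feed is trusted.
    for mp in cfg.iter(SHIB + "MetadataProvider"):
        have = {f.get("type") for f in mp.findall(SHIB + "MetadataFilter")}
        for needed in ("Signature", "RequireValidUntil"):
            if needed not in have:
                findings.append(f"{mp.get('uri')}: missing {needed} filter")
    # Handler paths the SP answers on: <SSO> gives /Login, each Chaining initiator gives its Location.
    served = {si.get("Location") for si in cfg.iter(SHIB + "SessionInitiator")} - {None}
    if cfg.find(".//" + SHIB + "SSO") is not None:
        served.add("/Login")
    # Every published DiscoveryResponse must map to a served handler over https, or the DS returns users to a dead endpoint.
    for dr in ET.fromstring(sp_metadata_xml).iter(DSR + "DiscoveryResponse"):
        loc = dr.get("Location", "")
        url = urlparse(loc)
        if url.scheme != "https":
            findings.append(f"{loc}: DiscoveryResponse is not https")
        handler = url.path[len(handler_prefix):] if url.path.startswith(handler_prefix + "/") else None
        if handler not in served:
            findings.append(f"{loc}: no SessionInitiator serves this Location")
    return findings

# Constructed sample (assumed /Shibboleth.sso prefix) with two deliberate gaps: the Tuakiri feed
# lacks its Signature filter, and the metadata advertises a /DS-Tuakiri-PROD handler the SP does not serve.
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.test.aaf.edu.au/discovery/DS">SAML2 SAML1</SSO>
<SessionInitiator type="Chaining" Location="/DS-AAF-TEST" id="DS-AAF-TEST" relayState="cookie"/>
<SessionInitiator type="Chaining" Location="/DS-Tuakiri-TEST" id="DS-Tuakiri-TEST" relayState="cookie"/>
<MetadataProvider type="XML" uri="http://manager.test.aaf.edu.au/metadata/metadata.aaf.signed.complete.xml">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/><MetadataFilter type="Signature" certificate="aaf-metadata-cert.pem"/></MetadataProvider>
<MetadataProvider type="XML" uri="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/></MetadataProvider>
</SPConfig>"""
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
<dsr:DiscoveryResponse Location="https://sp.example.org/Shibboleth.sso/Login" index="0" isDefault="true"/>
<dsr:DiscoveryResponse Location="https://sp.example.org/Shibboleth.sso/DS-AAF-TEST" index="1"/>
<dsr:DiscoveryResponse Location="https://sp.example.org/Shibboleth.sso/DS-Tuakiri-TEST" index="2"/>
<dsr:DiscoveryResponse Location="https://sp.example.org/Shibboleth.sso/DS-Tuakiri-PROD" index="3"/>
</Extensions></SPSSODescriptor></EntityDescriptor>"""
```

Run it against your real shibboleth config and the metadata exported from Federation Registry; an empty list means the handlers and feeds agree.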


Then restart the Shibboleth service and wait for your service provider, and for the discovery services and IdPs of each federation, to download the updated metadata.

You should then be able to authenticate to your service provider via the respective federations using the URLs:

https://sp.example.org/Shibboleth.sso/DS-AAF-TEST
https://sp.example.org/Shibboleth.sso/DS-Tuakiri-TEST
