
Version 9 (modified by mshore2@…, 12 years ago)


Shibboleth / Setup SP Relying Party

This page documents how to set up an SP's relying party configuration in the IdP. Note that if an SP is a member of the InCommon Federation (and presumably any other federations we may join), it is not necessary to configure its metadata into our IdP. The only local configuration required is attribute release. When SP metadata configuration is required, use the following procedure:

  1. Check out the conf and metadata directories from the shib-svn repository.
    john@fearless:~/Junk$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
    A    conf/service.xml
    ...
    A    conf/login.config
    Checked out revision 1.
    john@fearless:~/Junk$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/metadata
    A    metadata/dauntless-metadata.xml
    ...
    A    metadata/unicorn3-metadata.xml
    Checked out revision 1.
    
  1. Add the SP's metadata to the shib-svn repository in the shib-svn/idp/metadata directory.
    john@fearless:~/Junk$ cp /tmp/idmt-1-metadata.xml metadata/
    john@fearless:~/Junk$ svn add metadata/idmt-1-metadata.xml 
    A         metadata/idmt-1-metadata.xml
    
  1. Add a stanza in the relying-party.xml config file to import the SP's metadata.
    john@fearless:~/Junk$ vi conf/relying-party.xml
    ...
            <!-- idmt-1.alaska.edu metadata -->
            <MetadataProvider id="idmt-1.alaska.edu" xsi:type="ResourceBackedMetadataProvider"
                xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataResource xsi:type="resource:FilesystemResource"
                    file="/opt/shibboleth-idp/metadata/idmt-1-metadata.xml" />
            </MetadataProvider>
    ...
    :wq!
    
  1. Commit the new metadata file and the changed relying-party.xml file into the shib-svn repository.
    john@fearless:~/Junk$ svn commit metadata/ -m "Added metadata from SP idmt-1"
    john@fearless:~/Junk$ svn commit conf/ -m "Added relying party config for SP idmt-1"
    
  1. Test and update the Shibboleth IdPs with the Test IdP Config Change procedure.
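
A pre-commit check for the metadata and relying-party.xml steps above, as an added example that is not part of the original page or the shib-svn repository. It flags SP metadata that lacks an entityID, SPSSODescriptor, AssertionConsumerService or certificate, or that uses a non-https ACS endpoint, and lists the files that relying-party.xml loads. The function names and the sample XML are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML 2.0 metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"     # XML Signature namespace (certificates)
SHIB = "{urn:mace:shibboleth:2.0:metadata}"     # namespace of the MetadataProvider stanza

def check_sp_metadata(xml_text):
    """Return a list of problems in one SP metadata file; an empty list means it passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    entities = list(root.iter(MD + "EntityDescriptor"))
    problems = [] if entities else ["no EntityDescriptor element"]
    for ent in entities:
        eid = ent.get("entityID") or "(missing entityID)"
        if not ent.get("entityID"):
            problems.append("EntityDescriptor has no entityID")
        sp = ent.find(MD + "SPSSODescriptor")
        if sp is None:
            problems.append(f"{eid}: no SPSSODescriptor, so this is not SP metadata")
            continue
        urls = [a.get("Location", "") for a in sp.iter(MD + "AssertionConsumerService")]
        if not urls:
            problems.append(f"{eid}: no AssertionConsumerService endpoint")
        problems += [f"{eid}: non-https ACS {u}" for u in urls if not u.lower().startswith("https://")]
        if next(sp.iter(DS + "X509Certificate"), None) is None:
            problems.append(f"{eid}: no X509Certificate for signing or encryption")
    return problems

def loaded_metadata_files(relying_party_xml):
    """Return the basename of every file that a MetadataResource in relying-party.xml loads."""
    root = ET.fromstring(relying_party_xml)
    return [os.path.basename(r.get("file", "")) for r in root.iter(SHIB + "MetadataResource")]

# Constructed sample inputs (not real metadata): the SP file has a cleartext ACS and no key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor></EntityDescriptor>"""
SAMPLE_STANZA = """<MetadataProvider id="sp.example.org" xmlns="urn:mace:shibboleth:2.0:metadata">
  <MetadataResource file="/opt/shibboleth-idp/metadata/sp-example-metadata.xml"/>
</MetadataProvider>"""

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA), loaded_metadata_files(SAMPLE_STANZA))
```

Run it on the new metadata file and the edited relying-party.xml before the svn commit; the new file's name should appear exactly once in the output of loaded_metadata_files.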
