Prerequisites

You have installed Shibboleth Service Provider and configured it with Cornell IDP.

Configuration

Weill Medical has its own Identity Provider with entityID "https://login.weill.cornell.edu/idp".

  • Open shibboleth2.xml and add Weill Medical IDP's metadata resolver inside the <ApplicationDefaults .. > block:

    <MetadataProvider type="XML" validate="true"
                      url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php"
                      backingFilePath="weill-idp.xml" maxRefreshDelay="7200" />


  • In shibboleth2.xml, find the <SSO entityID=..> tag inside the <Sessions> block and replace it with:

    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://idselect.idm.cit.cornell.edu/idselect/select.html">SAML2</SSO>

  • To avoid namespace collisions, set REMOTE_USER to the value of eduPersonPrincipalName:

    <ApplicationDefaults entityID="xxxx"  REMOTE_USER="eduPersonPrincipalName" ..>
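
A checker for the three configuration steps above, as an added example that is not part of the original page or of Shibboleth itself: it parses a shibboleth2.xml and reports which step is still missing. The sample configuration, its SP entityID and its pinned IdP are constructed placeholders; the Weill metadata URL is the one given on this page.

```python
import xml.etree.ElementTree as ET

WEILL_METADATA_URL = "https://login.weill.cornell.edu/idp/saml2/idp/metadata.php"

# Constructed sample: a single-IdP configuration before the steps above are applied.
SAMPLE_BEFORE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth" REMOTE_USER="uid">
    <Sessions><SSO entityID="https://idp.example.edu/idp">SAML2</SSO></Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def find_all(root, name):
    """Match on the local tag name so the config's XML namespace does not matter."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def check_sp_config(xml_text):
    """Return a list of problems; an empty list means all three steps are in place."""
    apps = find_all(ET.fromstring(xml_text), "ApplicationDefaults")
    if not apps:
        return ["no <ApplicationDefaults> element"]
    app, problems = apps[0], []

    # Step 1: the Weill metadata resolver must sit inside <ApplicationDefaults>.
    weill = [p for p in find_all(app, "MetadataProvider")
             if p.get("url") == WEILL_METADATA_URL]
    if not weill:
        problems.append("Weill MetadataProvider missing from <ApplicationDefaults>")
    elif weill[0].get("validate") != "true":
        problems.append('Weill MetadataProvider does not set validate="true"')

    # Step 2: <SSO> inside <Sessions> must use discovery instead of one fixed IdP.
    sso = [s for sess in find_all(app, "Sessions") for s in find_all(sess, "SSO")]
    if not sso:
        problems.append("no <SSO> inside <Sessions>")
    else:
        if sso[0].get("entityID"):
            problems.append("<SSO> still pins a single IdP via entityID")
        if sso[0].get("discoveryProtocol") != "SAMLDS" or not sso[0].get("discoveryURL"):
            problems.append('<SSO> lacks discoveryProtocol="SAMLDS" or discoveryURL')

    # Step 3: REMOTE_USER must be eduPersonPrincipalName to avoid ID collisions.
    if app.get("REMOTE_USER") != "eduPersonPrincipalName":
        problems.append("REMOTE_USER is not eduPersonPrincipalName")
    return problems

if __name__ == "__main__":
    for problem in check_sp_config(SAMPLE_BEFORE):
        print("FAIL:", problem)
```
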


Registration

Weill Medical IDP requires the SP's metadata to be registered with InCommon. If you haven't submitted the Shibboleth integration request form yet, just mention in the form that your site also needs to authenticate with Weill Medical IDP. You also need to provide the following information, as it is required by InCommon:

If you have already submitted the Shibboleth integration request form, send your request to idmgmt@cornell.edu. Please provide all the information required above and indicate your SP's entityID.

Once we receive your request, we'll register your SP's metadata with InCommon.

Info

InCommon requires your SP's entityID to start with https://

Follow the instructions here to allow both Cornell NetID users and Weill Medical ID users to log in to your site:

  1. Set up a webpage on your site that allows the user to choose "Cornell NetID" or "Weill Medical ID" to log in. The design of the page is up to you. Here are ideas of what the page could look like:

Image Removed

...