Prerequisites
You have installed the Shibboleth Service Provider (SP) and configured it against the Cornell IdP.
Configuration
Weill Medical has its own Identity Provider with entityID "https://login.weill.cornell.edu/idp".
Open shibboleth2.xml and add a metadata provider for the Weill Medical IdP inside the <ApplicationDefaults ...> block, next to the one you already have for the Cornell IdP. The SP will only start a SAML exchange with an IdP whose metadata it can resolve, so without this entry the Weill Medical IdP cannot be selected at all.

```xml
<MetadataProvider type="XML" validate="true" url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php" backingFilePath="weill-idp.xml" maxRefreshDelay="7200" />
```

As written this provider carries no Signature MetadataFilter, so trust in the Weill IdP's signing keys rests on the TLS connection to login.weill.cornell.edu and on the cached backing file. Keep validate="true" and do not downgrade the url to http.
- In shibboleth2.xml, find the <SSO entityID="..."> tag inside the <Sessions> block and replace it with:

```xml
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://idselect.idm.cit.cornell.edu/idselect/select.html">SAML2</SSO>
```

Dropping the fixed entityID and setting discoveryProtocol="SAMLDS" stops the SP from sending every user straight to the Cornell IdP. Instead the SP redirects the browser to discoveryURL, the user picks an IdP there, and the SP then starts the SAML2 request to whichever IdP is sent back. The URL above is Cornell's idselect page; if you build your own selection page (the login page described in the next step), set discoveryURL to that page instead.

- Set up a login page on your site that lets the user choose "Cornell NetID" or "Weill Medical ID" to log in. The design of the page is entirely up to you. Here are ideas of what the page could look like:

login.aspx is a login page you need to build on your site. You can name it and store it wherever you like; in this example it is named login.aspx and stored at the root of the site.

When a user accesses a part of your site that requires authentication, the SP redirects them to this login page. The redirect URL carries a query parameter named return (under SAMLDS it also carries the SP's own entityID and, optionally, returnIDParam, the name of the parameter that must carry the choice; the default is entityID). Your login page must read the return value and, once the user has made a selection, send the browser to that URL with the chosen IdP's entityID appended (https://login.weill.cornell.edu/idp for Weill Medical). Treat return as untrusted input: redirect only to your own SP's discovery-response endpoint, otherwise the login page becomes an open redirector that anyone can point at an arbitrary site.
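The following is an added example, not code from the original page or from Cornell's login.aspx: it implements the logic the login page above has to perform, written in Python so it can be run and checked here. It parses the SAMLDS query the SP sends, rejects any return value that is not one of this SP's own discovery-response endpoints (the open-redirect check), honours returnIDParam, and appends the chosen IdP's entityID. The SP hostname in ALLOWED_RETURN_ENDPOINTS, the handler path, and the Cornell IdP entityID are assumptions; the Weill Medical entityID is the one given on this page.

```python
"""SAMLDS discovery response for a two-IdP login page (added example)."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# IdPs the user may pick, keyed by the value submitted from the login form.
IDP_CHOICES = {
    # Placeholder: use the entityID of the Cornell IdP you already configured.
    "cornell": "https://cornell-idp.example.edu/idp/shibboleth",
    # EntityID of the Weill Medical IdP, as given on this page.
    "weill": "https://login.weill.cornell.edu/idp",
}

# The SP's own discovery-response endpoint(s). `return` must point at one of
# these: it arrives in the query string and can be forged by anyone, so
# without this check the login page is an open redirector.
# Assumed SP hostname and default Shibboleth SP handler path.
ALLOWED_RETURN_ENDPOINTS = {
    "https://sp.example.cornell.edu/Shibboleth.sso/Login",
}


def return_url_is_allowed(return_url: str) -> bool:
    """True only for an https URL whose scheme+host+path is a known endpoint."""
    parts = urlsplit(return_url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return base in ALLOWED_RETURN_ENDPOINTS


def build_discovery_response(query: str, choice: str) -> str:
    """Build the URL to redirect the browser to after the user picks an IdP.

    `query` is the raw query string the SP sent to the login page; `choice`
    is the form value for the IdP the user selected. Raises ValueError for
    anything that must not be redirected.
    """
    params = parse_qs(query, keep_blank_values=True)
    return_url = params.get("return", [""])[0]
    if not return_url_is_allowed(return_url):
        raise ValueError("return is not one of this SP's discovery response endpoints")

    # Name of the parameter that carries the choice; SAMLDS default is entityID.
    id_param = params.get("returnIDParam", [""])[0] or "entityID"
    if not id_param.isidentifier():
        raise ValueError("returnIDParam must be a plain parameter name")

    if choice not in IDP_CHOICES:
        raise ValueError("unknown IdP selection")

    # Append the choice to whatever query the return URL already carries
    # (the SP's return normally includes SAMLDS=1 and target=...).
    parts = urlsplit(return_url)
    extra = urlencode({id_param: IDP_CHOICES[choice]})
    new_query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


# Constructed example of the query string the SP attaches when it redirects
# a user to the login page (values URL-encoded the way the SP sends them).
SAMPLE_QUERY = (
    "entityID=https%3A%2F%2Fsp.example.cornell.edu%2Fshibboleth"
    "&return=https%3A%2F%2Fsp.example.cornell.edu%2FShibboleth.sso%2FLogin"
    "%3FSAMLDS%3D1%26target%3Dhttps%253A%252F%252Fsp.example.cornell.edu%252Fsecure%252F"
)

if __name__ == "__main__":
    print(build_discovery_response(SAMPLE_QUERY, "weill"))
    try:
        build_discovery_response("return=https%3A%2F%2Fevil.example%2F", "weill")
    except ValueError as exc:
        print("rejected:", exc)
```

In a real page the value of `return` is read from the incoming request and the redirect is issued with an HTTP 302 after the user submits the form; the allow list should be generated from your SP's own hostname and handler location rather than typed by hand.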
To avoid a namespace collision between the two IdPs, define REMOTE_USER to use the value of eduPersonPrincipalName rather than a bare login name: a NetID and a Weill login consisting of the same characters can belong to two different people, whereas eduPersonPrincipalName is scoped (user@domain) and the SP's attribute policy only accepts a scoped value whose scope the asserting IdP is allowed to use according to its metadata. The name you put in REMOTE_USER must match an attribute id defined in attribute-map.xml.

```xml
<ApplicationDefaults entityID="xxxx" REMOTE_USER="eduPersonPrincipalName" ..>
```
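The following is an added example, not the Shibboleth SP's own code: it models the scope check the SP's attribute policy applies to scoped attributes, and uses it to show the collision the paragraph above warns about. The same local name asserted by both IdPs yields one REMOTE_USER when an unscoped attribute such as uid is used, two distinct values when eduPersonPrincipalName is used, and a value in the other institution's scope is rejected. The scope values and the Cornell IdP entityID are assumptions; the Weill Medical entityID is the one given on this page.

```python
"""Why REMOTE_USER should be eduPersonPrincipalName once two IdPs are trusted (added example)."""
from typing import Dict, Optional

# Scopes each IdP may assert, as published in its metadata via <shibmd:Scope>
# (assumed values for this example).
IDP_SCOPES = {
    "https://login.weill.cornell.edu/idp": {"weill.cornell.edu"},          # entityID from this page
    "https://cornell-idp.example.edu/idp/shibboleth": {"cornell.edu"},     # placeholder entityID
}


def accept_scoped(idp_entity_id: str, value: str) -> Optional[str]:
    """Return the normalised value if its scope belongs to the asserting IdP, else None."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    scope = scope.lower()
    if not local or scope not in IDP_SCOPES.get(idp_entity_id, set()):
        return None
    return f"{local}@{scope}"


def remote_user(idp_entity_id: str, attributes: Dict[str, str], key: str) -> Optional[str]:
    """Pick REMOTE_USER from released attributes the way REMOTE_USER="key" would.

    eduPersonPrincipalName goes through the scope check; an unscoped
    attribute such as uid is taken verbatim, which is where the collision
    comes from.
    """
    value = attributes.get(key, "")
    if key == "eduPersonPrincipalName":
        return accept_scoped(idp_entity_id, value)
    return value or None


# Constructed attribute sets: the same local name at both institutions, plus a
# value in Cornell's scope that the Weill IdP must not be allowed to assert.
WEILL = "https://login.weill.cornell.edu/idp"
CORNELL = "https://cornell-idp.example.edu/idp/shibboleth"
FROM_CORNELL = {"uid": "jd123", "eduPersonPrincipalName": "jd123@cornell.edu"}
FROM_WEILL = {"uid": "jd123", "eduPersonPrincipalName": "jd123@weill.cornell.edu"}
FORGED_BY_WEILL = {"uid": "jd123", "eduPersonPrincipalName": "jd123@cornell.edu"}


def collision_demo() -> Dict[str, bool]:
    """Compare what REMOTE_USER resolves to under uid versus eduPersonPrincipalName."""
    return {
        "uid_collides": remote_user(CORNELL, FROM_CORNELL, "uid")
        == remote_user(WEILL, FROM_WEILL, "uid"),
        "eppn_collides": remote_user(CORNELL, FROM_CORNELL, "eduPersonPrincipalName")
        == remote_user(WEILL, FROM_WEILL, "eduPersonPrincipalName"),
        "forged_scope_accepted": remote_user(WEILL, FORGED_BY_WEILL, "eduPersonPrincipalName")
        is not None,
    }


if __name__ == "__main__":
    print(collision_demo())
```

The real check lives in the SP's attribute-policy.xml (the scope rule applied to scoped attributes), so nothing here needs to be deployed; the point is that an unscoped REMOTE_USER silently merges two user populations, while a scoped one keeps them apart and lets the SP reject a forged scope.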
Registration
The Weill Medical IdP requires the SP's metadata to be registered with InCommon. If you have not yet submitted the Shibboleth integration request form, mention in the form that your site also needs to authenticate against the Weill Medical IdP. You also need to provide the following information, which InCommon requires:
- Technical contact email and administrative contact email
- SP display name
- SP logo HTTPS URL, logo width (pixels) and logo height (pixels); if you don't have your own, we'll use the Cornell logo
- SP privacy statement URL; if you don't have your own, we'll use https://www.dfa.cornell.edu/policy/policies/access-information-technology-data-and-monitoring-network-transmissions
If you have already submitted the Shibboleth integration request form, send your request to idmgmt@cornell.edu instead, providing all of the information listed above together with your SP's entityID.
Once we receive your request, we'll register your SP's metadata with InCommon.
Info: InCommon requires that your SP's entityID start with https://. The entityID is an identifier rather than a page that has to resolve, but it is the name Weill Medical and InCommon will trust, so choose one under a domain you control and keep it stable; changing it later means registering the SP again.