...
| Code Block | ||
|---|---|---|
| ||
shibd.exe -check |
If the last line of the output is the following message, everything is as expected:
"overall configuration is loadable, check console fornon-fatal problems"If there is error, check log for detail. All the log files are in SP installation directory\var\log\shibboleth
4. Install X509 Certificate
As Shibboleth requires a certificate and key to encrypt and decrypt attribute assertions, an X509 certificate must be installed for it to work. Now that the shibboleth2.xml file has been updated, use the keygen.bat command in C:\opt\shibboleth-sp\etc\shibboleth to create new certificates with the hostname(server name) and entityID. Use the following format:
| Code Block | ||
|---|---|---|
| ||
keygen.bat -h idmwebserver.cit.cornell.edu -e entityID -y number of years to issue |
where the values for each are substituted accordingly
| Code Block | ||
|---|---|---|
| ||
keygen.bat -h idmwebserver.cit.cornell.edu -e shibtestsites.cit.cornell.edu -y 10 |
The 10 indicates the number of years for which the certificate is issued. You may specify a different value.
...
5. Get SP metadata
...
Restart IIS and the Shibboleth Daemon. The Shibboleth Daemon can be restarted using the Administrative Tools > Services navigation.
...
Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it
...
.
...
Open your downloaded file with text editor. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in IIS require Shibboleth authentication and you define them in shibboleth2.xml, you need to manually add consumer service url for each site in your SP's metadata.
For example, I get my SP's metadata from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata, in the metadata there should be a line like this:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
I also have shibtest1.cit.cornell.edu defined in shibboleth2.xml, I need to add AssertionConsumerService url for shibtest1.cit.cornell.edu like this
...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest1.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
Save your metadata file. You'll need to submit your SP's metadata in shibboleth integration request form.
Register Service Provider with Cornell Identity Provider
If your site is configured with test IDP, you don't have to submit Shibboleth integration request form because test IDP supports anonymous SP. You can start testing the authentication of your site.
For sites configured with prod IDP, submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of request form, select 'No' for question "Has the application service provider's metadata been published with InCommon?". Use text editor open your SP's metadata, copy the content of the metadata and paste it in the request form.Once the form is submitted, Identity Management get a Remedy case. We'll configure your SP in prod IDP in 1 - 2 business day. We'll notify you when the configuration is complete.
Test SP integration with IdP
Confirm that you are able to log in with your netID and that attributes are properly released.
- Using a web browser, visit the /secure directory (or other protected location) of your SP.
- If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
- After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session. Your browser should return a status page that show you all the attributes and values released to your SP.
...