How to minimize downtime for a production website when transitioning from CUWebAuth to Shibboleth?

When integrating your website with Shibboleth, you will need to submit a Shibboleth integration request form. After IDM receives the request, your SP's metadata will be configured in the Cornell Identity Provider (IDP). It may take as long as one business day for IDM to complete your request. Until your SP's metadata is loaded in the IDP, Shibboleth authentication won't work. To avoid a long downtime for your production website, we recommend that you make the transition in two steps and do it during maintenance hours.

  1. Prepare your Windows server for Shibboleth authentication: Follow our instructions to install and configure the Shibboleth SP. After you get your SP's metadata, copy shibboleth2.xml to shibboleth2-good.xml. Then edit shibboleth2.xml, comment out all of your Site definitions inside the <ISAPI> block, and save the file. Restart the Shibboleth daemon and the IIS server. This change disables Shibboleth authentication for your site. Submit your Shibboleth integration request.

    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <!-- <Site id="1" name="shibtest1.cit.cornell.edu"/> -->
        <!-- <Site id="2" name="shibtest2.cit.cornell.edu"/> -->
    </ISAPI>

  2. After IDM loads your SP's metadata into the IDP, go back to your server. Copy shibboleth2-good.xml to shibboleth2.xml. Restart the Shibboleth daemon and IIS. Close all your browsers to clear SSO credentials. Test your website's authentication. Confirm that Shibboleth authentication is working by checking the weblogin URL when you are prompted for your NetID and password: it should contain the URL parameter WAK0Service=https/shibidp.cit.cornell.edu@CIT.CORNELL.EDU. Then finish the login process. Once you see a successful login, you can delete the CUWebAuth config from the IIS handler mappings. Then restart IIS.
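
The two steps above as one script, added here as an example and not part of the original instructions. The config directory and the `shibd_default` service name are the Shibboleth SP installer defaults on Windows and are assumptions; adjust them for your server. The `-Mode` parameter is a name chosen for this example.

```powershell
# Added example. Run elevated. Paths and service name below are assumed defaults.
param(
    [ValidateSet('Disable', 'Restore')][string]$Mode = 'Disable',
    [string]$ConfigDir   = 'C:\opt\shibboleth-sp\etc\shibboleth',
    [string]$ShibService = 'shibd_default'
)
$ErrorActionPreference = 'Stop'
$live = Join-Path $ConfigDir 'shibboleth2.xml'
$good = Join-Path $ConfigDir 'shibboleth2-good.xml'

if ($Mode -eq 'Disable') {
    # Step 1: keep the working config, then comment out every <Site> under <ISAPI>.
    if (Test-Path $good) { throw "$good already exists; refusing to overwrite the known-good copy." }
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($live)
    # local-name() matches regardless of the namespace declared in the file.
    $sites = @($xml.SelectNodes("//*[local-name()='ISAPI']/*[local-name()='Site']"))
    if ($sites.Count -eq 0) { throw "No <Site> elements found inside <ISAPI> in $live." }
    foreach ($site in $sites) {
        $text = $site.OuterXml
        # XML comments cannot contain '--' (nested comments, some hostnames).
        if ($text.Contains('--')) {
            throw "Site '$($site.GetAttribute('name'))' contains '--'; comment it out by hand."
        }
        [void]$site.ParentNode.ReplaceChild($xml.CreateComment(" $text "), $site)
    }
    Copy-Item $live $good      # the file on disk is still the unmodified config here
    $xml.Save($live)
    Write-Host "Commented out $($sites.Count) Site element(s) in $live."
}
else {
    # Step 2: restore the known-good config once IDM has loaded the SP metadata.
    if (-not (Test-Path $good)) { throw "$good not found; nothing to restore." }
    Copy-Item $good $live -Force
}

# Stop before restarting anything if the resulting file is not well-formed XML.
[void][xml](Get-Content $live -Raw)
Restart-Service -Name $ShibService
& iisreset /restart
if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE." }
```

The script leaves the browser test and the removal of the CUWebAuth handler mapping as manual steps, since both depend on seeing a successful Shibboleth login first.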

 
