
Prerequisites

You have followed the instructions in "Install Shibboleth Service Provider (SP) 3.x on Windows and IIS" and configured the site with the Cornell IdP.

Follow the instructions here to allow both Cornell NetID users and Weill Medical ID users to log in to your site:

  • In shibboleth2.xml, add a MetadataProvider for the Weill Medical IdP inside the <ApplicationDefaults ...> block:

      <MetadataProvider type="XML" validate="true"
                        url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php"
                        backingFilePath="weill-idp.xml" maxRefreshDelay="7200" />

    Add a MetadataProvider for the Cornell IdP as well if one is not defined yet:

      <MetadataProvider type="XML" validate="true"
                        url="https://shibidp.cit.cornell.edu/idp/shibboleth"
                        backingFilePath="cornell-idp.xml" maxRefreshDelay="7200" />

  • In shibboleth2.xml, find the <SSO ...> tag inside the <Sessions> block and replace it with:

          <SSO discoveryProtocol="SAMLDS" discoveryURL="https://shibtest.cit.cornell.edu/login.aspx">SAML2</SSO>

    login.aspx is a login page you need to build (see below). You can name it whatever you like and host it on the same server or a different one. In this example it is named login.aspx and stored at the root of the site https://shibtest.cit.cornell.edu.

  • Set up a login page that lets the user choose "Cornell NetID" or "Weill Medical ID" to log in. The design of the page is entirely up to you. Here are ideas of what the page could look like:
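The two shibboleth2.xml edits above, shown together as an added example (not the page's own configuration) so the nesting is clear. The SP entityID is the one that appears in the redirect URL later on this page; the Sessions attributes are the stock SP 3 defaults; the Signature filters and their certificate file names are assumptions and only apply if the IdP operator publishes a metadata signing certificate. Note that validate="true" only checks the downloaded metadata against the SAML schemas; trust in who published it rests on the https fetch and, where available, a Signature filter.

```xml
<!-- Added example fragment of shibboleth2.xml; elements not relevant to
     discovery (AttributeExtractor, CredentialResolver, handlers, ...) are
     omitted and stay as they were. -->
<ApplicationDefaults entityID="shibtestsites.cit.cornell.edu"
                     REMOTE_USER="eppn persistent-id targeted-id">

  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">
    <!-- Discovery instead of a fixed IdP entityID: the SP sends the user to
         login.aspx, which must send them back with the chosen IdP appended. -->
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://shibtest.cit.cornell.edu/login.aspx">SAML2</SSO>
    <!-- other Sessions handlers unchanged -->
  </Sessions>

  <!-- Cornell IdP metadata. validate="true" is schema validation only. -->
  <MetadataProvider type="XML" validate="true"
                    url="https://shibidp.cit.cornell.edu/idp/shibboleth"
                    backingFilePath="cornell-idp.xml" maxRefreshDelay="7200">
    <!-- Optional, only if the operator publishes a metadata signing
         certificate; the file name is an assumption:
         <MetadataFilter type="Signature" certificate="cornell-metadata-signer.pem"/> -->
  </MetadataProvider>

  <!-- Weill Medical IdP metadata. -->
  <MetadataProvider type="XML" validate="true"
                    url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php"
                    backingFilePath="weill-idp.xml" maxRefreshDelay="7200">
    <!-- Optional, same caveat as above; file name is an assumption:
         <MetadataFilter type="Signature" certificate="weill-metadata-signer.pem"/> -->
  </MetadataProvider>

</ApplicationDefaults>
```

After editing, restart the Shibboleth daemon and check that both backing files (cornell-idp.xml, weill-idp.xml) appear in the SP's data directory and that the SP log shows no metadata load errors; a MetadataProvider that fails to load makes the corresponding IdP choice fail at the next step.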

 

When a user accesses a part of your site that requires authentication, the SP redirects them to this login page. Here is an example of the redirect URL: https://shibtest.cit.cornell.edu/login.aspx?entityID=shibtestsites.cit.cornell.edu&return=https%3A%2F%2Fshibtest.security.cucloud.net%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253Abb98939caf6a03915ab8b6df13e6b5bb21f40bcec0319d0c8735bb5f91adba44

The redirect URL carries two parameters: entityID, which is your SP's own entityID (shibtestsites.cit.cornell.edu in the example), and return, which is the SP handler URL the user has to be sent back to. Your login page needs to read the value of the return parameter and use it to form the redirect URL after the user makes their login selection. Treat return as untrusted input: the SAML discovery profile expects the discovery page to check it against the SP's registered DiscoveryResponse endpoints, and at a minimum your page should only redirect to your own SP handler hosts. Otherwise anyone can link to your login page with a return value pointing at a site of their choosing.

  User chooses         Redirect user to URL
  Cornell NetID        <decoded value of return parameter>&entityID=https%3A%2F%2Fshibidp.cit.cornell.edu%2Fidp%2Fshibboleth
  Weill Medical ID     <decoded value of return parameter>&entityID=https%3A%2F%2Flogin.weill.cornell.edu%2Fidp

The decoded return value already contains a query string (SAMLDS=1&target=...), which is why the IdP entityID is appended with "&"; the entityID value itself must be URL-encoded as shown.
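The login page logic described above, as an added example that is not the page's own login.aspx code. It is written in JavaScript so it can run either in the browser (building the two buttons from location.search) or in Node for testing; the same checks apply if login.aspx does this server-side in C#. The IdP entityIDs, the SP handler hostnames and the example query string come from this page; the function names, the host allowlist and the error handling are this example's own assumptions.

```javascript
// Added example (not from the original page): build the post-selection
// redirect for a SAMLDS discovery page, rejecting open-redirect attempts.

// entityIDs of the two IdPs the user can choose between (from the page).
const IDP_ENTITY_IDS = {
  cornell: "https://shibidp.cit.cornell.edu/idp/shibboleth",
  weill: "https://login.weill.cornell.edu/idp",
};

// Only your own SP handler hosts may receive the user after selection.
// Without this check the "return" parameter turns the login page into an
// open redirector. Hostnames are assumed from the page's examples; put your
// real SP hosts here.
const ALLOWED_RETURN_HOSTS = new Set([
  "shibtest.security.cucloud.net",
  "shibtest.cit.cornell.edu",
]);

// Parse and validate the "return" URL the SP sent to the discovery page.
// Throws on anything that is not an absolute https URL to an allowed host.
function validateReturnUrl(ret) {
  let target;
  try {
    target = new URL(ret);
  } catch (e) {
    throw new Error("return is not an absolute URL");
  }
  if (target.protocol !== "https:") {
    throw new Error("return must use https");
  }
  if (!ALLOWED_RETURN_HOSTS.has(target.hostname)) {
    throw new Error("return host not allowed: " + target.hostname);
  }
  if (target.hash) {
    throw new Error("return must not carry a fragment");
  }
  return target;
}

// Build the URL to send the user to once they have picked an IdP.
// queryString: the query string the discovery page was called with
//              (e.g. location.search, with or without the leading "?")
// choice:      a key of IDP_ENTITY_IDS
function buildIdpRedirect(queryString, choice) {
  const params = new URLSearchParams(queryString);
  const ret = params.get("return"); // URLSearchParams already URL-decodes it
  if (!ret) throw new Error("missing return parameter");
  const idp = IDP_ENTITY_IDS[choice];
  if (!idp) throw new Error("unknown IdP choice: " + choice);

  const target = validateReturnUrl(ret);
  // The SP may name the parameter it wants the IdP entityID in (returnIDParam,
  // from the SAML IdP Discovery profile); Shibboleth SP defaults to entityID.
  const idParam = params.get("returnIDParam") || "entityID";
  // The decoded return value normally already has a query string
  // (SAMLDS=1&target=...), so append with "&"; fall back to "?" if it has none.
  const sep = target.search ? "&" : "?";
  return ret + sep + encodeURIComponent(idParam) + "=" + encodeURIComponent(idp);
}

// Convenience for rendering the page: one href per IdP button.
function loginLinks(queryString) {
  return {
    cornell: buildIdpRedirect(queryString, "cornell"),
    weill: buildIdpRedirect(queryString, "weill"),
  };
}

// Browser usage: wire two anchors (element ids are assumptions) to the links.
// In Node there is no window, so this block is skipped.
if (typeof window !== "undefined" && window.location) {
  try {
    const links = loginLinks(window.location.search);
    const cornell = document.getElementById("cornell-login");
    const weill = document.getElementById("weill-login");
    if (cornell) cornell.href = links.cornell;
    if (weill) weill.href = links.weill;
  } catch (e) {
    document.body.textContent = "Invalid login request.";
  }
}
```

With the example query string from this page, buildIdpRedirect(..., "cornell") yields exactly the Cornell NetID row of the table above; a return pointing at a host outside ALLOWED_RETURN_HOSTS, or using plain http, is rejected instead of being followed.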
