Prerequisites
You have followed the instruction of "Install Shibboleth Service Provider(SP) 3.x on Windows and IIS" and configured the site with Cornell IDP.
Configuration
Weill Medical has its own Identity Provider with entityID "https://login.weill.cornell.edu/idp".
Open shibboleth2.xml, add Weill Medical IDP's metadata resolver inside <ApplicationDefaults .. > block
<MetadataProvider type="XML" validate="true" url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php" backingFilePath="weill-idp.xml" maxRefreshDelay="7200" />In shibboleth2.xml, find <SSO entityID=..> tag which is inside <Sessions> block and replace it with:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://shibtest.cit.cornell.edu/loginSelection.aspx">SAML2</SSO>
loginSelection.aspx is a page that you'll need to build(see below). You can name it what ever you like and host it on the same server or a different server. In this example, we name it loginSelection.aspx and store it at root of the site https://shibtest.cit.cornell.edu. Make sure your login selection page doesn't require authentication.
- Build login selection page that allow user to choose "Cornell NetID" or "Weill Medical ID" to login. The design of the page is totally up to you. Here is an example:
What's the url should I send user to after use choose the login type?
When user access your site that require authentication, user will be redirected to this login selection page. Here is the example of url to your login selection page: https://shibtest.cit.cornell.edu/loginSelection.aspx?entityID=shibtestsites.cit.cornell.edu&return=https%3A%2F%2Fshibtest.security.cucloud.net%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253Abb98939caf6a03915ab8b6df13e6b5bb21f40bcec0319d0c8735bb5f91adba44
The redirect url contains a url parameter "return". Your login page need to get the value of the return parameter, then append the entityID of the corresponding IDP to that value. That forms the redirect url that you will send user to.
| User Choose | Redirect user to url |
|---|---|
| Cornell NetID | The value of return parameter&entityID=https%3A%2F%2Fshibidp.cit.cornell.edu%2Fidp%2Fshibboleth |
| WeillMedical ID | The value of return parameter&entityID=https%3A%2F%2Flogin.weill.cornell.edu%2Fidp |
Registration
Weill Medical IDP require SP's metadata registered with InCommon. If you haven't submitted Shibboleth integration request form yet, just mention your site also need to authenticate with Weill Medical IDP in the form. You also need to provide following information as they are required by InCommon:
- Technical Contact Email
- SP Display Name
- SP Logo HTTPS URL, Logo width(pixels), Logo width(pixels) - if you don't have your own, we'll use Cornell Logo
- SP Privacy Statement URL - if you don't have your own, we'll use https://www.dfa.cornell.edu/policy/policies/access-information-technology-data-and-monitoring-network-transmissions
If you already submitted Shibboleth integration request form, send your request to idmgmt@cornell.edu. Please provide all the information required above and indicate your SP's entityID.
Once we receive your request, we'll register your SP's metadata with InCommon.
InCommon require your SP's entityID starts with https://