Prerequisites
You have installed Shibboleth Service Provider and configured it with Cornell IDP.
Configuration
Weill Medical has its own Identity Provider with entityID "https://login.weill.cornell.edu/idp".
Open shibboleth2.xml, add Weill Medical IDP's metadata resolver inside <ApplicationDefaults .. > block
<MetadataProvider type="XML" validate="true" url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php" backingFilePath="weill-idp.xml" maxRefreshDelay="7200" />
- In shibboleth2.xml, find <SSO entityID=..> tag which is inside <Sessions> block and replace it with:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://idselect.idm.cit.cornell.edu/idselect/select.html">SAML2</SSO>
To avoid name space collision, define REMOTE_USER to use the value of eduPersonPrincipalName
<ApplicationDefaults entityID="xxxx" REMOTE_USER="eduPersonPrincipalName" ..>
Registration
Weill Medical IDP require SP's metadata registered with InCommon. If you haven't submitted Shibboleth integration request form yet, just mention your site also need to authenticate with Weill Medical IDP in the form. You also need to provide following information as they are required by InCommon:
- Technical Contact Email, Administrative contact email
- SP Display Name
- SP Logo HTTPS URL, Logo width(pixels), Logo width(pixels) - if you don't have your own, we'll use Cornell Logo
- SP Privacy Statement URL - if you don't have your own, we'll use https://www.dfa.cornell.edu/policy/policies/access-information-technology-data-and-monitoring-network-transmissions
If you already submitted Shibboleth integration request form, send your request to idmgmt@cornell.edu. Please provide all the information required above and indicate your SP's entityID.
Once we receive your request, we'll register your SP's metadata with InCommon.
InCommon require your SP's entityID starts with https://