How to Connect to a Shibboleth Test Environment
Please follow the steps below to connect your test application to the Shibboleth Test Environment.
Step 1: Determine what type of SAML product you are running
Depending on how you integrate with Shibboleth, the configuration steps differ. Home-grown applications typically run the Shibboleth Service Provider (SP) software. Most cloud vendors and SaaS products implement the SAML protocol themselves rather than running the Shibboleth SP.
Note: Perform these steps only in your application's test environment, never in production. They will only work if your test application is already registered with UCI's Shibboleth IdP. Please complete a Shibboleth Configuration Request if you still need to register your test application.
Check for existence of Shibboleth SP software
To determine whether your application is running the Shibboleth SP, check the following:
Linux
- Does the default install directory /etc/shibboleth exist?
- Is the shibd process running?
If the answer is yes to both, move on to Option 1. If not, move on to Option 2.
Windows
- Does the default install directory C:\opt\shibboleth-sp\etc\shibboleth exist?
- Does the Shibboleth SP appear in your Services Management Window?
If the answer is yes to both, move on to Option 1. If not, move on to Option 2.
Step 2: Configuring your SAML SP
Option 1: Shibboleth SP Software
Download the Shibboleth Test Environment Metadata
Download the Shibboleth Test Metadata and place it in your Shibboleth home directory (/etc/shibboleth on Linux, C:\opt\shibboleth-sp\etc\shibboleth on Windows). Save it under the file name that you will reference from shibboleth2.xml in the metadata step below (metadata.xml in these instructions).
Update the entityID configuration in your shibboleth2.xml
In shibboleth2.xml, located in your Shibboleth home directory, there should be a section similar to the one below. The entityID on the SSO element is the entityID of the IdP your SP sends users to.
<SSO entityID="urn:mace:incommon:uci.edu"> SAML2 </SSO>
If the entityID attribute has any other value, change it to "urn:mace:incommon:uci.edu".
Update the metadata configuration in your shibboleth2.xml
In shibboleth2.xml there should also be a MetadataProvider section similar to the one below. It loads the signed InCommon aggregate over the network and verifies the signature and validUntil date before trusting any IdP in it.
<MetadataProvider type="XML" validate="true"
    url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
    backingFilePath="InCommon-metadata-idp-only.xml" maxRefreshDelay="7200">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem" verifyBackup="false"/>
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
Comment out that block, add the following in its place, and save the file. The path is relative to the Shibboleth home directory, so it must match the file name you gave the downloaded test metadata.
<MetadataProvider type="XML" validate="true" path="metadata.xml"/>
Note that this local-file provider has no Signature or RequireValidUntil filter: the SP trusts whatever is in metadata.xml. That is acceptable for a test environment, but do not carry this change into a production configuration.
Restart Shibboleth
Restart the shibd process so it reloads shibboleth2.xml and the new metadata. On Linux, running shibd -t first reports any configuration errors before you restart the service (for example with systemctl restart shibd); on Windows, restart the Shibboleth SP service from the Services Management Window. If the web server module caches the old configuration, restart the web server as well.
Test your application
Navigate to your test application and attempt to log in. You should be redirected to https://login2.uci.edu. If you land on a different login page, the SP is still using the production metadata or endpoints; re-check the metadata path and entityID above and make sure shibd was actually restarted.
Option 2: Configuring your Cloud/SaaS product using SAML
Please note that these steps are generic, since every Cloud/SaaS product lays out its SAML configuration slightly differently.
Update your entityID
Find the IdP entityID in your vendor's SAML settings (often labelled Issuer, IdP Entity ID, or Identity Provider Entity ID). If its value is not "urn:mace:incommon:uci.edu", change it to that value.
Update your Shibboleth Metadata
Download the Shibboleth Test Metadata and replace the existing metadata file in your Cloud/SaaS SAML configuration.
Update your endpoints
If your Cloud/SaaS SAML configuration references the production IdP endpoints, replace each one with the matching staging endpoint, keeping the same binding:
- https://shib.service.uci.edu/idp/profile/SAML2/POST/SSO becomes https://shib-staging.service.uci.edu/idp/profile/SAML2/POST/SSO
- https://shib.service.uci.edu/idp/profile/SAML2/Redirect/SSO becomes https://shib-staging.service.uci.edu/idp/profile/SAML2/Redirect/SSO
Test your application
Navigate to your test application and attempt to log in. You should be redirected to https://login2.uci.edu. If you land on a different login page, the vendor configuration is still pointing at the production IdP; re-check the entityID, metadata, and endpoint settings above.
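Before pointing either kind of SP at the downloaded test metadata (the metadata step of Option 1 and the metadata and endpoint steps of Option 2), it is worth confirming that the file actually describes the staging IdP. The script below is an added example, not UCI's tooling: it parses an IdP metadata file with the Python standard library and checks that the entityID is urn:mace:incommon:uci.edu, that the HTTP-POST and HTTP-Redirect SingleSignOnService endpoints are https URLs on shib-staging.service.uci.edu, that validUntil has not passed, and that a signing certificate is present (reporting its SHA-256 fingerprint so you can compare it against what the IdP operators publish). The embedded metadata is a constructed sample with a placeholder certificate blob, not the real test metadata; the expected entityID and host are taken from the steps above.

```python
"""Sanity-check a SAML IdP metadata file before trusting it in an SP configuration.

Added example (not UCI's code). Expected entityID and staging host come from
the instructions above; the sample metadata below is constructed for the demo.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPECTED_ENTITY_ID = "urn:mace:incommon:uci.edu"
EXPECTED_HOST = "shib-staging.service.uci.edu"
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}


def check_idp_metadata(xml_text, expected_entity_id=EXPECTED_ENTITY_ID,
                       expected_host=EXPECTED_HOST, now=None):
    """Return (info, problems): a summary of the IdP and a list of findings."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # Accept a bare EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    problems = []
    idps = [e for e in entities if e.find("md:IDPSSODescriptor", NS) is not None]
    if len(idps) != 1:
        problems.append("expected exactly one IdP entity, found %d" % len(idps))
        return {}, problems
    idp = idps[0]
    entity_id = idp.get("entityID")
    if entity_id != expected_entity_id:
        problems.append("entityID is %r, expected %r" % (entity_id, expected_entity_id))
    # validUntil is an xs:dateTime in UTC; the SP refuses expired metadata, so check it up front.
    valid_until = idp.get("validUntil") or root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            problems.append("metadata expired at %s" % valid_until)
    desc = idp.find("md:IDPSSODescriptor", NS)
    sso = {}
    for svc in desc.findall("md:SingleSignOnService", NS):
        name = BINDINGS.get(svc.get("Binding"))
        if name is None:
            continue  # other bindings are not used by the steps above
        loc = svc.get("Location", "")
        sso[name] = loc
        parsed = urlparse(loc)
        if parsed.scheme != "https":
            problems.append("HTTP-%s SSO endpoint is not https: %s" % (name, loc))
        if parsed.hostname != expected_host:
            problems.append("HTTP-%s SSO endpoint host is %r, expected %r"
                            % (name, parsed.hostname, expected_host))
    for name in ("POST", "Redirect"):
        if name not in sso:
            problems.append("no HTTP-%s SingleSignOnService endpoint" % name)
    # SHA-256 over the DER certificate; a KeyDescriptor without "use" covers signing too.
    fingerprints = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no signing certificate in IDPSSODescriptor")
    return {"entityID": entity_id, "sso": sso, "signing_sha256": fingerprints}, problems


# Constructed sample standing in for the downloaded test metadata. The
# X509Certificate content is placeholder bytes, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:mace:incommon:uci.edu" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQFBgcICQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shib-staging.service.uci.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://shib-staging.service.uci.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_file(path):
    """Check a metadata file on disk (e.g. /etc/shibboleth/metadata.xml)."""
    with open(path, "rb") as fh:
        return check_idp_metadata(fh.read())


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info, problems = check_idp_metadata(text)
    print(info)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it against the file you placed in the Shibboleth home directory (python3 check_metadata.py /etc/shibboleth/metadata.xml); a non-zero exit with a host mismatch usually means you downloaded the production metadata by mistake.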