The Identity Management team here at the U has done a great job rolling out the new Shibboleth (a SAML-based SSO solution) system.
I added quite a bit of documentation to https://wiki.umn.edu/ShibAuth to help people migrate, but I thought I'd clarify a few points that seem to get lost in the clutter.
An entityId is a way to group web applications that share the same set of metadata. What?!? If you have one, two, four, or twenty web servers that only need one attribute exposed (let's say username), then you only need one entityId for that group of servers.
You need one metadata XML file for each entityId. Given the statement above, that means that if you have multiple web apps / web servers using the same entityId, every single one of those servers needs to have an entry in that metadata file.
That means if you have 10 servers using 1 entityId, you'll need 1 metadata file with 1 public SSL cert in it (listed twice...), 1 contact info section, and then 10 sets of service listings.
A single set of service listings for me has 10 different entries. I think you can get away with fewer if you want, but that still means ~100 lines of service listings for 10 servers.
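To make the "one entityId, one cert listed twice, one contact, one set of service listings per server" shape concrete, here is an added example (mine, not from the post or the ShibAuth wiki) that generates SP metadata for several hosts sharing one entityId with Python's standard `xml.etree`. The entityId, hostnames, contact and certificate body are constructed placeholders; the handler paths under `/Shibboleth.sso/` are the Shibboleth SP defaults. The certificate appears in two `KeyDescriptor` elements (`use="signing"` and `use="encryption"`), which is the "listed twice" above, and the SAML metadata schema orders endpoints by element type, so the entries are grouped by type rather than by host.

```python
"""Build SAML 2.0 SP metadata for N web servers that share one entityId.

Added example; all concrete values below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders: one entityId for the whole group of servers.
ENTITY_ID = "https://sp.example.edu/shibboleth"
HOSTS = ["app1.example.edu", "app2.example.edu", "app3.example.edu"]
CERT_BODY = "MIIB...PLACEHOLDER-BASE64-CERT...IDAQAB"  # base64 body, no PEM header/footer
CONTACT = ("IDM Team", "idm@example.edu")

SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# Default Shibboleth SP handler paths and their bindings (name -> binding URI).
SLO_BINDINGS = {
    "SOAP": SOAP,
    "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}
ACS_BINDINGS = {
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "ECP": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
}


def _md(tag):
    return f"{{{MD}}}{tag}"


def build_metadata(entity_id=ENTITY_ID, hosts=HOSTS, cert=CERT_BODY, contact=CONTACT):
    """Return an EntityDescriptor element covering every host in `hosts`."""
    root = ET.Element(_md("EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, _md("SPSSODescriptor"),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")

    # The single certificate, listed twice: once for signing, once for encryption.
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, _md("KeyDescriptor"), use=use)
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert

    # Schema order inside SPSSODescriptor: ArtifactResolutionService*, SingleLogoutService*,
    # then AssertionConsumerService+. Indexed endpoints need a unique index per element type.
    for i, host in enumerate(hosts):
        ET.SubElement(sp, _md("ArtifactResolutionService"), Binding=SOAP,
                      Location=f"https://{host}/Shibboleth.sso/Artifact/SOAP", index=str(i))
    for host in hosts:
        for name, binding in SLO_BINDINGS.items():
            ET.SubElement(sp, _md("SingleLogoutService"), Binding=binding,
                          Location=f"https://{host}/Shibboleth.sso/SLO/{name}")
    acs_index = 0
    for host in hosts:
        for name, binding in ACS_BINDINGS.items():
            ET.SubElement(sp, _md("AssertionConsumerService"), Binding=binding,
                          Location=f"https://{host}/Shibboleth.sso/SAML2/{name}",
                          index=str(acs_index))
            acs_index += 1

    # One contact section for the whole entity; ContactPerson follows the role descriptor.
    cp = ET.SubElement(root, _md("ContactPerson"), contactType="technical")
    ET.SubElement(cp, _md("GivenName")).text = contact[0]
    ET.SubElement(cp, _md("EmailAddress")).text = f"mailto:{contact[1]}"
    return root


def endpoint_counts(root):
    """Count per-type entries, to see how the file grows with each added server."""
    sp = root.find(_md("SPSSODescriptor"))
    tags = ("KeyDescriptor", "ArtifactResolutionService",
            "SingleLogoutService", "AssertionConsumerService")
    return {t: len(sp.findall(_md(t))) for t in tags}


def hosts_with_acs(root):
    """Hosts that have at least one AssertionConsumerService entry.

    The IdP only returns assertions to locations it finds in the metadata, so a
    server left out of the file cannot complete a login, right entityId or not.
    """
    sp = root.find(_md("SPSSODescriptor"))
    return sorted({urlparse(e.get("Location")).hostname
                   for e in sp.findall(_md("AssertionConsumerService"))})


def acs_indices(root):
    """Index attributes of every AssertionConsumerService, for a uniqueness check."""
    sp = root.find(_md("SPSSODescriptor"))
    return [e.get("index") for e in sp.findall(_md("AssertionConsumerService"))]


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    md = build_metadata()
    print(to_xml(md))
    print(endpoint_counts(md))
```

Running it for three hosts prints one `EntityDescriptor` with two `KeyDescriptor` entries, one `ContactPerson`, and 27 endpoint elements (9 per host), which is where the "~100 lines for 10 servers" comes from. `hosts_with_acs` is a quick way to confirm that every server you expect to serve logins actually made it into the file before you hand it to the IdP team.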
I hope this clarifies things for you when you're setting up your Shibboleth implementations! If not, drop an email to the IDM team. They'll help you out!
