• IT@UC Knowledge Base

 Shibboleth IdM: Setting up a UC Service Provider

 Guide for setting up an internal Shibboleth service provider.

Shibboleth IdM: Setting up a UC Service Provider

 Guide for setting up an internal Shibboleth service provider.

This is a guide for setting up an internal service provider for applications that wish to authentication with the Shibboleth IDP on https://login.uc.edu. It contains configuration examples and general recommendations. Different departments may need to adjust these settings for their own needs. Please read over the general installation documentation for the Shibboleth Service Provider located at http://shibboleth.internet2.edu. Once you have gone through the process of setting up the Win32 or Win64 Shibboleth Service Provider (SP) installation and configured the ISAPI filter, all that should need to be done is add our configuration files, modified to the needs of your particular server.


Shibboleth Official Wiki 



Shibboleth Service Provider Official Installation Documentation 

Install on Linux:


Install on Windows:



UC Configuration Package

The following is a basic configuration package containing only the files we modify for our Shibboleth-SP installation on a windows environment . For the advanced user, this should be all that is necessary to setup an SP. Be sure to adjust all the "example.uc.edu" URLs in the shibboleth2.xml to the DNS name of your particular service provider. A virtual directory must also be added called "/shibboleth-sp" pointing to C:\opt\shibboleth-sp\doc to ensure the LogOut image and stylesheet appear correctly. Please note the LogOut logo is for UC so if you are running an external service provider, you may wish to modify this with the logo for your organization.

The file
UC-Shibboleth-sp.example.zip contains the following:


Maps the header values to values readable by your code.


A logout page with a UC image and style.

etc/shib service restart.bat

A batch file to restart the Windows Shibboleth 2 Daemon Service. Some changes require a Service restart

The main configuration file for Shibboleth


A batch file that validates your Shibboleth configurations. This should always be run after making changes


Stylesheet for the local LogOut page

Image for the local LogOut page


Shibboleth.xml Primary Configuration Files


The following is the example shibboleth2.xml found in the configuration examples above.

Things to customize:

  The Site ID in the ISAPI section should match the Site ID specified for the site in IIS
  The Host in the request mapper should match the DNS name of the application server
  Path elements indicate which URL patterns are secured by Shibboleth. Subpaths can also be excluded.
   See the official Shibboleth documentation for more information
  The Entity ID is a unique identifier for the Service Provider. Please use the format of "https://example.uc.edu" as your Entity
    ID, changing "example" to your subdomain
  Session lifetime should be adjusted per your SP's requirements
  The Backing File path may need to be changed if you did not use the default installation location
  The following example sets the backingFilePath to the folder "C:\opt\shibboleth-sp\metadata" which must be created if it   
   does not exist


<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">

<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="2" name="example.uc.edu"/>




                   <RequestMapper type="Native">


<Host name="example.uc.edu" scheme="https">

<Path name="secure" authType="shibboleth" requireSession="true"/>

         <Path name="someApp" authType="shibboleth" requireSession="true"/>




<ApplicationDefaults entityID="https://example.uc.edu" REMOTE_USER="eppn persistent-id targeted-id">

<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https">

<SSO entityID="https://login.uc.edu/idp/shibboleth"> SAML2 SAML1</SSO>


<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>

<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
          <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl=""/>

<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>

<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>


<Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/uc_logo.gif" styleSheet="/shibboleth-sp/main.css"/>


<MetadataProvider type="Chaining">

<MetadataProvider type="XML" uri="https://login.uc.edu/idp/profile/Metadata/SAML"

backingFilePath="C:\opt\shibboleth-sp\metadata\login-metadata.xml" reloadInterval="7200">




<!-- Map to extract attributes from SAML assertions. -->

<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>


<!-- Use a SAML query if no attributes are supplied during SSO. -->

<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Default filtering policy for recognized attributes, lets other data pass. -->

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>


<!-- Simple file-based resolver for using a single keypair. -->

<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>




<!-- Policies that determine how to process and authenticate runtime messages. -->

<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

 <!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>



Adding SP Metadata


Note: In a clustered or load balanced environment where several servers server web content and applications, the keys (sp-cert.pem and sp-key.pem located in the C:\opt\shibboleth-sp\etc\shibboleth directory by default) must be the same on every server in the cluster or farm. Failure to do so will cause authentication to work with only one server. This will result in what will look like random login failures.


Once you've established a service provider, the University of Cincinnati must add your SP metadata URL to our Identity Provider (unless you are an InCommon member and are using your InCommon metadata. Your SP should be able to pull UC's metadata from the URL specified in the above shibboleth2.xml file. After adding your SPs metadata to our IDP and reloading it, the exchange will be complete allowing for a Federated Sign-on between the two systems.


Custom Local Logout Page

Be sure to add a virtual directory for the /shibboleth-sp path to display images and style sheets needed for the local logout page. This page can be customized with the localLogout.html in the etc directory.  If you are shibbolizing the root site, then be sure to add an exception so that /shibboleth-sp is excluded from authentication. The example is below.  It is recommended to leave in a statement indicating the user should close out his or her web browser after logging out, especially on public or shared computers.


<RequestMapper type="Native">

<Host name="example.uc.edu" scheme="https" authType="shibboleth" requireSession="true">

<Path name="shibboleth-sp" requireSession="false"/>




Rate this article - 1 to 5 Stars
Note: you must be signed in to use this feature