Shibboleth SP/iDP and ADFS 2.0 iDP to protect web pages

Renzo De Renzi renzos at
Wed Aug 8 03:10:50 EDT 2012

Hi, I've a CentOS 6.3 machine with working Shibboleth SP and iDP protecting 2 folders (/secure1 and /secure2) based on LDAP authentication. The Location tags of the shib.conf file look as follows:

<Location /secure1>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibExportAssertion On
  require uid user1
</Location>

<Location /secure2>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibExportAssertion On
  require uid user2
</Location>

The folders simply contain an index.php file that prints out the returned attributes, and everything works fine. Now, for test purposes, I created a third folder "/secure3" that I would like to protect with ADFS 2.0 authentication running on a different machine in the same network. I successfully exchanged metadata and the logs don't show errors on either side. The shibboleth2.xml file has been edited as follows ( points to the ADFS machine IP):

<!-- ADFS metadata -->
<MetadataProvider type="XML" uri=""
                  backingFilePath="federation-metadata.xml" reloadInterval="7200"/>

<!-- Locally iDP metadata. -->
<MetadataProvider type="XML" file="idp-metadata.xml"/>

I couldn't understand how to redirect the authentication of that folder to the ADFS 2.0 machine. I imagine it should be managed through the shib.conf and shibboleth2.xml files, but I did some tests changing AuthType in shib.conf from "shibboleth" to "adfs" with no success. I worked on the SessionInitiator tag in shibboleth2.xml as well, but to no avail; here is how it is now:

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
    <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    <SessionInitiator type="ADFS"/>
</SessionInitiator>

Even after reading the official documentation, the role of the defaultACSIndex tag is still not so clear to me.
Thanks a lot,
Renzo De Renzi
