Dual IdP System
Young, Darren
Darren.Young at chicagobooth.edu
Mon May 18 19:13:08 EDT 2015
We have a Windows 2008R2 machine that currently works with one IdP and
we're trying to test it against another one. For this I'd like to use the
manual/static html local discovery in the SP and just type in the EntityID
for the IdP we want to hit. If I can get one working then I'll move on to
getting the SP in the other IdP and troubleshoot that. This is just a POC
of the 2 IdPs, hence the static html disco for now.
The SP is version 2.5.3 and lives at /Shibboleth.SSO, the IIS side is
working against the IdP we started with (uchicago).
The IIS site config in the SP is protecting the /secure path on the
machine and with one IdP hitting /secure/landing.aspx does what it's
supposed to do, sends you to the IdP login, then you come back.
The shibboleth2.xml file used to have an <SSO> entry for that one IdP:
<SSO entityID="urn:mace:incommon:uchicago.edu">
    SAML2
</SSO>
I replaced that with the following:
<!-- IdP chooser -->
<SessionInitiator type="Chaining" id="idpchooser"
    Location="/idpchooser">
    <SessionInitiator type="SAML2"
        template="C:\opt\shibboleth-sp\etc\shibboleth\bindingTemplate.html"/>
    <SessionInitiator type="Form"
        template="C:\opt\shibboleth-sp\etc\shibboleth\discoveryTemplate.html"/>
</SessionInitiator>
The discoveryTemplate.html file is out of the box, as is the
bindingTemplate.html file.
I also added this to the shibboleth2.xml file:
<!-- LogoutInitiators enable SP-initiated local or global/single logout of
sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
    relayState="cookie">
    <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
    <LogoutInitiator type="Local"/>
</LogoutInitiator>
And added legacyOrgNames="true" to the MetadataProvider in it.
Restart and I hit /secure/landing.aspx and I see the contents of the
discoveryTemplate.html page with the box to enter the EntityID in, I put
in urn:mace:uncommon:uchicago.edu and I get a 500 error from what appears
to be IIS (not the SP). Tried urldecode on the string as well just in case
it wasn't protected somewhere, same results.
I cranked the nativesp logs up to debug and didn't see anything of value
in there, the URL that tosses the 500 after I hit the 'Submit' button is
https://xxxx.xxxx.edu/Shibboleth.sso/idpchooser?target=ss%3Amem%3A8fc93d010b34835a04c9208c2f6afcbe4241faab7e5318a9457de092415f6c15&entityID=urn%3Amace%3Aincommon%3Auchicago.edu
What did I miss in my config? I was expecting to see the uchicago IdP
login page after I hit submit.
Thanks,
Darren Young
Systems & Security Architect
Information Technology
The University of Chicago
Booth School of Business
5807 South Woodlawn Ave
Chicago, Illinois 60637
Tel: 773.702.0331
www.ChicagoBooth.edu
<http://www.chicagobooth.edu/>
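Added example (not part of the post, and not code from the Shibboleth SP project): a small Python script that performs the checks worth running on a setup like the one described before digging into IIS. It confirms that the edited shibboleth2.xml is still well-formed XML (a stray typographic quote in an attribute value is enough to break it), lists which initiators the Chaining handler will try and in what order, and verifies that the entityID submitted by the discovery form is one the SP's metadata actually contains and that the request path matches the handler's Location. The SessionInitiator fragment, the set of known entityIDs and the handler base path /Shibboleth.sso are constructed or assumed for the example; against a real deployment you would feed it the deployed config file and the entityIDs from the MetadataProvider's feed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Constructed sample: the chained SessionInitiator from the post, with plain ASCII quotes.
# A real shibboleth2.xml wraps this in a namespaced <SPConfig>; local_name() below copes with both.
GOOD_FRAGMENT = """\
<SessionInitiator type="Chaining" id="idpchooser" Location="/idpchooser">
  <SessionInitiator type="SAML2"
      template="C:\\opt\\shibboleth-sp\\etc\\shibboleth\\bindingTemplate.html"/>
  <SessionInitiator type="Form"
      template="C:\\opt\\shibboleth-sp\\etc\\shibboleth\\discoveryTemplate.html"/>
</SessionInitiator>
"""

# Constructed sample: the same fragment with a typographic quote in the id attribute,
# the kind of defect a mail client or editor can introduce into a pasted config.
BAD_FRAGMENT = GOOD_FRAGMENT.replace('id="idpchooser"', 'id=\u201cidpchooser"', 1)

# Constructed sample of entityIDs the SP's metadata is assumed to contain (not real metadata).
KNOWN_ENTITY_IDS = {
    "urn:mace:incommon:uchicago.edu",
    "https://idp.example.org/idp/shibboleth",
}


def local_name(tag):
    """Drop any {namespace} prefix so element names compare the same in a bare fragment or a full config."""
    return tag.rsplit("}", 1)[-1]


def parse_error(xml_text):
    """Return None when the text is well-formed XML, otherwise the parser's error message."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def find_chain(xml_text, chain_id):
    """Return the Chaining SessionInitiator element with the given id, or None."""
    for el in ET.fromstring(xml_text).iter():
        if (local_name(el.tag) == "SessionInitiator"
                and el.get("type") == "Chaining" and el.get("id") == chain_id):
            return el
    return None


def describe_chain(xml_text, chain_id):
    """Return the (type, template) pairs of the chained initiators in the order the SP will try them."""
    chain = find_chain(xml_text, chain_id)
    if chain is None:
        raise ValueError(f"no Chaining SessionInitiator with id={chain_id!r}")
    return [(c.get("type"), c.get("template"))
            for c in chain if local_name(c.tag) == "SessionInitiator"]


def entity_id_from_request(url):
    """Extract the percent-decoded entityID parameter from the URL the discovery form submits to."""
    values = parse_qs(urlparse(url).query).get("entityID", [])
    return values[0] if values else None


def check_request(url, xml_text, chain_id, known_entity_ids=KNOWN_ENTITY_IDS,
                  handler_base="/Shibboleth.sso"):
    """Compare a submitted discovery-form URL against the config and metadata; return a list of findings."""
    findings = []
    chain = find_chain(xml_text, chain_id)
    if chain is None:
        return [f"config has no Chaining SessionInitiator with id={chain_id!r}"]
    path = urlparse(url).path
    expected = (handler_base + chain.get("Location", "")).lower()
    if path.lower() != expected:  # IIS paths are case-insensitive, so compare lowercased
        findings.append(f"request path {path!r} does not match handler {expected!r}")
    entity_id = entity_id_from_request(url)
    if entity_id is None:
        findings.append("request carries no entityID parameter")
    elif entity_id not in known_entity_ids:
        findings.append(f"entityID {entity_id!r} is not in the SP's metadata")
    return findings


if __name__ == "__main__":
    print("good fragment parse error:", parse_error(GOOD_FRAGMENT))
    print("bad fragment parse error:", parse_error(BAD_FRAGMENT))
    print("chain order:", describe_chain(GOOD_FRAGMENT, "idpchooser"))
    sample = ("https://sp.example.edu/Shibboleth.sso/idpchooser?target=ss%3Amem%3Aabc"
              "&entityID=urn%3Amace%3Auncommon%3Auchicago.edu")
    print("findings:", check_request(sample, GOOD_FRAGMENT, "idpchooser"))
```

An empty findings list from check_request means the handler path and entityID look right and the fault lies elsewhere (IIS module, template, or metadata loading); a non-empty list points at the exact value to correct before touching the rest of the config.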