Dual IdP System

Young, Darren Darren.Young at chicagobooth.edu
Mon May 18 19:13:08 EDT 2015

We have a Windows 2008R2 machine that currently works with one IdP and
we're trying to test it against another one. For this I'd like to use the
manual/static html local discovery in the SP and just type in the EntityID
for the IdP we want to hit. If I can get one working then I'll move on to
getting the SP in the other IdP and troubleshoot that. This is just a POC
of the 2 IdP hence the static html disco for now.

The SP is version 2.5.3 and lives at /Shibboleth.SSO, the IIS side is
working against the IdP we started with (uchicago).

The IIS site config in the SP is protecting the /secure path on the
machine and with one IdP hitting /secure/landing.aspx does what it's
supposed to do, sends you to the IdP login then you come back.

The shibboleth2.xml file used to have an <SSO> entry for that one IdP:

<SSO entityID="urn:mace:incommon:uchicago.edu">

I replaced that with the following:

<!-- IdP chooser -->
<SessionInitiator type="Chaining" id="idpchooser"
  <SessionInitiator type="SAML2"
  <SessionInitiator type="Form"

The discoveryTemplate.html file is out of the box, as is the
bindingTemplate.html file.

I also added this to the shibboleth2.xml file:

<!-- LogoutInitiators enable SP-initiated local or global/single logout of
sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
  <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
  <LogoutInitiator type="Local"/>

And added legacyOrgNames="true" to the MetadataProvider in it.

Restart and I hit /secure/landing.aspx and I see the contents of the
discoveryTemplate.html page with the box to enter the EntityID in, I put
in urn:mace:uncommon:uchicago.edu and I get a 500 error from what appears
to be IIS (not the SP). Tried urldecode on the string as well just in case
it wasn't protected somewhere, same results.

I cranked the nativesp logs up to debug and didn't see anything of value
in there, the URL that tosses the 500 after I hit the 'Submit' button is


What did I miss in my config? I was expecting to see the uchicago IdP
login page after I hit submit.


Darren Young
Systems & Security Architect
Information Technology
The University of Chicago
Booth School of Business
5807 South Woodlawn Ave
Chicago, Illinois 60637
Tel: 773.702.0331
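Two checks worth running before testing static discovery on an SP 2.x install, as an added example that is not part of this thread: that the Chaining SessionInitiator actually wraps a Form initiator, and that the EntityID typed into the discovery box is one the SP has loaded from its MetadataProvider (the SP cannot start SSO for an entityID it has no metadata for). The shibboleth2.xml and metadata fragments below are constructed stand-ins, not the poster's files; the namespace URIs are the real Shibboleth SP 2.x config and SAML metadata namespaces.

```python
"""Sanity-check a Shibboleth SP 2.x config before testing manual (Form) discovery."""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"   # shibboleth2.xml namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"       # SAML metadata namespace

# Constructed minimal shibboleth2.xml (stand-in, not the poster's real file).
SHIBBOLETH2_XML = f"""
<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions handlerURL="/Shibboleth.SSO">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idpchooser">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="Form" template="discoveryTemplate.html"/>
      </SessionInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed metadata as the MetadataProvider would load it (one IdP).
METADATA_XML = f"""
<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="urn:mace:incommon:uchicago.edu"/>
</EntitiesDescriptor>"""


def chain_has_form_initiator(config_xml):
    """True if some Chaining SessionInitiator contains a Form (static discovery) child."""
    root = ET.fromstring(config_xml)
    tag = f"{{{SP_NS}}}SessionInitiator"
    for chain in root.iter(tag):
        if chain.get("type") != "Chaining":
            continue
        if any(child.get("type") == "Form" for child in chain.findall(tag)):
            return True
    return False


def metadata_entity_ids(metadata_xml):
    """Set of entityIDs present in the loaded metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")}


def resolve_typed_entity_id(typed, metadata_xml):
    """Return the typed entityID if metadata knows it (exact match), else None."""
    typed = typed.strip()
    return typed if typed in metadata_entity_ids(metadata_xml) else None
```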
