Dual IdP System
Darren.Young at chicagobooth.edu
Mon May 18 19:13:08 EDT 2015
We have a Windows 2008R2 machine that currently works with one IdP and
we're trying to test it against another one. For this I'd like to use the
manual/static html local discovery in the SP and just type in the EntityID
for the IdP we want to hit. If I can get one working then I'll move on to
getting the SP in the other IdP and troubleshoot that. This is just a POC
of the 2 IdP hence the static html disco for now.
The SP is version 2.5.3 and lives at /Shibboleth.SSO, the IIS side is
working against the IdP we started with (uchicago).
The IIS site config in the SP is protecting the /secure path on the
machine and with one IdP hitting /secure/landing.aspx does what it's
supposed to do, sends you to the IdP login then you come back.
The shibboleth2.xml file used to have an <SSO> entry for that one IdP:
I replaced that with the following:
<!-- IdP chooser -->
<SessionInitiator type="Chaining" id="idpchooser"
The discoveryTemplate.html file is out of the box, as is the
I also added this to the shibboleth2.xml file:
<!-- LogoutInitiators enable SP-initiated local or global/single logout of
<LogoutInitiator type="Chaining" Location="/Logout"
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
And added legacyOrgNames="true" to the MetadataProvider in it.
Restart and I hit /secure/landing.aspx and I see the contents of the
discoveryTemplate.html page with the box to enter the EntityID in, I put
in urn:mace:uncommon:uchicago.edu and I get a 500 error from what appears
to be IIS (not the SP). Tried urldecode on the string as well just in case
it wasn't protected somewhere, same results.
I cranked the nativesp logs up to debug and didn't see anything of value
in there, the URL that tosses the 500 after I hit the 'Submit' button is
What did I miss in my config? I was expecting to see the uchicago IdP
login page after I hit submit.
Systems & Security Architect
The University of Chicago
Booth School of Business
5807 South Woodlawn Ave
Chicago, Illinois 60637