custom entityID

Les LaCroix llacroix at
Thu Aug 6 17:37:34 UTC 2020


I don't know your circumstances, but I would think that the first answer is
to push back very hard on the SP to figure out how to accept your IdP as it
is.  That's probably the second and third answer, too.

If I had to go the route you are trying, though, I would see if I have
another SAML provider already running for another reason, and maybe that
provider will work for your SP.  For instance, we have an AD FS instance
for apps that the vendor says they need AD FS, and so we do that to play
nice with vendor support.  Google and Azure can be configured as SAML
providers too, and although we haven't

Last resort for me would be to run a completely separate SAML provider.
Maybe it's something designed to be a proxy, or maybe it's just another
Shibboleth IdP instance that may or may not be completely independent from
your main Shibb instance.  I think it'd be easier for the rest of my team
to understand having a separate IdP instance that exists solely to support
a special-needs SP, rather than inserting an obscure configuration option.
Mainstream Shibboleth configuration is already pretty obscure to the rest
of my team.



*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455

On Thu, Aug 6, 2020 at 11:49 AM Donald Lohr <lohrda at> wrote:

> We've the need to use a different certificate for a SP than the default
> one in our IdP metadata. As a result, we made a copy of our IdP metadata
> and replaced the default cert with this new one and configured the
> credentials.xml and relying-party.xml files to use this.
> Also wanting for this SP to be different and not use our default entityID
> value, in that new IdP metadata file, we made a new entityID value.  But
> the SP is reporting that during a user login, we are sending over our
> default entityID.
> Is our goal doable?
> I noticed in the credentials.xml file is:
> *p:entityId-ref="entityID" />*
> Is the entityID here a variable, thus pulling my default value?
> On the Shibboleth wiki, using the search field, searching for
> *entityId-ref* does not return anything for me.
> Thanks,
> Don
> --
> D o n a l d   L o h r
> I n f o r m a t i o n   S y s t e m s
> J a m e s   M a d i s o n   U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list