Colorado State University

Shibboleth Service Provider - Additional Features

Modified on: Tue, Jan 7 2025 9:43 AM

Description

This article describes additional features that can be added to enhance your Shibboleth Service Provider.


Discovery Feed

Service Providers (SPs) that connect to multiple Identity Providers (IdPs) for authentication can use a Discovery Feed to give users a simple way to choose their authentication endpoint. Many members of the InCommon Federation host a single website with a discovery service that lets users select their institution, redirects them to their home institution's Identity Provider, and authenticates them into the application. The CSU System has only two Identity Providers, Production and Test; a discovery feed can be configured to offer both instances to applications that need to authenticate through either one (for example, systems used to test IdP functionality).


Figure: EDUCAUSE website's Discovery Service (screenshot showing Colorado State University as a selectable option)


IdP Metadata

The Shibboleth SP needs a MetadataProvider element for each IdP that should appear in the Discovery Feed.

  1. In the application server, open shibboleth2.xml in a text editor
    1. IIS: C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
    2. Linux: /etc/shibboleth/shibboleth2.xml
  2. Include a MetadataProvider element for each required IdP:

        <!-- CSU System TEST Metadata -->
        <MetadataProvider type="XML" url="https://shibidptest.colostate.edu/idp/shibboleth"
                          backingFilePath="c:\opt\shibboleth-sp\etc\shibboleth\shibidptest-metadata.xml" reloadInterval="7200">
        </MetadataProvider>

        <!-- CSU Federation PROD Metadata -->
        <MetadataProvider type="XML" url="https://csufederation.acns.colostate.edu/csufederation-metadata.xml"
                          backingFilePath="c:\opt\shibboleth-sp\etc\shibboleth\csufederation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="C:\opt\shibboleth-sp\etc\shibboleth\csufederation-metadata-cert.pem" verifyBackup="false"/>
            <MetadataFilter type="Include">
                <Include>https://shibidp.colostate.edu/idp/shibboleth</Include>
            </MetadataFilter>
        </MetadataProvider>

     Note that in this example only the PROD provider verifies the metadata signature and validUntil window; the TEST provider relies on the HTTPS download alone.


  3. Save
  4. Do not restart the Shibboleth service yet

DiscoFeed Handler


  1. In shibboleth2.xml, locate the Handler elements (near the bottom of the file)
    1. Confirm the DiscoveryFeed Handler is listed and not commented out:

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <!-- acl="129.82.xxx.xxx 127.0.0.1 ::1"-->
        <Handler type="Status" Location="/Status"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

       The acl attribute on the Status handler is commented out in this excerpt; in production, restrict that handler to the addresses that need it.


    2. Save
    3. Do not restart the Shibboleth service yet

discovery.html files

  1. Attached to this article is a zipped folder, discovery.zip. Download this .zip and transfer it to your web server's web home (e.g. C:\web)
  2. Unzip discovery.zip in your web home. Your web home should now contain the following files and folders:
    • css/idpselect.css
    • js/
      • idpselect.js
      • idpselect_config.js
    • discovery.html
    • discovery.php
  3. These are basic templates; customize and rebrand them to suit your application after functionality is tested
  4. Save
  5. Do not restart the Shibboleth service yet

SSO tag

  1. In shibboleth2.xml, locate the SSO tag (near the top of the file)
    1. Replace the SSO tag that points to a specific IdP's entityID with an SSO tag that uses the discoveryProtocol:

        <!-- CSU-FoCo TEST IdP -->
        <!--    <SSO entityID="https://shibidptest.colostate.edu/idp/shibboleth">
                  SAML2
                </SSO> -->

        <!-- SSO Discovery Service ON/Off -->
        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://shibspwintest.colostate.edu/discovery.html">
          SAML2
        </SSO>

      • If you rename the discovery.html file in your web home, you must also update the discoveryURL in the SSO tag to match
    2. Save
    3. Restart the Shibboleth Daemon
      1. IIS: Services > Shibboleth Daemon > Right-Click > Restart
      2. Linux: systemctl restart shibd
    4. Restart your web application
      1. IIS: Internet Information Services (IIS) Manager > <application> > Restart
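
Once the daemon is back up, the DiscoveryFeed handler serves JSON at /Shibboleth.sso/DiscoFeed listing the IdPs it knows about. The script below is an added example (not from this article or from the Shibboleth project) that cross-checks that feed against the MetadataProvider elements configured above and flags providers with no Signature filter; the config excerpt and feed output it uses are constructed samples, and the single-entity rule for providers without an Include filter is an assumption that holds for an IdP's own /idp/shibboleth endpoint.

```python
"""Added example (not from the article or Shibboleth): every IdP configured via a
MetadataProvider should appear in the DiscoveryFeed handler's JSON, and each
provider should carry a Signature filter. Inputs below are constructed samples."""
import json
import xml.etree.ElementTree as ET

# Constructed shibboleth2.xml excerpt modelled on the article's two providers.
SHIB2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <MetadataProvider type="XML" url="https://shibidptest.colostate.edu/idp/shibboleth"
                    backingFilePath="shibidptest-metadata.xml" reloadInterval="7200"/>
  <MetadataProvider type="XML" url="https://csufederation.acns.colostate.edu/csufederation-metadata.xml"
                    backingFilePath="csufederation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="csufederation-metadata-cert.pem"/>
    <MetadataFilter type="Include">
      <Include>https://shibidp.colostate.edu/idp/shibboleth</Include>
    </MetadataFilter>
  </MetadataProvider>
</SPConfig>"""

# Constructed /Shibboleth.sso/DiscoFeed output: only the PROD IdP made it in.
DISCOFEED_JSON = """[{"entityID": "https://shibidp.colostate.edu/idp/shibboleth",
  "DisplayNames": [{"value": "Colorado State University", "lang": "en"}]}]"""

def _local(tag: str) -> str:
    """Drop the namespace so the check works with or without the SP xmlns."""
    return tag.rsplit("}", 1)[-1]

def expected_idps(shib2_xml: str) -> dict:
    """entityID -> True if its MetadataProvider has a Signature filter.
    Include filters list the entityIDs; a provider without one is treated as a
    single-IdP feed whose entityID equals its url (assumption; true for /idp/shibboleth)."""
    expected = {}
    for mp in ET.fromstring(shib2_xml).iter():
        if _local(mp.tag) != "MetadataProvider":
            continue
        filters = [f for f in mp if _local(f.tag) == "MetadataFilter"]
        signed = any(f.get("type") == "Signature" for f in filters)
        includes = [i.text.strip() for f in filters if f.get("type") == "Include"
                    for i in f if _local(i.tag) == "Include"]
        for entity_id in includes or [mp.get("url")]:
            expected[entity_id] = signed
    return expected

def check_discofeed(shib2_xml: str, discofeed_json: str) -> dict:
    """Report IdPs missing from the feed and providers with unsigned metadata."""
    expected = expected_idps(shib2_xml)
    in_feed = {entry["entityID"] for entry in json.loads(discofeed_json)}
    return {"missing": sorted(set(expected) - in_feed),
            "unsigned": sorted(e for e, s in expected.items() if not s)}
```

With the real files, read shibboleth2.xml from the path given above and fetch the feed from your SP's /Shibboleth.sso/DiscoFeed; an entry under "missing" usually means the metadata for that IdP failed to load, which the SP log will confirm.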

Duo MFA

Duo is the CSU System's selected tool for multi-factor authentication (MFA or 2FA). Learn more about Duo Two-Factor Authentication.


Single Sign-On (SSO) can be configured to use Duo as a second authentication factor following username and password. Duo can be configured to operate with SSO from either the Service Provider (SP) or the Identity Provider (IdP), but CSU Shibboleth SPs that require Duo should be configured in the SP (and not the IdP).


NOTE: before adding Duo to your Shibboleth SP, it is advisable to notify users and stakeholders.


  1. To start adding Duo to your application's Shibboleth SP, open shibboleth2.xml in a text editor
    • Windows/IIS: C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
    • Linux: /etc/shibboleth/shibboleth2.xml
  2. Locate the SSO element in the Sessions tag
    1. Add the attribute authnContextClassRef="http://colostate.edu/mfa" to the SSO tag (attribute order does not matter):

        <!-- SSO Discovery Feed with Duo MFA example -->
        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://yourwebsite.colostate.edu/discovery.html" authnContextClassRef="http://colostate.edu/mfa" forceAuthn="true" >
          SAML2
        </SSO>


  3. Save
  4. Restart the Shibboleth service to enable Duo MFA
    • Windows/IIS: Services > Shibboleth Daemon > Right-click > Restart
    • Linux: systemctl restart shibd
  5. Test in a browser (private/incognito window)
    • Review your Shibboleth SP logs if Duo does not prompt
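
The authnContextClassRef in the SSO tag is what the SP asks the IdP for; what actually happened is recorded in the session the SP exports to the application. The check below is an added example (not from this article or from the Shibboleth project) of an application verifying that its session really carries the requested MFA context, a trusted IdP, and a fresh authentication instant. It assumes the application can read the SP's exported variables Shib-Identity-Provider, Shib-AuthnContext-Class and Shib-Authentication-Instant from the request environment or headers, and the session values and clock it uses are constructed samples.

```python
"""Added example (not from the article or Shibboleth): an application-side check
that the session the SP established really carries the MFA context requested via
authnContextClassRef. Assumes the app can read the SP's exported session
variables (Shib-Identity-Provider, Shib-AuthnContext-Class,
Shib-Authentication-Instant) from the request environment or headers."""
from datetime import datetime, timedelta, timezone

REQUIRED_CONTEXT = "http://colostate.edu/mfa"          # value used in the article
TRUSTED_IDPS = {                                         # the two CSU System IdPs
    "https://shibidp.colostate.edu/idp/shibboleth",
    "https://shibidptest.colostate.edu/idp/shibboleth",
}
MAX_AUTHN_AGE = timedelta(hours=8)   # assumed application policy, not an SP setting

# Constructed samples of what the SP exports for two different sessions.
MFA_SESSION = {
    "Shib-Identity-Provider": "https://shibidp.colostate.edu/idp/shibboleth",
    "Shib-AuthnContext-Class": "http://colostate.edu/mfa",
    "Shib-Authentication-Instant": "2025-01-07T16:43:12Z",
}
PASSWORD_ONLY_SESSION = {**MFA_SESSION, "Shib-AuthnContext-Class":
                         "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}
NOW = datetime(2025, 1, 7, 17, 0, tzinfo=timezone.utc)   # constructed clock value

def _parse_instant(value: str):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def mfa_session_ok(session: dict, now: datetime = None) -> tuple:
    """Return (ok, reason). Fails closed on an unexpected IdP, a context other
    than the one requested, or a stale or unparseable authentication instant."""
    now = now or datetime.now(timezone.utc)
    idp = session.get("Shib-Identity-Provider", "")
    if idp not in TRUSTED_IDPS:
        return False, f"untrusted IdP {idp!r}"
    ctx = session.get("Shib-AuthnContext-Class", "")
    if ctx != REQUIRED_CONTEXT:
        return False, f"context {ctx!r} is not {REQUIRED_CONTEXT}"
    when = _parse_instant(session.get("Shib-Authentication-Instant", ""))
    if when is None:
        return False, "missing or unparseable Shib-Authentication-Instant"
    if now - when > MAX_AUTHN_AGE:
        return False, "authentication instant older than policy allows"
    return True, "ok"
```

If this check fails while Duo appeared to prompt, compare the reason string with the Shib-AuthnContext-Class shown by the /Session handler and the SP log entries for that login.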

Further Reading

Attachment: discovery.zip (13.2 KB, scanned for viruses)