For IT Pros
This page provides additional information on how to configure your Shibboleth installation in order to restrict access to members of the University of Illinois.
You want to use Shibboleth to restrict access to members of the University of Illinois, and not allow access by members of other universities.
At this point, you should have completed steps 1 through 5 in Shibboleth, Setting up a Service Provider.
This page explains step 6 (configuration) in more detail.
(If you haven't completed steps 6a.1 and 6a.2 yet:)
Open your localized shibboleth2.xml in a text editor and make the following changes.
In the line:
<ApplicationDefaults entityID="https://host.name.illinois.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
replace https://host.name.illinois.edu/shibboleth with the entity ID you chose previously.
In the line:
<Errors supportContact="someone@somewhere.com"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
replace someone@somewhere.com with the appropriate support email address for services on this server, /about.html with the path to your help pages, and /shibboleth-sp/main.css with the path to the CSS file used for your Shibboleth error templates, if any.
In the section that says:
<!--
Below setting will use Urbana campus
IDP only.
-->
<SSO entityID="urn:mace:incommon:uiuc.edu">
<SSO entityID="">
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://discovery.illinois.edu/discovery/DS">
In the metadata filter section that says:
<MetadataFilter type="Include">
<Include>urn:mace:incommon:uiuc.edu</Include>
</MetadataFilter>
The default configuration includes only the Urbana campus. In order to add the Springfield and Chicago campuses, you should add the following two lines before the closing of the MetadataFilter tag:
<Include>https://shibboleth.uic.edu/shibboleth</Include>
<Include>https://uisshibb1.uis.edu/idp/shibboleth</Include>
This copy of shibboleth2.xml is configured to restrict access to members of the University of Illinois, meaning that if someone tries to log in through a different IDP, the sessionError.html template will be returned to that person. You may want to customize that file to suit your site's look and feel.
Place the localized attribute-map.xml in the same directory as shibboleth2.xml.
(By default, this file contains attribute definitions for all of the attributes supported by the UIUC identity provider, but they're all commented out.)
If you want to determine which of the three campuses a person belongs to, you'll be interested in the eduPersonPrincipalName attribute.
The use of eduPersonPrincipalName is highly recommended for federated applications, while uid is not recommended. That's because two different people can have the same NetID or uid at two different institutions, but once you scope it (append @campus.edu to it), the identifier becomes unique.
Download https://md.itrust.illinois.edu/itrust-certs/itrust.pem and place it in the same directory as shibboleth2.xml.
This certificate is used to sign the I-Trust metadata. The signature validation metadata filter in your shibboleth2.xml references this file and tells Shibboleth to validate the signature on the I-Trust metadata whenever it downloads a new version.
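As an added example (not part of the original page or of the Shibboleth SP distribution), the following Python script audits a shibboleth2.xml for the two settings discussed above: whether the Include metadata filter covers all three University of Illinois IdPs rather than only Urbana, and whether a Signature metadata filter referencing itrust.pem is present. The embedded configuration is a constructed fragment; its MetadataProvider URL is a placeholder, and the checker ignores XML namespaces so it works on 2.x and 3.x config files alike.

```python
import xml.etree.ElementTree as ET

# The three University of Illinois IdP entity IDs named on this page.
ILLINOIS_IDPS = {
    "urn:mace:incommon:uiuc.edu",                  # Urbana
    "https://shibboleth.uic.edu/shibboleth",       # Chicago
    "https://uisshibb1.uis.edu/idp/shibboleth",    # Springfield
}

# Constructed shibboleth2.xml fragment with the default Urbana-only Include filter.
# Attributes irrelevant to the audit are omitted; the metadata URL is a placeholder.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://host.name.illinois.edu/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions>
      <SSO entityID="urn:mace:incommon:uiuc.edu">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" url="https://ITRUST-METADATA-URL-PLACEHOLDER">
      <MetadataFilter type="Signature" certificate="itrust.pem"/>
      <MetadataFilter type="Include">
        <Include>urn:mace:incommon:uiuc.edu</Include>
      </MetadataFilter>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

def local_name(tag):
    """Strip the XML namespace so 2.x and 3.x config files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def audit_illinois_restriction(xml_text):
    """Report missing/foreign IdPs in the Include filter and signature filter presence."""
    root = ET.fromstring(xml_text)
    included, include_filter, signature_ok = set(), False, False
    for elem in root.iter():
        name = local_name(elem.tag)
        if name == "MetadataFilter" and elem.get("type") == "Signature":
            # The certificate path may be relative to the config directory.
            signature_ok = (elem.get("certificate") or "").endswith("itrust.pem")
        elif name == "MetadataFilter" and elem.get("type") == "Include":
            include_filter = True
            included.update(c.text.strip() for c in elem
                            if local_name(c.tag) == "Include" and c.text)
    return {
        "include_filter": include_filter,        # False means any federation IdP is accepted
        "missing": sorted(ILLINOIS_IDPS - included),
        "foreign": sorted(included - ILLINOIS_IDPS),
        "signature_filter": signature_ok,
    }
```

Run against the sample, the audit reports the Chicago and Springfield IdPs as missing; adding the two Include lines from this page clears that finding.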
Next, continue from step 7 (restart and registration) in Shibboleth, Setting up a Service Provider.