Identity Provider Proxy | Shibboleth Resources

Sample Shibboleth configurations

Enabling Shibboleth Service Provider to consume Cirrus Proxy metadata

To enable a Shibboleth service provider to access the Cirrus Proxy metadata, add an additional MetadataProvider to your shibboleth2.xml configuration file as follows:

<!-- Non-social IdP's managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus, and _YOUR_PATH_ with the path to the Cirrus metadata-signing public key -->
<MetadataProvider type="XML" url=""
backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
            <MetadataFilter type="Signature" certificate="/_YOUR_PATH_/metadata-signing.crt"/>

Using a Shibboleth Service Provider with Cirrus Gateway and Cirrus Discovery

If you are using your SP directly with the Cirrus Gateway and not through a proxy, then you may use Cirrus's Discovery Service with your SP

<SSO discoveryProtocol="SAMLDS" discoveryURL="">
        SAML2 SAML1

Using a Shibboleth Service Provider with Cirrus Proxy

If you are using the Cirrus Identity Provider Proxy then you configure the SP to direct all logins to the Proxy.

<SSO entityID="">            
    SAML2 SAML1 

Scope Checking

Shibboleth SP performs scope checking for eduPersonPrincipalName and other scoped attributes. If you are using a Cirrus Proxy then scope checking is performed by the Proxy and the Proxy will pass through scoped attributes from the upstream IdP. If your Shibboleth SP also performs scope checking it may remove these scoped attributes that were asserted from the upstream IdP. You can adjust your shibboleth attribute-policy.xml configuration as shown below.

<afp:AttributeRule attributeID="eppn">
    <!-- Disabling default scope check because proxy may assert eppns from multiple upstream IdPs -->
    <!-- <afp:PermitValueRuleReference ref="ScopingRules"/> -->
    <afp:PermitValueRule xsi:type="ANY"/>