
Adding Endpoints to SP Metadata

Updated Information

As of IdP 2.4.0 it is no longer necessary to register every handler endpoint for a shared SP. See the document on how to Bypass Endpoint Checks in Metadata. The information below is kept for SPs that still register the full set of endpoints.


Previous Information

If you are Sharing an SP Entity among multiple hosts, you may need to register the handler endpoints for each of those hosts: the IdP only returns an assertion to an AssertionConsumerService location that appears in the SP's published metadata. These endpoints have to be added to your metadata, and the updated metadata must be accepted and published by the federation.

NCSU Federation - no editing required

We will take care of metadata edits for any Service Providers registered in our federation. When you register with the NCSU Federation, you provide us with your base metadata which includes a single set of endpoints. Any time you need to add additional hosts or other special handler paths, send us an email to request the update.

For example, this SP was registered for www.oit.ncsu.edu. It wants to add endpoints for www2.oit.ncsu.edu using either https or http, and for apps.oit.ncsu.edu using https only. Request an http endpoint only when a host genuinely cannot serve TLS: a SAML response posted to it, and the session cookie the SP sets afterwards, cross the network in the clear.

To: shibboleth-help@ncsu.edu
Subject: Additional endpoints for www.oit.ncsu.edu

Please add these endpoints to the metadata for our SP,
entityID = https://www.oit.ncsu.edu/sp/shibboleth

Add:
https://www2.oit.ncsu.edu/Shibboleth.sso
http://www2.oit.ncsu.edu/Shibboleth.sso
https://apps.oit.ncsu.edu/Shibboleth.sso

Once the endpoints have been added and the federation metadata has been republished, you would receive a reply like this.

From: help@ncsu.edu
Subject: Call 1234567: Additional endpoints for www.oit.ncsu.edu

Current endpoints for https://www.oit.ncsu.edu/sp/shibboleth
    https://www.oit.ncsu.edu/Shibboleth.sso
    https://www2.oit.ncsu.edu/Shibboleth.sso
    http://www2.oit.ncsu.edu/Shibboleth.sso
    https://apps.oit.ncsu.edu/Shibboleth.sso

This update has been added to the federation metadata and 
published. Please allow up to four hours for the servers
to load the update.

Managing Your Own Metadata

You may choose to maintain your own metadata if you prefer. You will be responsible for adding your own endpoints and making any other changes that you need for your sites. Whenever you make a change that needs to be published, mail it to us and we will update the federation metadata.

We recommend that you use the metadata generator provided by your SP handler. That handler is usually located at /Shibboleth.sso/Metadata. Use wget or something similar to save the generated metadata to a file that you can edit.

wget -O mysp-metadata.xml https://yourserver.ncsu.edu/Shibboleth.sso/Metadata

Alternately, you can always download the current NCSU federation metadata file, and then extract your service provider metadata out of the larger file.

Now start editing the file. You can remove the comment warning that this is example data from the top of the file. Look near the bottom of the file to find the AssertionConsumerService elements and their Binding attributes. These are the endpoints that need to be duplicated for each additional handler that will be sharing this SP Entity. There are usually six bindings for each handler, and each AssertionConsumerService carries an index attribute that must be unique within the SP.

<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/POST"
    index="1"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/POST-SimpleSign" 
    index="2"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" 
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/Artifact" 
    index="3"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" 
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/ECP" 
    index="4"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" 
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML/POST" 
    index="5"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
    Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML/Artifact" 
    index="6"/>

To add endpoints for another host, copy the block above once per host, change the hostname in each Location, and continue the index numbering so that every index stays unique within the SP. For example, to add endpoints for https://apps.yourserver.ncsu.edu/Shibboleth.sso to the list above, the additional block would look like this:

<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML2/POST"
    index="7"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML2/POST-SimpleSign" 
    index="8"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" 
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML2/Artifact" 
    index="9"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" 
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML2/ECP" 
    index="10"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" 
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML/POST" 
    index="11"/>
<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
    Location="https://apps.yourserver.ncsu.edu/Shibboleth.sso/SAML/Artifact" 
    index="12"/>

This can be generated programmatically; if you ask us to manage endpoints for you, that is exactly what our scripts do.
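The script below is an added example, not NC State's own tooling or part of the Shibboleth SP. It covers both the extraction step mentioned earlier (pulling one EntityDescriptor out of a larger federation file) and the endpoint duplication shown above: it clones every AssertionConsumerService under the original handler for each new host, assigns fresh unique index values, inserts the copies next to the existing ones so the element order the metadata schema requires is preserved, skips locations that are already registered, and flags any endpoint that would be served over plain http. The sample metadata, the hostnames and the /Shibboleth.sso handler path are constructed assumptions.

```python
"""Extract one SP from metadata, list its endpoints, and add endpoints for
extra hosts sharing the entity.  Added example, not NC State's script.
Assumes the default Shibboleth SP handler path /Shibboleth.sso; all
hostnames are hypothetical."""
import copy
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"
SSO_TAG = f"{{{MD_NS}}}SPSSODescriptor"

# Constructed sample input: a trimmed copy of what /Shibboleth.sso/Metadata
# emits, keeping two of the six ACS bindings shown on this page.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://yourserver.ncsu.edu/sp/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/POST"
        index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://yourserver.ncsu.edu/Shibboleth.sso/SAML2/Artifact"
        index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def find_entity(root, entity_id):
    """Locate an EntityDescriptor by entityID.  Works on a single-SP file and
    on a federation aggregate (EntitiesDescriptor): iter() visits the root
    element itself and every descendant."""
    for ed in root.iter(ENTITY_TAG):
        if ed.get("entityID") == entity_id:
            return ed
    raise KeyError(f"no EntityDescriptor with entityID {entity_id}")


def list_endpoints(entity):
    """Return (index, binding, location) for every ACS, in document order."""
    return [(int(a.get("index")), a.get("Binding"), a.get("Location"))
            for a in entity.iter(ACS_TAG)]


def non_tls_endpoints(entity):
    """Locations served over plain http: the SAML response (and the session
    cookie the SP sets afterwards) would cross the network unencrypted."""
    return [loc for _, _, loc in list_endpoints(entity)
            if urlsplit(loc).scheme == "http"]


def add_handler_endpoints(entity, template_base, new_bases):
    """Copy every ACS under template_base (e.g. https://host/Shibboleth.sso)
    to each base in new_bases with a fresh unique index, inserting the copies
    directly after the existing ACS block so SPSSODescriptor keeps the child
    order the metadata schema requires.  Returns the Locations actually
    added; Locations that are already registered are skipped."""
    sso = entity.find(SSO_TAG)
    acs_list = list(sso.iter(ACS_TAG))
    existing = {a.get("Location") for a in acs_list}
    next_index = max((int(a.get("index")) for a in acs_list), default=0) + 1
    position = list(sso).index(acs_list[-1]) + 1 if acs_list else len(sso)
    templates = [a for a in acs_list
                 if a.get("Location").startswith(template_base + "/")]
    added = []
    for base in new_bases:
        for tmpl in templates:
            location = base + tmpl.get("Location")[len(template_base):]
            if location in existing:
                continue
            clone = copy.deepcopy(tmpl)
            clone.set("Location", location)
            clone.set("index", str(next_index))
            clone.attrib.pop("isDefault", None)  # at most one default ACS per SP
            sso.insert(position, clone)
            position += 1
            next_index += 1
            existing.add(location)
            added.append(location)
    return added


def build_example():
    """Run the whole flow on the constructed sample and return what an
    operator would want to check before mailing the file off."""
    base = "https://yourserver.ncsu.edu/Shibboleth.sso"
    new_bases = ["https://apps.yourserver.ncsu.edu/Shibboleth.sso",
                 "http://www2.yourserver.ncsu.edu/Shibboleth.sso"]
    root = ET.fromstring(SAMPLE_SP_METADATA)
    entity = find_entity(root, "https://yourserver.ncsu.edu/sp/shibboleth")
    added = add_handler_endpoints(entity, base, new_bases)
    readded = add_handler_endpoints(entity, base, new_bases)  # second run: no-op
    return {"added": added, "readded": readded,
            "indexes": [i for i, _, _ in list_endpoints(entity)],
            "plain_http": non_tls_endpoints(entity),
            "xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    result = build_example()
    print(result["xml"])
    for loc in result["plain_http"]:
        print("WARNING: non-TLS endpoint:", loc)
```

Run it against the real file with `ET.parse("mysp-metadata.xml").getroot()` in place of the embedded sample; feeding it the full federation aggregate also works, since find_entity searches by entityID. Anything reported by non_tls_endpoints deserves a second look before you ask for it to be published.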

Once you have made these changes to your metadata file (and perhaps other customizations), put the file on one of your servers where you can provide us with a download URL. Send us an email at shibboleth-help@ncsu.edu to request that we download the latest version from the given URL. We will then update the federation metadata, and republish.