Shibboleth at NC State » Technical Documentation » IdP Version 3 Upgrade » Using IdP Test2 Servers

Using IdP Test2 Servers

We have a pair of new IdP servers setup for testing Shibboleth logins using the IdP version 3 software. These servers are:

• Test IdP2 Faculty/Staff/Students

  • entityID = https://idpt2.shib.ncsu.edu/idp/shibboleth
  • hostname = idpt2.shib.ncsu.edu
  • login databases = production WolfTech AD / Affiliates AD

• Test IdP2 Parents/Guests

  • entityID = https://affilt2.shib.ncsu.edu/idp/shibboleth
  • hostname = affilt2.shib.ncsu.edu
  • login database = production Parent tree on Affiliates AD

Metadata

The metadata for both of these servers is published in the NCSU Federation metadata published via our Federation Metadata Page.

Your SP should already be configured to use NCSU Federation metadata, in which case you have the new entries in place. If you need help configuring your SP to load our metadata, see How to load NCSU Federation Metadata.

The individual metadata entries may be downloaded separately from the Federation Metadata Page if you need them. One-time downloads are not recommended because you will not get updates, and there is no signature verification of the data that you use.

Using Test2 for All SP Logins

Configure your SP via /etc/shibboleth/shibboleth2.xml to default to one of the entityID's given above. This is described in the Service Provider Configuration document, in the section called Configure shibboleth.xml. There we set the default Identity Provider to our production IdP. Change that entity to the one of the test entityID's as needed. Remember to restart your shibd and webserver processes after making the change.

Using Login Links

Our Unity Login test service and Parent Login test service demos use lazy sessions with direct login links for each of the IdPs that they use.

The Unity test login URL looks like this: https://docs.shib.ncsu.edu/Shibboleth.sso/Login?entityID=https://idpt2.shib.ncsu.edu/idp/shibboleth&target=https://docs.shib.ncsu.edu/v3t2sp/unity.php

To construct a URL for your own service you will need to change these parts:

• Change the leading "https://docs.shib.ncsu.edu" to the correct URL where your site and SP server are running.
• Leave the "entityID=..." set as given.
• Change the "target=..." to the correct URL for the page that you want to return to after authentication.

When a user clicks on that link, they will go to the SP handler on your server. It will setup a SAML initialization message and send them to the IdP given by the entityID. When the IdP returns them to the SP handler, it will establish the SP session and return the user to the page given.

The Parent test login URL is the same, except that the entityID has been changed: https://docs.shib.ncsu.edu/Shibboleth.sso/Login?entityID=https://affilt2.shib.ncsu.edu/idp/shibboleth&target=https://docs.shib.ncsu.edu/v3t2sp/parent.php

The same changes need to be made to customize this URL for your service.

Parent Pass-Through Logins

Our Parent/Other system also supports a set of specific login IDs that will authenticate automatically without requiring the user to provide a password. These links are found on the Parent Login test service demo, and they are listed here:

• webapplicant: https://docs.shib.ncsu.edu/Shibboleth.sso/Login?entityID=https://affilt2.shib.ncsu.edu/idp/shibboleth&authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:webapplicant&target=https://docs.shib.ncsu.edu/v3t2sp/parent.php
• webapplicantdvm: https://docs.shib.ncsu.edu/Shibboleth.sso/Login?entityID=https://affilt2.shib.ncsu.edu/idp/shibboleth&authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:webapplicantdvm&target=https://docs.shib.ncsu.edu/v3t2sp/parent.php
• hrapplicant: https://docs.shib.ncsu.edu/Shibboleth.sso/Login?entityID=https://affilt2.shib.ncsu.edu/idp/shibboleth&authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:hrapplicant&target=https://docs.shib.ncsu.edu/v3t2sp/parent.php

To customize these links for your service, make the same changes described above for the other login links. Be sure to keep the entityID and authnContextClassRef pieces the same as given.

Changes to Note for Parent IdPs

• The Parent/Other IdP services have been split from the Unity IdP services onto their own servers. The IdP handler URLs have changed to use the new hostnames. They handler path is now always /idp/ for both parent and unity IdPs. For example:

  • Old v2 idpt2 parent url: https://idpt2.unity.ncsu.edu/other-idp/...
  • New v3 affilt2 parent url: https://affilt2.shib.ncsu.edu/idp/...

• The default scope for Parent/Other IdP logins has been changed from "ncsu.edu" to "affil.ncsu.edu" to differentiate accounts logging in to the two systems. This will most likely be noticed if you use the scoped eduPersonPrincipalName (EPPN) attribute, which will change. For example:

  • Old v2 EPPN might be: "P1_12345@ncsu.edu"
  • New v3 EPPN would be: "P1_12345@affil.ncsu.edu"

Logout Links

IdP version 3 has a standard logout page that is located at a different handler URL than the ones we have been using with IdP v2. We have also provided handlers at the same URLs that we were using previously, which should allow sites using Unity logins to continue to use the old links. Parent logins will need new links anyway, because of the IdP split explained in the previous section.

Best Practice: Use the v3 Logout Handler

Service providers should change to use the standard v3 logout handler. In the future, we will investigate using the Single Logout (SLO) options provided by this logout handler. If/when we implement it, your sites will automatically start to use it.

The logout handler URLs for the Test2 servers are:

• https://idpt2.shib.ncsu.edu/idp/profile/Logout
• https://affilt2.shib.ncsu.edu/idp/profile/Logout

These are terminal URLs. This means the user will logout of their IdP sessions and they will be shown a standard page. They will not be forwarded to another page.

Your application logout process should take care of terminating its own session, then forward the user to the SP handler to logout, and finally send the user to this IdP handler to logout there as well. The login demos do this using the return URL option on the SP logout handler, like this:

• https://docs.shib.ncsu.edu/Shibboleth.sso/Logout?return=https://idpt2.shib.ncsu.edu/idp/profile/Logout
• https://docs.shib.ncsu.edu/Shibboleth.sso/Logout?return=https://affilt2.shib.ncsu.edu/idp/profile/Logout

Remember to change the SP handler URL to your own server URL.

The MyPack Portal currently uses a hidden iframe to load the logout URL for the user without them seeing the output. That should continue to work using the new handler.

v2 Compatible Logout Handlers

The v2 logout handlers described on the Shibboleth Logout v2 page are still provided and should work as they did before. For the Test2 servers, those URLs are:

• Unity:
  • https://idpt2.shib.ncsu.edu/idp/logoutredir.jsp?return=...
  • https://idpt2.shib.ncsu.edu/idp/logout.jsp
  • https://idpt2.shib.ncsu.edu/idp/idplogout.jsp
• Parents/Others:
  • https://affilt2.shib.ncsu.edu/idp/logoutredir.jsp?return=...
  • https://affilt2.shib.ncsu.edu/idp/logout.jsp
  • https://affilt2.shib.ncsu.edu/idp/idplogout.jsp

The "logoutredir.jsp" page uses the same hidden-iframe trick to load the real logout handler before forwarding the browser along to the requested return URL. The other two handlers quietly forward the browser to the standard v3 logout handler URL.

---

Contact: shibboleth-help@ncsu.edu | Page last modified: February 25, 2016