Version 2
Service Provider Single Server Configuration
/etc/shibboleth/shibboleth2.xml
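<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- Single-server SP. REMOTE_USER is populated from the "uid" attribute
       mapped in attribute-map.xml and released by attribute-policy.xml. -->
  <ApplicationDefaults
      entityID="https://pcr360.pcr.com/shibboleth-sp"
      REMOTE_USER="uid">

    <!-- NOTE(review): handlerSSL="false" allows the handlers under
         /Shibboleth.sso, including the SAML2/POST assertion consumer, to be
         reached over plain HTTP, so assertions posted there are not
         protected in transit (and the session cookie may not be either,
         depending on cookie settings not shown here). Set handlerSSL="true"
         once the host serves TLS. checkAddress="false" drops the client
         address check on the session; common behind NAT or proxies, but
         worth a deliberate decision. relayState="ss:mem" keeps relay state
         in shibd's own memory, which is fine for one shibd instance. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="false">

      <!-- A fixed IdP entityID is configured; when entityID is set the
           discovery settings are normally not used (confirm for the SP
           version deployed). -->
      <SSO entityID="https://shibboleth.pcr.com/idp/shibboleth"
           discoveryProtocol="SAMLDS"
           discoveryURL="https://shibboleth.pcr.com/DS/WAYF">
        SAML2 SAML1
      </SSO>
      <Logout>SAML2 Local</Logout>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status page restricted to localhost; keep the acl this narrow. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
      <!-- showAttributeValues="false" keeps attribute values off the /Session
           page; only attribute names are listed. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="help@pcr.com"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Federation metadata is the SP's trust anchor: it defines which IdP
         signing keys and endpoints are accepted. It is fetched over plain
         HTTP and no Signature MetadataFilter is configured, so nothing here
         verifies that the downloaded file is the genuine federation
         metadata. Install the federation's metadata signing certificate and
         add, inside this element, a filter such as
           <MetadataFilter type="Signature" certificate="<FEDERATION_SIGNING_CERT_PEM>"/>
         and, to reject stale or unbounded metadata,
           <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
         The leading space inside the original uri value has been removed;
         it would otherwise be part of the URL. -->
    <MetadataProvider type="XML"
                      uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                      backingFilePath="InCommon-metadata.xml"
                      reloadInterval="180000"/>

    <!-- validate="true" on these plugins schema-checks the named config file
         when it is loaded. -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP signing/encryption key pair. The private key file must be readable
         only by the shibd user. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>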
Service Provider Multiple Server Configuration
/etc/shibboleth/shibboleth2.xml
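<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- Production SP with a test override. Values written as <NAME> are
       placeholders to be replaced before use; the file is not well-formed
       XML while the angle brackets remain inside attribute values. -->
  <ApplicationDefaults
      entityID="https://<PROD_SERVER>/shibboleth-sp"
      REMOTE_USER="uid">

    <!-- NOTE(review): handlerSSL="false" allows the handlers under
         /Shibboleth.sso, including the SAML2/POST assertion consumer, to be
         reached over plain HTTP, so assertions posted there are not
         protected in transit. Set handlerSSL="true" once the host serves
         TLS. checkAddress="false" drops the client address check on the
         session. Note the production timeout (14400) differs from the test
         override below (3600); confirm that difference is intended. -->
    <Sessions lifetime="28800" timeout="14400" checkAddress="false"
              relayState="ss:mem" handlerSSL="false">

      <!-- The original discoveryURL here was the XML Signature namespace
           URI (http://www.w3.org/2000/09/xmldsig#), which is not a discovery
           service; it is replaced by a placeholder. With a fixed entityID
           set, discovery is normally not used anyway (confirm for the SP
           version deployed). -->
      <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
           discoveryProtocol="SAMLDS"
           discoveryURL="<CUSTOMER_DISCOVERY_SERVICE_URL>">
        SAML2 SAML1
      </SSO>
      <Logout>SAML2 Local</Logout>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status page restricted to localhost; keep the acl this narrow. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
      <!-- showAttributeValues="false" keeps attribute values off the /Session
           page; only attribute names are listed. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="help@pcr.com"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Metadata is the SP's trust anchor (accepted IdP keys and endpoints).
         No Signature MetadataFilter is configured, so the downloaded file is
         not verified against the federation's signing certificate; add
           <MetadataFilter type="Signature" certificate="<FEDERATION_SIGNING_CERT_PEM>"/>
         and
           <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
         inside this element once the certificate is installed. A stray
         quote character after type="XML" in the original has been removed;
         it made the file unparseable. -->
    <MetadataProvider type="XML"
                      uri="<CUSTOMER_METADATA_SERVER>"
                      backingFilePath="InCommon-metadata.xml"
                      reloadInterval="180000"/>

    <!-- validate="true" on these plugins schema-checks the named config file
         when it is loaded. -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Production key pair; the private key file must be readable only by
         the shibd user. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!-- Test application, selected by id from the web server's request
         settings (applicationId). It has its own entityID and its own key
         pair, so test credentials never sign or decrypt production traffic. -->
    <ApplicationOverride
        id="pcr360test"
        entityID="https://<TEST_SERVER>/shibboleth-sp"
        REMOTE_USER="uid">

      <!-- Same handlerSSL / checkAddress considerations as the production
           Sessions element above. -->
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false">
        <!-- discoveryURL placeholder replaces the original xmldsig
             namespace URI, as in the production SSO element. -->
        <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
             discoveryProtocol="SAMLDS"
             discoveryURL="<CUSTOMER_DISCOVERY_SERVICE_URL>">
          SAML2 SAML1
        </SSO>
        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
      </Sessions>

      <Errors supportContact="help@pcr.com"
              logoLocation="/shibboleth-sp/logo.jpg"
              styleSheet="/shibboleth-sp/main.css"/>

      <!-- This provider shares backingFilePath="InCommon-metadata.xml" with
           the production provider. If test and production ever point at
           different metadata sources, give each a distinct backingFilePath
           so one cached copy cannot overwrite the other. The same Signature
           filter advice as above applies here. -->
      <MetadataProvider type="XML"
                        uri="<CUSTOMER_METADATA_SERVER>"
                        backingFilePath="InCommon-metadata.xml"
                        reloadInterval="180000"/>

      <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
      <AttributeResolver type="Query" subjectMatch="true"/>
      <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

      <!-- Separate test key pair. -->
      <CredentialResolver type="File" key="sp-key-test.pem" certificate="sp-cert-test.pem"/>
    </ApplicationOverride>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>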
Troubleshooting
If for some reason you are getting an error during authentication, you may want to turn off validation.
opensaml::FatalProfileException at (https://pcr360.ucla.edu/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message.
Authenticating with Microsoft, for example, doesn’t use valid SAML2, and this can cause problems. Open /etc/shibboleth/shibboleth2.xml and modify the “validate” parameter. See the code snippet below:
Help Desk Portal - Email: help@pcr.com - Phone: 616.259.9242