CAF – Reference Shibboleth SP Configuration Settings

Configuring the Shibboleth Service Provider to load metadata

The Shibboleth Service provider can be downloaded from the Shibboleth site for Unix or Windows platforms. The instructions that follow are for basic configuration and encourage review of the recommended readings for more detail.

Recommended reading for Service Providers:

Adding FIM Production Aggregates to the Shibboleth Service Provider

To add the FIM Production aggregates as trusted by your IdP after installation, edit /etc/shibboleth/shibboleth2.xml file to add the following two MetadataProvider blocks – one for the Production Domestic Aggregate and one for the Production Inter-Federation Aggregate:

<MetadataProvider type="XML" uri="" backingFilePath="CAF-metadata.xml" reloadInterval="3600">            
             <MetadataFilter type="Signature" certificate="md_signer.crt"/>

<MetadataProvider type="XML" uri="" backingFilePath="caf_interfed_metadata.xml" reloadInterval="3600">

            <MetadataFilter type="Signature"  certificate="md_signer.crt"/>


Adding FIM Test Aggregate to the Shibboleth IdP

To add the FIM Test aggregate as trusted by your Service Providere, edit the /etc/shibboleth/shibboleth2.xml file to add the following MetadataProvider block:

<MetadataProvider type="XML" uri=""

Note that there is no signature verification on the Test Federation.

Configuring Shibboleth Service Provider to use FIM Central Discovery Service

Shibboleth Service Providers can be configured with a variety of different ways to assist the user to sign into the the service. This feature is called the Discovery Service step and is configured in the Session section of the Shibboleth configuration in /etc/shibboleth/Shibboleth2.xml.

Authoritative reference material for this can be found here in the ‘SSO’ section:

The default recommendation for FIM is to use the FIM Central Discovery Service hosted by CANARIE, which is available to all sites.

The relevant section in /etc/shibboleth/shibboleth2.xml looks like this:

          <!--           Configures SSO for a default IdP. To allow for >1 IdP, remove

           entityID property and adjust discoveryURL to point to discovery service.

           (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)

           You can also override entityID on /Login query string, or in RequestMap/htaccess.


           <SSO entityID=""

                discoveryProtocol="SAMLDS" discoveryURL="">
             SAML2 SAML1


If you want to have users signing onto your service to be immediately directed to a specific Identity Provider, update the entityID field to the IdP of your choice.

If you want to have either a local embedded discovery service or central discovery service, update the discoveryURL accordingly.  Leave discoveryProtocol as “SAMLDS”.

Recommended reading for more details on embedded discovery service can be found here: