Page History

...

Shibboleth consists of a Daemon plus an apache module. This Apache module must be configured for Shibboleth to intercept certain requests. When a request is intercepted, Shibboleth will decide whether the user (1) needs to login at the configured idP (which will present a login form to the user), or (2) is already logged in (and Shibboleth will let the request be served as if it wasn't there to intercept it)

/etc/shibboleth/shibboleth2.xml

Our Shibboleth configuration has been pared down to the essential ( ? ). If needed, for instance if we want to add functionality to our Shibboleth installation, refer to shibboleth2.xml.dist

Near the top of the file in the ApplicationDefaults element, we set

• entityID: the ID of our Service Provider (SP)
• REMOTE_USER: how REMOTE_USER will be populated. Note that "ecommonsid which is specific to HMS IT, comes first, so REMOTE_USER will be set to its value)
• The sessionHook is the URL of code running on Tomcat. More on this later.

<ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
sessionHook="/shrine-api/sso/rest/authentication/consume"
signing="true"
>

Within the ApplicationDefaults element, 

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
< SAML2

...