MSU Shibboleth - MSU changes

After installation, the Service Provider (SP) will need to be configured to use the MSU Identity Provider. The simplest way is to use the sample shibboleth2.xml. It contains several spots, marked with 'changeme', that you will need to change to appropriate values for your service.

Alternatively, changes can be made to the distributed shibboleth2.xml. The changes required for MSU are listed below.

Service Hostname

The service hostname is the hostname to which the user's web browser is directed. If the SP is behind a load balancer, the service hostname is the hostname bound to the load balancer, for example angel.msu.edu. Otherwise, the service hostname is the hostname of the machine itself, for example sp-dev.idm.msu.edu.

Listener

Enable the Listener that is appropriate for your OS. Be sure to enable only one Listener; leave the other one commented out.

If the server is UNIX based, enable the UnixListener and disable the TCPListener.

    <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
    <UnixListener address="shibd.sock"/>
    <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->

If the server is Windows based, enable the TCPListener and disable the UnixListener.

    <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
    <!-- <UnixListener address="shibd.sock"/> -->
    <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

entityID

The entityID is based on the service hostname, for example https://sp-dev.idm.msu.edu/shibboleth or https://sp-dev.idm.msu.edu/sp. See EntityNaming and Entity IDs for more information, or email identity@msu.edu with your questions.

Legacy SPs have a URN-based entityID, for example urn:mace:msu.edu:shibboleth:sp:ats:forums, which can still be used. New installations are encouraged to use the URL form.

handlerSSL and cookieProps

If using SSL, set handlerSSL="true" and include the cookieProps line shown below, so the session cookie is only sent over HTTPS. If not using SSL, set handlerSSL="false" and remove the cookieProps line.

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/Shibboleth.sso" handlerSSL="true"
        cookieProps="; path=/; secure; HttpOnly"
        exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
        idpHistory="false" idpHistoryDays="7">

SessionInitiator

Change the entityID of the "/Login" SessionInitiator to the MSU Identity Provider.

    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
            relayState="cookie" entityID="https://idp.idm.msu.edu/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
    </SessionInitiator>

supportContact

Be sure to set supportContact to your end-user support email address.

MetadataProvider

In the "Chaining" MetadataProvider, add the MSU metadata source.

    <MetadataProvider type="XML"
        uri="http://shib.idm.msu.edu/metadata/MSU-metadata-idp.xml"
        backingFilePath="MSU-metadata-idp.xml" reloadInterval="7200">
    </MetadataProvider>
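The edits above are easy to get half right (both Listeners left active, handlerSSL="false" with the secure cookieProps line still present, a 'changeme' placeholder forgotten). The following Python script is an added example, not part of the MSU documentation or of the Shibboleth SP itself: it parses a shibboleth2.xml and reports which of the MSU-specific settings described on this page are missing or inconsistent. The embedded sample configurations are constructed for the example; the supportContact attribute is assumed to live on the Errors element as in the SP 2.x distribution, and the contact address is a placeholder.

```python
"""Lint a Shibboleth SP shibboleth2.xml for the MSU-specific settings.

Added example; not MSU's or the Shibboleth project's code.
"""
import xml.etree.ElementTree as ET

MSU_IDP_ENTITY_ID = "https://idp.idm.msu.edu/idp/shibboleth"
MSU_METADATA_URI = "http://shib.idm.msu.edu/metadata/MSU-metadata-idp.xml"

# Constructed sample with only the elements this page discusses. supportContact is
# placed on <Errors> (assumption: that is where the SP 2.x distribution keeps it).
GOOD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <UnixListener address="shibd.sock"/>
  <ApplicationDefaults id="default" entityID="https://sp-dev.idm.msu.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/Shibboleth.sso" handlerSSL="true"
        cookieProps="; path=/; secure; HttpOnly">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
          relayState="cookie" entityID="https://idp.idm.msu.edu/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
      </SessionInitiator>
    </Sessions>
    <Errors supportContact="helpdesk@example.msu.edu"/>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML"
          uri="http://shib.idm.msu.edu/metadata/MSU-metadata-idp.xml"
          backingFilePath="MSU-metadata-idp.xml" reloadInterval="7200"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""

# The same file with three mistakes the page warns about: both Listeners active,
# handlerSSL="false" while the secure cookieProps line was kept, and a leftover placeholder.
BAD_CONFIG = (GOOD_CONFIG
    .replace('<UnixListener address="shibd.sock"/>',
             '<UnixListener address="shibd.sock"/>\n'
             '  <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>')
    .replace('handlerSSL="true"', 'handlerSSL="false"')
    .replace('supportContact="helpdesk@example.msu.edu"', 'supportContact="changeme"'))


def _local(tag):
    """Strip the XML namespace so the checks work whatever default namespace is declared."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def lint_shibboleth2(xml_text):
    """Return a list of problem strings; an empty list means every MSU check passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # Exactly one of UnixListener / TCPListener may be active; the other stays commented out.
    listeners = _find_all(root, "UnixListener") + _find_all(root, "TCPListener")
    if len(listeners) != 1:
        problems.append("expected exactly one Listener, found %d" % len(listeners))

    # The SP entityID must be filled in (URL form preferred, URN form still accepted).
    for app in _find_all(root, "ApplicationDefaults"):
        eid = app.get("entityID", "")
        if not eid or "changeme" in eid.lower():
            problems.append("ApplicationDefaults entityID is not set")

    # handlerSSL and cookieProps must agree: the secure flag goes with SSL, and only with SSL.
    for sess in _find_all(root, "Sessions"):
        ssl_on = sess.get("handlerSSL", "").lower() == "true"
        props = sess.get("cookieProps")
        if ssl_on and (props is None or "secure" not in props.lower()):
            problems.append('handlerSSL="true" but cookieProps lacks the secure flag')
        if not ssl_on and props is not None:
            problems.append('handlerSSL="false" but the cookieProps line was not removed')

    # The /Login SessionInitiator must point at the MSU Identity Provider.
    login = [s for s in _find_all(root, "SessionInitiator") if s.get("Location") == "/Login"]
    if not login:
        problems.append("no /Login SessionInitiator found")
    for s in login:
        if s.get("entityID") != MSU_IDP_ENTITY_ID:
            problems.append("/Login SessionInitiator entityID is %r, expected the MSU IdP"
                            % s.get("entityID"))

    # supportContact must be a real address, not the sample's placeholder.
    contacts = [e.get("supportContact") for e in root.iter() if e.get("supportContact") is not None]
    if not contacts or any("changeme" in c.lower() or "@" not in c for c in contacts):
        problems.append("supportContact is missing or still a placeholder")

    # The MSU IdP metadata source must be present among the MetadataProviders.
    uris = {m.get("uri") for m in _find_all(root, "MetadataProvider")}
    if MSU_METADATA_URI not in uris:
        problems.append("MSU metadata source %s not configured" % MSU_METADATA_URI)

    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_shibboleth2(cfg) or "OK")
```

Run it against a real file with `lint_shibboleth2(open("shibboleth2.xml").read())`; the namespace is stripped before comparing element names, so the checks do not depend on which SP configuration namespace the file declares. Commented-out Listeners are invisible to the XML parser, which is exactly why counting the parsed Listener elements catches the "both enabled" mistake.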