Questions about Identity Provider w/ Shibboleth

Kelly_Gossett
Confirmed Champ

Hi, everyone. We are implementing OnBase and are exploring using Identity Provider w/ Shibboleth. We are at version 18.0.0.32 and I have reviewed the Identity Provider section of the Authentication MRG. We are attempting installation of IdentP on load-balanced app servers.

Q1: I read that Identity Provider requires SSL to be enabled but we are using SSL offloading. Will this work without use of an SSL certificate installed on the server?

Q2: We are working on Shibboleth setup on the web server. The MRG outlines how you can configure the location of the signing and encryption certificates in the registry of the servers where IdentP is installed. Is this required? Do we need to install the Shibboleth certificates on the app servers for this to work?

Thanks for any tips or advice you can provide.

kellyg


Ken_Piper
Star Contributor

We're just finishing up our migration to 16, but a move to 18 with a look towards Shibboleth integration is in our plans as well, so any information would be great.


PS - sorry for the duplicate replies. Apparently a bug with Community and Edge.

Kelly_Gossett
Confirmed Champ

Hi, all,

I'm far enough along in my configuration of Identity Provider with SAML that I can now answer the questions I posted above.

Q1: I read that Identity Provider requires SSL to be enabled but we are using SSL offloading. Will this work without use of an SSL certificate installed on the server?

- Yes, this works, as long as you keep that in mind when adding URLs to the Web.configs. For instance, if you use SSL offloading, you may need to use "http" instead of "https" in some cases. It just depends on your environment.

Q2: We are working on Shibboleth setup on the web server. The MRG outlines how you can configure the location of the signing and encryption certificates in the registry of the servers where IdentP is installed. Is this required? Do we need to install the Shibboleth certificates on the app servers for this to work?

- It turns out that Identity Provider takes the place of Service Provider installation that we originally attempted. No SSL certificate needs to be installed in IIS (since we are using SSL offloading), but the IdentityProvider Web.config should reference a certificate with KeyUsage requirements of Digital Signature and Key Encipherment. This certificate is used to decrypt assertions received from the 3rd party Identity Provider.

Other gotchas:

- I was having trouble generating Metadata, and I found I wasn't using the correct URL. It should be in the format of https://[server location or vip]/tenant/population/provider/metadata. The part I was missing was provider. Please see the Authentication MRG for details on how this URL is formatted. The tenant, population, and provider are named in the IdentityProvider Web.config file.

Let me know if you have any questions!

Thanks,

kellyg


Edit: Fixed a couple of typing errors.
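The two checks from the answer above (a certificate with Digital Signature and Key Encipherment KeyUsage and a private key for decrypting assertions, and the tenant/population/provider metadata URL) as an added PowerShell example for the IIS host; this is not code from the thread or from Hyland. The thumbprint, host name, tenant, population and provider values are placeholders you replace with your own.

```powershell
# Added example: verify the certificate the IdentityProvider Web.config should reference,
# then print the metadata URL in the format described in the thread.
# All parameter defaults are placeholders, not values from the thread.
param(
    [string]$Thumbprint  = 'PLACEHOLDER-THUMBPRINT',   # cert in LocalMachine\My
    [string]$ServerOrVip = 'onbase.example.com',       # server name or load-balancer VIP
    [string]$Tenant      = 'tenant',
    [string]$Population  = 'population',
    [string]$Provider    = 'provider'
)

function Test-IdentPCertificate {
    # Returns a list of problems; an empty list means the certificate is usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $flags    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $required = $flags::DigitalSignature -bor $flags::KeyEncipherment
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $problems = @()
    if (-not $ku) {
        $problems += 'no KeyUsage extension present'
    } elseif (($ku.KeyUsages -band $required) -ne $required) {
        $problems += "KeyUsage is '$($ku.KeyUsages)'; needs DigitalSignature and KeyEncipherment"
    }
    # Decrypting assertions from the third-party IdP requires the private key on this host.
    if (-not $Cert.HasPrivateKey) { $problems += 'private key not present on this server' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($Cert.NotAfter)" }
    return $problems
}

$cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$issues = Test-IdentPCertificate -Cert $cert
if ($issues.Count -eq 0) {
    "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}

# Metadata URL format from the thread: https://[server location or vip]/tenant/population/provider/metadata
$metadataUrl = "https://$ServerOrVip/$Tenant/$Population/$Provider/metadata"
"Metadata URL to request: $metadataUrl"
```

Run it on each load-balanced app server, since the private key has to be present on every node that decrypts assertions.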