Converting Bluestem clients to Shibboleth service providers:
1. Install Shibboleth Service Provider.
2. Configure Shibboleth Service Provider.
3. Register Shibboleth Service Provider with I-Trust Federation (https://itrust.illinois.edu/). Note that it can take up to 4 hours for UIC to receive any changes in registrations.
4. Reconfigure your Web Application to use Shibboleth instead of Bluestem.
UIUC maintains extensive Shibboleth SP documentation, most of which applies to UIC applications as well; the UIC-specific differences are noted below. See: https://answers.illinois.edu/search.php?q=shibboleth
The shibboleth2.xml file you download from UIUC's site needs a few changes to make it work with UIC's Identity Provider:
Replace:
<SSO entityID="urn:mace:incommon:uiuc.edu"> SAML2 </SSO>
with
<SSO entityID="https://shibboleth.uic.edu/shibboleth"> SAML2 </SSO>
Uncomment this line (it sits inside the metadata Include filter; while it is commented out the SP discards UIC's IdP metadata and will reject assertions from the UIC Identity Provider):
<Include>https://shibboleth.uic.edu/shibboleth</Include>
You should download and install UIC's attribute-map.xml instead of UIUC's - Download here.
If you have been using Bluestem's allowed.netids file to restrict access to certain NetIDs, then things become a bit more tricky. You will need to create and maintain an AD group and request from ithelp@uic.edu that an Entitlement be created for your application. The Entitlement is associated with the AD group that you create. We will then configure UIC's identity provider to only release attributes to your application for NetIDs that are members of the Entitlement/AD group. Because access is enforced by withholding attributes rather than by blocking the login, your application must deny any session that arrives without the expected identity attribute.
Since UIUC enforces MFA for all applications, they have no documentation on requesting MFA from a service provider. To request it for a UIC application:
Edit /etc/shibboleth/shibboleth2.xml and change the appropriate line to look like this:
<SSO entityID="https://shibboleth.uic.edu/shibboleth"
authnContextClassRef="https://refeds.org/profile/mfa">SAML2</SSO>
Restart the shibd service. Note that authnContextClassRef only asks the IdP for MFA; your application should confirm that the Shib-AuthnContext-Class session variable equals https://refeds.org/profile/mfa before granting access.
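The following is an added example of the application-side checks for step 4 (reconfiguring the web application), covering both the Entitlement-based access restriction and the MFA request above; it is not code from this page or from UIC. It assumes the SP runs under Apache mod_shib with attributes delivered as environment variables, that UIC's attribute-map.xml exposes the user identifier under the id eppn (substitute the id from the file you installed), and it constructs its own sample sessions for illustration.

```python
"""Added example: authorization checks for a Shibboleth-protected endpoint.

Assumptions (not stated on the UIC page):
- mod_shib with ShibUseHeaders off, so attributes are WSGI environ variables.
- The identity attribute id is "eppn" (check your attribute-map.xml).
- Shib-Session-ID, Shib-Identity-Provider and Shib-AuthnContext-Class are the
  Shibboleth SP's standard session variables.
"""
from typing import Mapping, Tuple

UIC_IDP = "https://shibboleth.uic.edu/shibboleth"
REFEDS_MFA = "https://refeds.org/profile/mfa"
USER_ATTR = "eppn"  # assumption: id from UIC's attribute-map.xml


def authorize(environ: Mapping[str, str], require_mfa: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request that passed through mod_shib.

    Replaces what allowed.netids used to do, with two differences:
    - membership is enforced by the IdP (Entitlement/AD group) through attribute
      release, so a session *without* the identity attribute means "not entitled";
    - authnContextClassRef in shibboleth2.xml only *asks* for MFA; the application
      verifies the context the IdP actually asserted.
    """
    if not environ.get("Shib-Session-ID"):
        return False, "no Shibboleth session"
    if environ.get("Shib-Identity-Provider") != UIC_IDP:
        return False, "session not from the UIC IdP"
    user = environ.get(USER_ATTR, "")
    if not user:
        # IdP released nothing: this NetID is not in the application's group.
        return False, "no identity attribute released (not entitled)"
    if require_mfa and environ.get("Shib-AuthnContext-Class") != REFEDS_MFA:
        return False, "MFA requested but not asserted by the IdP"
    return True, user


if __name__ == "__main__":
    # Constructed sample sessions, not captured from a real IdP.
    samples = {
        "member with MFA": {
            "Shib-Session-ID": "_c0ffee",
            "Shib-Identity-Provider": UIC_IDP,
            "eppn": "jdoe@uic.edu",
            "Shib-AuthnContext-Class": REFEDS_MFA,
        },
        "member, password only": {
            "Shib-Session-ID": "_c0ffee",
            "Shib-Identity-Provider": UIC_IDP,
            "eppn": "jdoe@uic.edu",
            "Shib-AuthnContext-Class": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        },
        "non-member": {
            "Shib-Session-ID": "_c0ffee",
            "Shib-Identity-Provider": UIC_IDP,
        },
    }
    for label, env in samples.items():
        print(label, "->", authorize(env, require_mfa=True))
```

Wire authorize() into the request path of every protected view (for example in a WSGI middleware) so that a non-member whose login succeeded at the IdP but who received no attributes is refused, exactly as allowed.netids would have refused them.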
You can find more information on Shibboleth Service Provider installation here:
https://help.uillinois.edu/TDClient/37/uic/KB/ArticleDet?ID=881