Basic SAML setup in EZproxy

Resolution

If SAML is already being used, the same EZproxy metadata can be used for the new IdP.

For the IdP's metadata, a retrieval URL works best if the IdP has one. This makes it easier if the metadata is ever updated, since it will automatically be updated in EZproxy. Otherwise, the metadata can only be provided in the file.

ShibbolethMetadata \
-EntityID=EZproxyEntityID (matches what is set in the EZproxy metadata) \
-File=MetadataFile (with metadata from the IdP)   \
-URL=URL to retrieve the IdP's metadata \
-SignResponse=false -SignAssertion=true -EncryptAssertion=false \
-Cert=EZproxyCertNumber (from the Manage SSL page in the admin screen for the certificate the EZproxy metadata is from)

The SignResponse/SignAssertion/EncryptAssertion line might need to be adjusted based on the IdP setup. The messages.txt file should show how this needs to be adjusted.

::auth=test, Shibboleth
Group NULL
IDP20 IDP to your SAML (must match what is in the SAML metadata)
/Shibboleth

To test, use a URL like https://your.ezproxy.url/login?auth=test

::Shibboleth
Group NULL
IDP20 IDP to your SAML (must match exactly what is in the EntityID from the IdP's metadata)
/Shibboleth
Set login:loguser = auth:NameID

To see how attributes are being returned from the IdP, go to Manage Shibboleth in the EZproxy admin page and use the tool to show attributes from this Identity Provider.
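
Because the IDP20 value must match the IdP's EntityID exactly, a quick check of the stanzas against the IdP's metadata file catches near-misses such as a trailing slash before a login test fails. This is an added example, not OCLC code; the function names are hypothetical and the sample metadata, entity ID and stanzas are constructed:

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata (idp.example.edu is a placeholder).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample stanzas in the layout shown above.
SAMPLE_USER_TXT = """::auth=test, Shibboleth
Group NULL
IDP20 https://idp.example.edu/idp/shibboleth/
/Shibboleth
::Shibboleth
Group NULL
IDP20 https://idp.example.edu/idp/shibboleth
/Shibboleth
"""

def idp_entity_ids(metadata_xml):
    """Return the entityID of every EntityDescriptor with an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    ids = set()
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ent.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            ids.add(ent.get("entityID"))
    return ids

def check_idp20(user_txt, metadata_xml):
    """Return (line_no, value, near_match) for IDP20 values not in the metadata."""
    known = idp_entity_ids(metadata_xml)
    folded = {k.rstrip("/").lower(): k for k in known}
    problems = []
    for no, line in enumerate(user_txt.splitlines(), 1):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "IDP20":
            value = parts[1].strip()
            if value not in known:
                near = folded.get(value.rstrip("/").lower())
                problems.append((no, value, near))
    return problems

if __name__ == "__main__":
    for no, value, near in check_idp20(SAMPLE_USER_TXT, SAMPLE_METADATA):
        print(f"line {no}: IDP20 {value!r} not in metadata; closest: {near!r}")
```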

 

For hosted EZproxy systems, support will configure this for you. Contact OCLC Support.

For stand-alone EZproxy systems that need additional help, contact OCLC Support.
