1. View the IdP metadata referenced at the URL and/or File option in config.txt:
ShibbolethMetadata \
  -EntityID=https://ezproxy.example.com/shibboleth \
  -URL=https://idp.example.com/Shibboleth.sso/Metadata \
  -File=example-metadata.xml \
  -SignResponse=false -SignAssertion=false -EncryptAssertion=false \
  -Cert=2
2. The metadata needs to contain an element named IDPSSODescriptor
Some examples of how this element can start:
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
<ns27:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
If the metadata does not contain this information, work with the team responsible for the identity provider to get metadata that contains an IDPSSODescriptor.
3. The metadata needs to contain an entityID attribute that matches the IDP line in user.txt
Example metadata:
<md:EntityDescriptor xmlns:md="..." ID="..." entityID="https://idp.example.com/shibboleth">
Example user.txt:
::Shibboleth
Group NULL
IDP20 https://idp.example.com/shibboleth
/Shibboleth
The entityID="..." value in the metadata and the value after IDP20 in user.txt need to match.
An element in the metadata like SPSSODescriptor (for Service Provider Metadata) will not work.
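
Steps 2 and 3 can be checked with a short script. This is an added example, not EZproxy's own code; the function names and sample inputs are hypothetical, and it assumes the metadata has already been saved locally and that the two values are compared as exact strings.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

def idp_entity_ids(metadata_xml):
    """entityID of every EntityDescriptor that has an IDPSSODescriptor child.
    Matching on the namespace URI covers md:, ns27: and unprefixed spellings."""
    root = ET.fromstring(metadata_xml)
    return [ent.get("entityID")
            for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor")
            if ent.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None]

def user_txt_idps(user_txt):
    """Values that follow IDP20 in user.txt."""
    return re.findall(r"\bIDP20\s+(\S+)", user_txt)

def check(metadata_xml, user_txt):
    """Return a list of problems; an empty list means steps 2 and 3 pass."""
    problems = []
    idps = idp_entity_ids(metadata_xml)
    if not idps:
        problems.append("metadata has no IDPSSODescriptor")
    wanted = user_txt_idps(user_txt)
    if not wanted:
        problems.append("user.txt has no IDP20 line")
    # Assumption: compared as exact strings, no trailing-slash or case folding.
    for entity_id in wanted:
        if entity_id not in idps:
            problems.append(f"IDP20 {entity_id} is not an IdP entityID in the metadata")
    return problems

# Constructed sample inputs, modelled on the examples in this article.
IDP_MD = f'''<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.com/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>'''
SP_MD = f'''<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://ezproxy.example.com/shibboleth">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>'''
USER_TXT = ("::Shibboleth\nGroup NULL\n"
            "IDP20 https://idp.example.com/shibboleth\n/Shibboleth\n")

if __name__ == "__main__":
    for name, md in (("idp", IDP_MD), ("sp-only", SP_MD)):
        print(name, check(md, USER_TXT) or "OK")
```

An empty result means both checks pass; Service Provider metadata or an IDP20 value that differs by even a trailing slash is reported as a problem.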