From 5edf6a33d7d721c65f4a79dd0d3f47eb9e4133e3 Mon Sep 17 00:00:00 2001 From: Philip Durbin Date: Tue, 19 Apr 2016 14:48:55 -0400 Subject: [PATCH] Shib: clean up section on identity federations #2937 --- doc/sphinx-guides/source/installation/shibboleth.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/sphinx-guides/source/installation/shibboleth.rst b/doc/sphinx-guides/source/installation/shibboleth.rst index c1c55914402..b8c2c09ef03 100644 --- a/doc/sphinx-guides/source/installation/shibboleth.rst +++ b/doc/sphinx-guides/source/installation/shibboleth.rst 
@@ -178,7 +178,11 @@ Most Dataverse installations will probably only want to authenticate users via S Identity Federation +++++++++++++++++++ -Rather than specifying individual Identity Provider(s) you may wish to broaden the number of users who can log into your Dataverse installation by registering your Dataverse installation as a Service Provider (SP) within a federation. For example, users from `hundreds of institutions registered with InCommon `_ will be able to log into your Dataverse installation if you register your Dataverse installation as one of the `thousands of Service Providers `_ that are part of that federation. See http://www.protectnetwork.org/support/faq/identity-federations for a list of identity federations across the world. Rather than hard-coding all the Identity Providers (IdPs) in your ``dataverse-idp-metadata.xml`` file, you would periodically poll your identity federation for updates per https://spaces.internet2.edu/display/InCFederation/Metadata+Consumption and https://spaces.internet2.edu/display/InCFederation/Shibboleth+Metadata+Config#ShibbolethMetadataConfig-ConfiguretheShibbolethSP . +Rather than specifying individual Identity Provider(s) you may wish to broaden the number of users who can log into your Dataverse installation by registering your Dataverse installation as a Service Provider (SP) within an identity federation. For example, in the United States, users from `hundreds of institutions registered with the "InCommon" identity federation `_ will be able to log into your Dataverse installation if you register it as one of the `thousands of Service Providers registered with InCommon `_. 
+ +The details of how to register with an identity federation are out of scope for this document, but a good starting point may be this list of identity federations across the world: http://www.protectnetwork.org/support/faq/identity-federations + +One of the benefits of using ``shibd`` is that it can be configured to periodically poll your identify federation for updates as new Identity Providers (IdPs) join the federation you've registered with. For the InCommon federation, the following page describes how to download and verify signed InCommon metadata every hour: https://spaces.internet2.edu/display/InCFederation/Shibboleth+Metadata+Config#ShibbolethMetadataConfig-ConfiguretheShibbolethSP .. _shibboleth-attributes:
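Review bot: Typo in the last added paragraph: "periodically poll your identify federation" should read "identity federation". The rewrite also removes the sentence that contrasted federation polling with hard-coding the IdPs in ``dataverse-idp-metadata.xml``, along with the Metadata+Consumption link, so a reader no longer learns which file the polled metadata is meant to replace; consider keeping a short mention of it. The added text refers to "download and verify signed InCommon metadata" only in passing. Because metadata fetched on a schedule decides which IdPs the SP trusts, I would say in this paragraph that signature verification is a required part of the setup, not just something the linked page covers.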