
...

The IdP configuration (idp.xml) is ZEST:here.  The partner metadata file is ZEST:here.

I enabled the eduPersonScopedAffiliation and eduPersonPrincipalName attributes in resolver.xml, and added eduPersonPrincipalName to arp.site.xml.  This enables setting REMOTE_USER to the authenticated user name in the SP application.  To test getting attributes from the MIT LDAP server, I configured resolver.ldap.xml to do an anonymous bind to the server, and, initially, mapped the eduPersonPrincipalName attribute to the "mail" LDAP attribute, as eduPersonPrincipalName was not part of the schema on ldap.mit.edu at the time; to use this configuration, I changed the resolverConfig setting in idp.xml accordingly.  Note that I was unable to bind successfully using GSSAPI in brief testing; the error "No valid credentials provided" was logged in shib-error.log, even when I tried initializing a proper ticket cache before starting tomcat.  (The GSSAPI bind had worked in testing WebAuth's mod_webauthldap module).
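An illustrative resolver.ldap.xml fragment for the mapping described above (added here as an example; it is not the author's file). Element and attribute names follow the Shibboleth IdP 1.x attribute-resolver schema; the LDAP host, base DN, search filter and the "mit.edu" scope are assumptions and should be checked against the resolver.ldap.xml shipped with the IdP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed IdP 1.x resolver configuration; verify against the distributed resolver.ldap.xml. -->
<AttributeResolver xmlns="urn:mace:shibboleth:resolver:1.0">

  <!-- ePPN sourced from the LDAP "mail" attribute (the schema on the test
       server had no eduPersonPrincipalName attribute). No smartScope is set
       because the mail value already carries the "@mit.edu" scope. -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                             sourceName="mail">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>

  <!-- ePSA: unscoped affiliation values from LDAP get the assumed scope appended. -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                             sourceName="eduPersonAffiliation"
                             smartScope="mit.edu">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>

  <!-- Anonymous bind: no java.naming.security.principal / credentials /
       authentication properties are set, so JNDI binds anonymously.
       Using GSSAPI would add java.naming.security.authentication="GSSAPI"
       and requires a usable ticket cache for the Tomcat process. -->
  <JNDIDirectoryDataConnector id="directory">
    <Search filter="(uid=%PRINCIPAL%)">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://ldap.mit.edu/ou=people,dc=mit,dc=edu"/>
  </JNDIDirectoryDataConnector>

</AttributeResolver>
```

Releasing eduPersonPrincipalName still depends on arp.site.xml permitting it for the partner SP; the resolver only produces the value.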

...

but changed things to use the server certificates signed by my test CA, instead of using self-signed certs.

The partner metadata file is ZEST:here.  Besides the host/domain names, the significant difference between this and the file resulting from following the wiki instructions is that the test CA certificate is embedded, instead of the IdP cert itself.

The shibboleth.xml file is ZEST:here.

I modified the distributed AAP.xml to add a Header value for eduPersonNickname, and uncommented the sections defining the eduPerson and common LDAP attributes. 

...