
Shibboleth2 as IdP – SAML


Step 1: Set up Shibboleth2 as Identity Provider

      • In conf/relying-party.xml, configure the Service Provider as follows, replacing the <ENTITY_ID_FROM_PLUGIN> and <ACS_URL_FROM_PLUGIN> placeholders with the values from the miniOrange plugin:

        <MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="MyInlineMetadata">
          <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<ENTITY_ID_FROM_PLUGIN>">
              <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <!-- The plugin expects the user's email address as the Name ID -->
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                <!-- Assertions are delivered to the plugin's ACS URL with the HTTP-POST binding -->
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<ACS_URL_FROM_PLUGIN>" index="1"/>
              </md:SPSSODescriptor>
            </md:EntityDescriptor>
          </EntitiesDescriptor>
        </MetadataProvider>


      • Make sure your Shibboleth server sends the user's email address as the Name ID. In attribute-resolver.xml, define the email attribute and encode it as a SAML 2 Name ID:

        <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
          <!-- The "mail" attribute is read from the LDAP data connector -->
          <resolver:Dependency ref="ldapConnector" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
        </resolver:AttributeDefinition>

      • In attribute-filter.xml, release the email attribute:

        <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
          <!-- basic:ANY applies this policy to every relying party -->
          <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
          <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
          </afp:AttributeRule>
        </afp:AttributeFilterPolicy>
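Before restarting the IdP, it is worth checking that the relying-party entry and the release policy above actually say what was intended: that assertions must be signed, that the ACS binding is HTTP-POST over https, that the email Name ID format is offered, and which policies release attributes to every relying party. The following script is an added example, not part of the miniOrange page or of Shibboleth; the function names and the two sample XML fragments (with made-up entity ID and ACS URL standing in for the plugin placeholders) are constructed for illustration.

```python
"""Lint the Shibboleth 2 SP metadata entry and attribute-filter policy.

Added example (not miniOrange's or Shibboleth's own code). The sample
XML below is constructed; the entity ID and ACS URL are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the SP entry from conf/relying-party.xml with the
# plugin placeholders replaced by made-up values.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://jira.example.test/plugins/servlet/saml/auth">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://jira.example.test/plugins/servlet/saml/auth" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the release policy from conf/attribute-filter.xml.
SAMPLE_FILTER_POLICY = f"""<afp:AttributeFilterPolicy xmlns:afp="{AFP}"
    xmlns:basic="{BASIC}" xmlns:xsi="{XSI}" id="releaseTransientIdToAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>"""


def check_sp_metadata(xml_text):
    """Return a list of findings for one SP EntityDescriptor; empty means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor found"]
    # An unsigned assertion must not be acceptable to the plugin.
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true")
    formats = [e.text for e in sp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_NAMEID not in formats:
        findings.append("NameIDFormat does not offer the emailAddress format")
    acs_list = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs_list:
        findings.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        if acs.get("Binding") != POST_BINDING:
            findings.append(f"ACS binding {acs.get('Binding')!r} is not HTTP-POST")
        loc = acs.get("Location", "")
        # The assertion carries the user's identity; it must not go over plain http.
        if not loc.startswith("https://"):
            findings.append(f"ACS Location {loc!r} is not https")
    return findings


def check_filter_policy(xml_text):
    """Return findings for policies that release attributes to every requester."""
    findings = []
    root = ET.fromstring(xml_text)
    tag = f"{{{AFP}}}AttributeFilterPolicy"
    policies = [root] if root.tag == tag else root.findall(f".//{tag}")
    for pol in policies:
        req = pol.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is not None and req.get(f"{{{XSI}}}type") == "basic:ANY":
            attrs = [r.get("attributeID") for r in pol.findall(f"{{{AFP}}}AttributeRule")]
            findings.append(f"policy {pol.get('id')!r} releases {attrs} to any relying party")
    return findings


if __name__ == "__main__":
    for name, fn, text in (("relying-party SP entry", check_sp_metadata, SAMPLE_SP_METADATA),
                           ("attribute-filter policy", check_filter_policy, SAMPLE_FILTER_POLICY)):
        result = fn(text)
        print(name + ":", "OK" if not result else "\n  " + "\n  ".join(result))
```

Run against the sample, the metadata check passes and the filter check reports that the policy releases `email` to any relying party. If that is more than you intend, replace the `basic:ANY` requirement rule with `<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="<ENTITY_ID_FROM_PLUGIN>"/>` so the email attribute is released only to the miniOrange plugin's entity ID; the script then reports no finding for that policy.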

      • Restart the Shibboleth server.
      • Configure these endpoints in the miniOrange plugin:
          IDP Entity ID: https://<your_domain>/idp/shibboleth
          Single Login URL: https://<your_domain>/idp/profile/SAML2/Redirect/SSO
          X.509 Certificate: the public key certificate of your Shibboleth server