• Home
• Login with External IDP
• Shibboleth Single Sign-On

Configure Shibboleth as SAML IDP for SSO

---

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure Shibboleth as an IDP for Single Sign-On (SSO) into your applications/websites. Here, Shibboleth will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with Shibboleth, making it easier and quick to implement. Our team can also help you set up Shibboleth as SAML IDP to login into your applications.

Follow the Step-by-Step Guide given below for Shibboleth Single Sign-On (SSO)

1. Configuring miniOrange as Service Provider (SP) in Shibboleth

• In conf/idpproperties, uncomment and set 'idp.encryption.optionaI' to true.

    eg. idp.encryption.optional = true

• In conf/metadata-providers.xml, configure Service Provider like this

    <MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" 

       id="miniOrangeInLineEntitInlineMetadataProvider" sortKey="1"> 

         <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID/Issuer from SP info tab in plugin.>" 

         validUntil="2020-09-06T04:13:32Z"> 

         <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" 

         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 

           <samlmd:NameIDFormat> 

             urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 

           </samlmd:NameIDFormat> 

         <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 

         Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under IDP Tab.>" 

          &nby" xsi:type="sp;index="1" /> 

         </samlmd:SPSSODescriptor> 

         </samlmd:EntityDescriptor> 

     </MetadataProvider>
    

• In conf/saml-nameid.properties, uncomment and set default NameID as Email Address like this

    idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 
    

• In conf/saml-nameid-xml, search for shibboleth.SAML2NameIDGenerators. Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment all other ref beans

    <!-- SAML 2 NameID Generation --> 

    <util:list id="shibboleth.SAML2NameIDGenerators">  

      <!--<ref bean="shibboleth.SAML2TransientGenerator" /> --> 
 
      <!-->ref bean="shibboleth.SAML2PersistentGenerator" /> -->  

      <bean parent="shibboleth.SAML2AttributeSourcedGenerator"    

      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  

      p:attributeSourceIds="#{ {'email'} }" /> 

    </util:list> 
    

• Make sure you have defined AttributeDefinition in conf/attribute-resolver.xml.

    <!-- Note: AttributeDefinitionid must be same as what you provided in attributeSourceIds in conf/saml-nameid.xml --> 

    <resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail"> 

      <resolver:Dependency ref="ldapConnector" /> 

      <resolver:AttributeEncoderxsi:type="enc:SAML2String" name="email"  friendlyName="email" /> 

    </resolver:AttributeDefinition > 



    <resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.authn.LDAP.ldapURL}" 

      baseDN="%{idp.authn.LDAP.baseDN}" principal="%{idp.authn.LDAP.bindDN}" 

      principalCredential="%{idp.authn.LDAP.bindDNCredential}">  


      <dc:FilterTemplate> 

        <!-- Define you User Search Filter here -->  
 
        <![CDATA[   (&(objectclass=*)(cn=$requestContext.principalName))   ]]> 

      </dc:FilterTemplate> 
 


      <dc:ReturnAttributes>*</dc:ReturnAttributes> 

    </resolver:DataConnector>
    

• Make sure you have AttributeFilterPolicy defined in conf/attribute-filter.xml.

    <afp:AttributeFilterPolicy id="ldapAttributes"> 

    <afp:PolicyRequirementRulexsi:type="basic:ANY"/> 

      <afp:AttributeRuleattributeID="email"> 

        <afp:PermitValueRulexsi:type="basic:ANY"/> 

      </afp:AttributeRule> 

    </afp:AttributeFilterPolicy> 

    

• Restart the Shibboleth Server.

2. Configure Shibboleth as Identity Provider (IDP) in miniOrange

• Go to miniOrange Admin console and navigate to Identity Providers in the left navigation menu. Then, click on Add Identity Provider button.



• In Choose Identity Provider, select SAML from the dropdown.



• Search for SAML Provider.



• Click on Import IDP metadata.



• Enter Shibboleth as IDP name and click on Save.
• You can also provide the details manually. You need to configure following endpoints:

IDP Entity ID	https://<your_domain>/idp/shibboleth
Single Login URL	https://<your_domain>/idp/profile/SAML2/Redirect/SSO
Single Logout URL	https://<your_domain>/idp/shibboleth
X.509 Certificate	The public key certificate of your Shibboleth server.

• Click Save

3. Test Connection

• Visit your Login Page URL.
• Go to Identity Providers tab.
• Search for your app, click the three dots in the Actions menu, and select Test Connection against the Identity Provider (IDP) you configured.



• On entering valid Shibboleth credentials (credentials of user assigned to app created in Shibboleth), you will see a pop-up window which is shown in the below screen.



• Hence your configuration of Shibboleth as IDP in miniOrange is successfully completed.

Configure Attribute Mapping

• Go to Identity Providers go to the Three dot (⋮) icon >> Attribute Mapping Shibboleth as IdP.

• Attribute Type - USER
• Attribute Type - EXTERNAL

Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

• Click on the + Add Attribute button to add the attribute fields.



• Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
• Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

• Click on the + Add Attribute button to add the attribute fields.



• Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
• Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

External References

• Configure Google Workspace as an Identity Provider for SSO
• Login using Keycloak as SAML Identity Provider
• SSO for apps using OKTA as SAML Identity Provider
• Configure ADFS as an Identity Provider for SSO
• Know more about Oracle EBS Shibboleth SSO Integration