STEP 1: In conf/idp.properties, uncomment 'idp.encryption.optional' and set it to true. With this set, the IdP issues an unencrypted assertion to an SP whose metadata carries no encryption key (the WordPress SP metadata in Step 2 has none) instead of failing the request. Because the assertion then passes through the user's browser in the clear, keep the ACS on HTTPS and leave assertion signing on. Example:
idp.encryption.optional = true
STEP 2: In conf/metadata-providers.xml, register WordPress as an SP with an inline metadata provider like the one below. Fill in the two placeholders from Step 1 of the plugin's Identity Provider tab, and set validUntil to a date in the future (or remove the attribute): the IdP treats metadata whose validUntil has passed as expired and will not issue assertions to that SP.
<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
<samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Step1 of the plugin under Identity Provider Tab.>" validUntil="2020-09-06T04:13:32Z">
<samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
<samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>" index="1" />
</samlmd:SPSSODescriptor>
</samlmd:EntityDescriptor>
</MetadataProvider>
STEP 3: In conf/saml-nameid.properties, uncomment idp.nameid.saml2.default and set the default NameID format to emailAddress like this:
idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
STEP 4: In conf/saml-nameid.xml, search for shibboleth.SAML2NameIDGenerators.
Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment out all the other ref beans, so that only the attribute-sourced generator is active. For example, your SAML 2 NameID Generation list should look like this:
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
<!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'email'} }" />
</util:list>
STEP 5: Make sure the attribute named in attributeSourceIds is defined in conf/attribute-resolver.xml.
For example, if you use LDAP for authentication, the AttributeDefinition and its data connector should look like this:
<!--
Note: AttributeDefinition id must be same as what you provided in
attributeSourceIds in conf/saml-nameid.xml
-->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
<resolver:Dependency ref="ldapConnector" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" friendlyName="email" />
</resolver:AttributeDefinition>
<resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory"
ldapURL="%{idp.authn.LDAP.ldapURL}"
baseDN="%{idp.authn.LDAP.baseDN}"
principal="%{idp.authn.LDAP.bindDN}"
principalCredential="%{idp.authn.LDAP.bindDNCredential}">
<dc:FilterTemplate>
<!--
Define your user search filter here. In IdP v3 the authenticated username is
$resolutionContext.principal ($requestContext.principalName is the IdP v2 name
and is not available in v3). Match on the attribute your users log in with.
-->
<![CDATA[
(&(objectclass=*)(cn=$resolutionContext.principal))
]]>
</dc:FilterTemplate>
<!-- '*' returns every LDAP attribute; listing only what the resolver needs (e.g. mail) is the least-privilege choice -->
<dc:ReturnAttributes>*</dc:ReturnAttributes>
</resolver:DataConnector>
STEP 6: Make sure an AttributeFilterPolicy in conf/attribute-filter.xml releases the attribute. The attributeID must match the AttributeDefinition id from the previous step. Scope the policy to the WordPress SP's entityID (basic:AttributeRequesterString) rather than basic:ANY, so the email attribute is not released to every SP the IdP knows about:
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="<SP-EntityID / Issuer from Step1 of the plugin under Identity Provider Tab.>" />
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
STEP 7: Restart the Shibboleth IdP, then open the Service Provider tab in the miniOrange SAML plugin and enter the following details:
| Identity Provider Name | Shibboleth |
| SAML Login URL | https://<your domain>/idp/profile/SAML2/Redirect/SSO |
| IdP Entity ID or Issuer | https://<your domain>/idp/shibboleth |
| X.509 Certificate | The IdP's signing certificate (credentials/idp-signing.crt in a default IdP v3 install) |
| Response Signed | Checked |
| Assertion Signed | Checked |
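The seven steps above only work when the fragments agree with each other: the NameID format in saml-nameid.properties must match the generator's p:format, the generator's attributeSourceIds must name an AttributeDefinition, the filter must release that attribute, and the SP metadata must be unexpired and demand signed assertions posted to an HTTPS ACS. The script below is an added example (not part of the miniOrange guide or of Shibboleth) that cross-checks those fragments with the Python standard library before you restart the IdP. It matches XML elements by local name so namespace prefixes do not matter; the embedded fragments are constructed, and the SP entityID and ACS URL in them are made up.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ATTR_GEN = "shibboleth.SAML2AttributeSourcedGenerator"


def _local(name):            # strip the '{uri}' namespace part ElementTree adds
    return name.rsplit("}", 1)[-1]

def _find(root, name):       # all elements (root included) with that local name
    return [e for e in root.iter() if _local(e.tag) == name]

def _attr(elem, name):       # attribute by local name: p:format, xsi:type, entityID...
    return next((v for k, v in elem.attrib.items() if _local(k) == name), None)


def check_idp_config(sp_metadata, nameid_props, nameid_xml, resolver_xml, filter_xml, now):
    """Return a list of problems; an empty list means Steps 2-6 line up."""
    problems = []
    # Step 2: SP metadata must be current, demand signed assertions and post to an HTTPS ACS.
    entity = _find(ET.fromstring(sp_metadata), "EntityDescriptor")[0]
    entity_id = _attr(entity, "entityID") or ""
    if not entity_id or entity_id.startswith("<"):
        problems.append("entityID still holds the plugin placeholder")
    valid_until = _attr(entity, "validUntil")
    if valid_until and datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
        problems.append(f"validUntil {valid_until} is in the past; the IdP treats the metadata as expired")
    if _attr(_find(entity, "SPSSODescriptor")[0], "WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned must be true")
    acs = _find(entity, "AssertionConsumerService")
    if not acs or _attr(acs[0], "Binding") != POST_BINDING:
        problems.append("AssertionConsumerService must use the HTTP-POST binding")
    elif not (_attr(acs[0], "Location") or "").startswith("https://"):
        problems.append("ACS Location must be https:// (the assertion is unencrypted with idp.encryption.optional)")
    # Step 3: default NameID format from saml-nameid.properties.
    match = re.search(r"^\s*idp\.nameid\.saml2\.default\s*=\s*(\S+)", nameid_props, re.M)
    default_fmt = match.group(1) if match else None
    if default_fmt != EMAIL_FMT:
        problems.append("idp.nameid.saml2.default is not the emailAddress format")
    # Step 4: only the attribute-sourced generator may be live (commented-out refs are not parsed).
    gen_list = ET.fromstring(nameid_xml)
    if live := [_attr(r, "bean") for r in _find(gen_list, "ref")]:
        problems.append(f"other NameID generators are still active: {live}")
    gens = [b for b in _find(gen_list, "bean") if _attr(b, "parent") == ATTR_GEN]
    source_ids = re.findall(r"'([^']+)'", _attr(gens[0], "attributeSourceIds") or "") if gens else []
    if not gens:
        problems.append(f"no {ATTR_GEN} bean found")
    elif _attr(gens[0], "format") != default_fmt:
        problems.append("generator p:format differs from idp.nameid.saml2.default")
    # Steps 5 and 6: every source id must be defined by the resolver and released by the filter.
    defined = {_attr(d, "id") for d in _find(ET.fromstring(resolver_xml), "AttributeDefinition")}
    released = {_attr(r, "attributeID") for r in _find(ET.fromstring(filter_xml), "AttributeRule")
                if _find(r, "PermitValueRule")}
    for sid in source_ids:
        if sid not in defined:
            problems.append(f"attributeSourceId '{sid}' has no AttributeDefinition in attribute-resolver.xml")
        elif sid not in released:
            problems.append(f"attribute '{sid}' is never released by attribute-filter.xml")
    return problems


# Constructed fragments mirroring the guide; the SP entityID and ACS URL are made up.
SP_METADATA = """<samlmd:EntityDescriptor xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" ID="entity"
  entityID="https://wp.example.org/saml/sp" validUntil="{valid_until}">
  <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
    <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://wp.example.org/saml/acs" index="1"/>
  </samlmd:SPSSODescriptor>
</samlmd:EntityDescriptor>"""
NAMEID_PROPS = "idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\n"
NAMEID_XML = """<util:list xmlns:util="http://www.springframework.org/schema/util"
  xmlns:p="http://www.springframework.org/schema/p" id="shibboleth.SAML2NameIDGenerators">
  <!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'email'} }"/>
</util:list>"""
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:AttributeDefinition id="email" sourceAttributeID="mail"/></resolver:AttributeResolver>"""
FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp">
  <afp:AttributeFilterPolicy id="ldapAttributes"><afp:AttributeRule attributeID="email">
    <afp:PermitValueRule/></afp:AttributeRule></afp:AttributeFilterPolicy></afp:AttributeFilterPolicyGroup>"""


def check_sample(valid_until="2020-09-06T04:13:32Z"):
    """Run the checks on the constructed fragments with the clock fixed at 2021-01-01."""
    return check_idp_config(SP_METADATA.format(valid_until=valid_until), NAMEID_PROPS, NAMEID_XML,
                            RESOLVER_XML, FILTER_XML, now=datetime(2021, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(check_sample())                        # flags the guide's expired validUntil
    print(check_sample("2030-01-01T00:00:00Z"))  # []
```

Point the five arguments at the real files under $IDP_HOME/conf (the inline EntityDescriptor can be cut out of metadata-providers.xml, the rest load as-is) and treat any non-empty result as a reason not to restart yet. Comments are discarded by ElementTree, which is exactly why a ref bean that is still uncommented shows up as "still active".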
Please call us at +1978 658 9387 (US), +91 77966 99612 (India) or email us at info@xecurify.com