Page tree

The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.

Skip to end of metadata
Go to start of metadata

The general overview of the SAManage.com side is here: https://blog.samanage.com/company/saml-single-sign-on-support-samanage/

To configure Shibboleth to work with SAManage.com:

  • Configure your IdP to not encrypt assertions or nameIDs
  • Configure your IdP to release the user's email address as the NameID with a name format of
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
     

 

relying-party.xml

It is important to note here that you don't want encrypted assertions nor encrypted nameIDs

<RelyingParty id="SAManage.com" provider="urn:mace:incommon:uchicago.edu" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

attribute-resolver.xml

<resolver:AttributeDefinition id="mailNameId" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:Dependency ref="email" />
    
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>
  • No labels