Introduction
Enable Single SignOn from Shibboleth to your Canary Console with these steps.
Shibboleth is highly configurable and the configs provided on this page are but one approach to setting up your Console as a Relying Party. In all the examples below, "XXXXXXXX.canary.tools" should be replaced with your Console's hostname which has a similar format.
Step 1: Create a support request to enable SAML
You can either use our live support (see the chat icon on that page's bottom right) or file a support request. Please include your Organisation's name in the request.
We'll enable SAML support on your console which will generate the parameters you need.
Step 2: Login to you Canary Console and copy the SAML parameters
Login to your Console, click "Setup" on the top navbar, then "SAML" on the left menu:
Step 3: Configure your Identity Provider with a new Service Provider
Typically this involves creating a new app or connection. In setting up this new configuration, look out for these configuration items:
- ACS URL (sometimes called the Login URL or SSO URL). In that field, paste the "ACS" data from Step 2.
- SP Entity ID. This is a unique string that identifies your Canary Console to your Identity Provider. Note that your Console's Entity ID includes a trailing forward slash.
- NameID Format. This tells the Identity Provider how to send a user's identity to the Console. We require an email address.
- Signing. SAML support the cryptographic signing of the login messages sent from the Identity Provider to the Service Provider. Canary Consoles require that Assertions are signed, and this is usually configurable at the Identity Provider. Responses can be signed, assertions are required to be signed.
Step 4: Download the SAML Metadata
Look around the IdP's interface for a link or button to download the IdP's metadata file.
Step 5: Send us the SAML Metadata
Send the SAML metadata file from Step 4 to us in your support ticket. We will configure your Console with the IdP metadata and confirm when SAML support is fully set up.
Step 6: Test login from both the Console and your IdP
You'll know it's working when you see your Console Login page show a "Login with SSO" button:
Click the button to initiate the SSO login.
You'll also be able to login to your Console by clicking on your Canary Console's link or button the IdP's dashboard: