Skip to main content

Search

Configuring SAML: Shibboleth

  • Updated

Introduction

Enable Single SignOn from Shibboleth to your Canary Console with these steps.

Shibboleth is highly configurable and the configs provided on this page are but one approach to setting up your Console as a Relying Party. In all the examples below, "XXXXXXXX.canary.tools" should be replaced with your Console's hostname which has a similar format.

Step 1: Create a support request to enable SAML

Drop us a note at support@canary.tools to enable SAML and we’ll get your Console ready.

We'll enable SAML support on your Console which will generate the parameters you need.

Step 2: Log in to your Canary Console and copy the SAML parameters

Login to your Console, click "Setup" on the top navbar, then "SAML" on the left menu:

Step 3: Configure Shibboleth with a new Relying Party

In attribute-filter.xml, add an AttributeFilterPolicy such as:

<AttributeFilterPolicy id="canary">
  <PolicyRequirementRule xsi:type="Requester" value="https://XXXXXXXX.canary.tools/" />
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

Create a metadata file for your new Relying Party (e.g. at /opt/shibboleth-idp/metadata/canary-metadata.xml):

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://XXXXXXXX.canary.tools/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://XXXXXXXX.canary.tools/saml/acs" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXXXXXXX.canary.tools/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

In metadata-providers.xml, add a MetadataProvider such as (ensuring the path is valid on your local installation):

<MetadataProvider id="CanaryMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/canary-metadata.xml"/>

In relying-party.xml, add a RelyingPartyByName bean:

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://XXXXXXXX.canary.tools/">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:encryptNameIDs="false" />
    </list>
  </property>
</bean>

Step 4: Restart Shibboleth

The new configuration will take effect once Shibboleth has been restarted.

Step 5: Send us the IdP's SAML Metadata

Copy the IdP's SAML metadata from the Shibboleth server and send it to us in your support ticket. We will configure your Console with the IdP metadata and confirm when SAML support is fully set up.

Step 6: Test login from both the Console and your IdP

You'll know it's working when you see your Console Login page show a "Login with SSO" button:

Screenshot_2021-06-21_at_14.30.25.png

Click the button to initiate the SSO login.

Was this article helpful?
0 out of 0 found this helpful
Return to top