
How to configure Single Sign On with Shibboleth

Question asked by Oz Merchant Administrator on Jul 5, 2016

Recently, one of our customers provided information on how they were able to configure Samanage with Shibboleth for Single Sign-On.

1) Install the Samanage SP metadata in the Shibboleth IdP metadata folder.
You can find your metadata at https://ACCOUNTNAME.samanage.com/saml/metadata

2) In Shibboleth attribute-resolver.xml, configure an attribute to release to Samanage with the proper format. We added this:

<!-- Simple attribute built from "mail", encoded as the SAML 2 NameID that Samanage expects -->
<resolver:AttributeDefinition
  id="samanageuid"
  xsi:type="Simple"
  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
  sourceAttributeID="mail">

  <!-- "MyDB" is the customer's DataConnector; reference whichever connector supplies "mail" -->
  <resolver:Dependency ref="MyDB" />

  <!-- Emit the value as the Subject NameID in e-mail address format rather than as an Attribute -->
  <resolver:AttributeEncoder
    xsi:type="SAML2StringNameID"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />

</resolver:AttributeDefinition>

In this example, their attributes come from a database connection rather than LDAP. If there is already an attribute with the same encoding for the mail attribute, you could use that. In this example, their mail attribute has a different encoder.

3) Finally, release the attribute above to Samanage via attribute-filter.xml:

    <!-- The filter schema requires an id; "releaseToSamanage" is an arbitrary name that must be unique in this file -->
    <AttributeFilterPolicy id="releaseToSamanage">
        <!-- Matches the SP entityID from the Samanage metadata installed in step 1 -->
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="SAManage.com" />

        <!-- Release the NameID-encoded attribute defined in step 2 -->
        <AttributeRule attributeID="samanageuid">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <!-- Explicitly withhold the plain mail attribute so only one identifier reaches Samanage -->
        <AttributeRule attributeID="mail">
            <DenyValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


Here we are blocking the regular mail attribute and releasing the samanageuid attribute. It may not be necessary to block the mail attribute, but doing so should prevent any confusion about which value Samanage receives.
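To confirm the three steps above line up (the SP entityID the filter policy matches on, the NameID format Samanage expects, and the mail attribute actually being withheld), here is an added Python check that is not part of the original post and not Samanage or Shibboleth code. The SP metadata and the SAML response it inspects are constructed stand-ins; the entityID "SAManage.com" is assumed to be the value in the real metadata, and the IdP issuer "https://idp.example.edu/idp/shibboleth" is a placeholder.

```python
"""Sanity checks for a Shibboleth IdP -> Samanage SAML setup (added example).

Parses the SP metadata for its entityID and NameID format, then inspects a
decoded SAML Response to confirm the IdP is emitting what the SP wants and
is NOT leaking the plain "mail" attribute that the filter policy denies.
"""
import xml.etree.ElementTree as ET  # stdlib expat does not fetch external entities;
                                    # use defusedxml for untrusted input in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # LDAP "mail" attribute OID

# Constructed stand-in for https://ACCOUNTNAME.samanage.com/saml/metadata
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="SAManage.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ACCOUNTNAME.samanage.com/saml" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned stand-in for the decoded SAMLResponse the IdP would POST
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.edu</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>SAManage.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sp_requirements(metadata_xml):
    """Extract what the SP asks for: entityID, accepted NameID formats, ACS URLs."""
    root = ET.fromstring(metadata_xml)
    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)],
        "acs_urls": [e.get("Location") for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)],
    }


def check_assertion(response_xml, expected_requester):
    """Return (ok, findings) for one decoded SAML Response.

    Checks the audience matches the entityID used in the filter policy, the
    Subject NameID is in emailAddress format, and "mail" is not released.
    """
    findings = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element in response"]

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_requester:
        findings.append(f"audience {audience!r} does not match requester {expected_requester!r}")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        findings.append("NameID missing or not in emailAddress format (check the SAML2StringNameID encoder)")
    elif "@" not in (nameid.text or ""):
        findings.append("NameID value is not an e-mail address")

    released = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        released.update({attr.get("Name"), attr.get("FriendlyName")})
    if "mail" in released or MAIL_OID in released:
        findings.append("mail attribute still released; DenyValueRule is not in effect")

    return (not findings), findings


def verify_sso(metadata_xml, response_xml):
    """Tie steps 1-3 together: metadata drives the expectations for the response."""
    req = sp_requirements(metadata_xml)
    ok, findings = check_assertion(response_xml, req["entity_id"])
    if EMAIL_FORMAT not in req["nameid_formats"]:
        findings.append("SP metadata does not list emailAddress as a NameID format")
        ok = False
    return ok, findings


if __name__ == "__main__":
    print(verify_sso(SP_METADATA, SAML_RESPONSE))
```

Run it against a real decoded response (for example one captured with a browser SAML tracer after the IdP is signed into) and the findings list tells you which of the three steps did not take effect; an empty list means the entityID, NameID encoder and deny rule are all consistent.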
