Shibboleth Configuration
Shibboleth Disclaimer: Shibboleth is a complex Identity Provider to set up from scratch. This documentation assumes that you have a working Shibboleth installation that is currently able to respond correctly to at least one SAML application.
The following settings are a guide and were used with a working test Shibboleth installation. Your Shibboleth installation may be more complex and require more changes.
Add Simplelists Metadata to the metadata-providers.xml
- Download the metadata.xml from the Simplelists Authentication settings
- Upload the simplelists metadata.xml file
- Rename the file to a unique name (simplelists-metadata.xml)
- Insert the following in metadata-providers.xml before the </MetadataProvider> tag
<MetadataProvider id="simplelists" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/simplelists-metadata.xml" failFastInitialization="false" indexesRef="shibboleth.CASMetadataIndices" />
The following diff can be used as well:
--- metadata-providers.xml-net-saml2 2024-03-14 23:35:09.321574574 +0000
+++ metadata-providers.xml 2024-03-14 23:51:41.781661436 +0000
@@ -91,4 +91,10 @@
metadataURL="https://netsaml2-testapp.local/metadata.xml"
failFastInitialization="false"/>
+ <MetadataProvider id="simplelists"
+ xsi:type="FilesystemMetadataProvider"
+ metadataFile="%{idp.home}/metadata/simplelists-metadata.xml"
+ failFastInitialization="false"
+ indexesRef="shibboleth.CASMetadataIndices" />
+
</MetadataProvider>
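Review bot: the added provider carries indexesRef="shibboleth.CASMetadataIndices", which the neighbouring provider in the context lines (metadataURL="https://netsaml2-testapp.local/metadata.xml" ... failFastInitialization="false"/>) does not; those indices exist for the CAS protocol, and since the page describes Simplelists as a SAML application the attribute can be dropped unless CAS is actually in use. Also, failFastInitialization="false" means a missing or unparseable simplelists-metadata.xml will not stop the IdP from starting and the SP will simply be unknown, so the post-restart IdP log should be checked for this provider's load result rather than assuming the patch alone made the SP trusted.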
- Create a file metadata-providers.xml.diff and insert the diff
- Change to the directory containing metadata-providers.xml
- Test the patch first with a dry run:
  - patch -p0 --dry-run < metadata-providers.xml.diff
- If the dry run succeeds, apply the patch:
  - patch -p0 < metadata-providers.xml.diff
Update the relying-party.xml
This section overrides some of the IdP defaults for the Simplelists relying party, such as assertion encryption and signing:
- Insert the following in relying-party.xml after a closing </bean> tag
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://dev.simplelists.com/app/saml/xml">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:encryptNameIDs="false" />
            <ref bean="SAML2.ECP" />
            <bean parent="SAML2.Logout" p:signResponses="true" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
The following diff can be used as well:
--- relying-party.xml-net-saml2 2024-03-14 23:38:32.687857045 +0000
+++ relying-party.xml 2024-03-14 23:40:23.977181834 +0000
@@ -64,6 +64,17 @@
</property>
</bean>
+ <bean parent="RelyingPartyByName" c:relyingPartyIds="https://dev.simplelists.com/app/saml/xml">
+ <property name="profileConfigurations">
+ <list>
+ <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:encryptNameIDs="false" />
+ <ref bean="SAML2.ECP" />
+ <bean parent="SAML2.Logout" p:signResponses="true" />
+ <ref bean="SAML2.ArtifactResolution" />
+ <ref bean="Liberty.SSOS" />
+ </list>
+ </property>
+ </bean>
<!--
Override example that identifies a single RP by name and configures it
for SAML 2 SSO without encryption. This is a common "vendor" scenario.
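Review bot: p:encryptAssertions="false" on the SAML2.SSO bean switches off assertion encryption for this relying party, so the assertion (and the email address it carries once the NameID change later on this page is made) is protected only by TLS on the browser's POST to the SP; keep p:signAssertions="true" as written so the SP can still verify integrity, and confirm that p:signResponses="false" is what the Simplelists metadata expects, since an SP that requires a signed Response will reject an unsigned one. The c:relyingPartyIds value https://dev.simplelists.com/app/saml/xml must equal the entityID in the downloaded metadata.xml exactly; a RelyingPartyByName override whose ID does not match is never applied and the default profile configuration is used instead.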
- Create a file relying-party.xml.diff and insert the diff
- Change to the directory containing relying-party.xml
- Test the patch first with a dry run:
  - patch -p0 --dry-run < relying-party.xml.diff
- If the dry run succeeds, apply the patch:
  - patch -p0 < relying-party.xml.diff
Allow the emailAddress to be used as a NameID
- Add or uncomment the following in saml-nameid.xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" />
Update the Shibboleth metadata to provide the NameIDFormat
The final step is to add the email address format to the Shibboleth metadata file.
- Add the following in idp-metadata.xml after the last </NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
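A consistency check for the steps above, added here as an example and not Simplelists' or Shibboleth's own code: it confirms that the relying-party.xml override names the entityID found in the downloaded SP metadata, and that both idp-metadata.xml and the SP metadata carry the emailAddress NameIDFormat. The three XML inputs are constructed stand-ins; on a real installation read them from the files the steps edit.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
C_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed stand-ins for the three files; not real Simplelists or IdP content.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dev.simplelists.com/app/saml/xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://dev.simplelists.com/app/saml/xml"/>
</beans>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def relying_party_ids(rp_xml):
    # Every entityID named by a RelyingPartyByName override (c:relyingPartyIds may hold several).
    ids = set()
    for bean in ET.fromstring(rp_xml).iter("{%s}bean" % BEANS):
        if bean.get("parent") == "RelyingPartyByName" and bean.get(C_IDS):
            ids.update(v.strip() for v in bean.get(C_IDS).split(","))
    return ids

def name_id_formats(metadata_xml, role):
    # NameIDFormat values under the given role descriptor (IDPSSODescriptor or SPSSODescriptor).
    root = ET.fromstring(metadata_xml)
    return {e.text.strip() for e in root.findall("{%s}%s/{%s}NameIDFormat" % (MD, role, MD))}

def check(sp_xml, rp_xml, idp_xml):
    """Return the problems found; an empty list means the three files agree."""
    problems = []
    entity_id = ET.fromstring(sp_xml).get("entityID")
    if entity_id not in relying_party_ids(rp_xml):
        problems.append("relying-party.xml has no override for %s" % entity_id)
    if EMAIL_FORMAT not in name_id_formats(idp_xml, "IDPSSODescriptor"):
        problems.append("idp-metadata.xml does not advertise %s" % EMAIL_FORMAT)
    if EMAIL_FORMAT not in name_id_formats(sp_xml, "SPSSODescriptor"):
        problems.append("SP metadata does not list %s" % EMAIL_FORMAT)
    return problems
```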