Configuring Shibboleth for Simplelists SAML2 Authentication

Shibboleth Configuration

Shibboleth Disclaimer: Shibboleth is a complex Identity Provider to set up from scratch. This documentation assumes that you have a working Shibboleth installation that is currently able to respond correctly to at least one SAML application.

The following settings are a guide and were used with a working test Shibboleth installation. Your Shibboleth installation may be more complex and require more changes.

Add Simplelists Metadata to the metadata-providers.xml

  1. Download the metadata.xml from the Simplelists Authentication settings
  2. Upload the Simplelists metadata.xml file to the IdP's metadata directory (%{idp.home}/metadata/)
  3. Rename the file to a unique name (simplelists-metadata.xml)
  4. Insert the following in metadata-providers.xml before the closing </MetadataProvider> tag
        <MetadataProvider id="simplelists"
                          xsi:type="FilesystemMetadataProvider"
                          metadataFile="%{idp.home}/metadata/simplelists-metadata.xml"
                          failFastInitialization="false"
                          indexesRef="shibboleth.CASMetadataIndices" />

The following diff can be used as well:

--- metadata-providers.xml-net-saml2    2024-03-14 23:35:09.321574574 +0000
+++ metadata-providers.xml    2024-03-14 23:51:41.781661436 +0000
@@ -91,4 +91,10 @@
                   metadataURL="https://netsaml2-testapp.local/metadata.xml"
            failFastInitialization="false"/>

+ <MetadataProvider id="simplelists" + xsi:type="FilesystemMetadataProvider" + metadataFile="%{idp.home}/metadata/simplelists-metadata.xml" + failFastInitialization="false" + indexesRef="shibboleth.CASMetadataIndices" /> + </MetadataProvider>
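Review bot: the added lines end with a `+ </MetadataProvider>` line, yet the instructions above say the new provider goes before an existing `</MetadataProvider>`; if that closing tag is also part of the unchanged context, the patched file carries two closing tags, is no longer well-formed XML, and the IdP will fail to load it on restart (`patch --dry-run` checks context, not well-formedness, so it will not catch this). Confirm the result has exactly one closing tag for the chaining provider. Note also that `failFastInitialization="false"` turns a missing or unreadable simplelists-metadata.xml into a log message rather than a startup failure, so check the IdP log after reload to verify the simplelists provider actually loaded.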

  1. Create a file metadata-providers.xml.diff containing the diff above
  2. Change to the directory containing metadata-providers.xml
  3. Test the patch without applying it
    • patch -p0 --dry-run < metadata-providers.xml.diff
  4. If the dry run succeeds, apply the patch
    • patch -p0 < metadata-providers.xml.diff
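As an added example (not code from this guide, Shibboleth or Simplelists), the following Python script performs the same insertion as step 4 above and then checks the result the way you would want to before restarting the IdP: the file must still parse, provider ids must be unique, and the metadata file the new provider points at must exist under idp.home. The metadata-providers.xml content it works on is a constructed minimal sample in the shape of the stock file; the idp.home it uses is a temporary directory created for the demo.

```python
"""Insert the Simplelists metadata provider and sanity-check metadata-providers.xml.

Added example for this guide, not code from Shibboleth or Simplelists. SAMPLE_FILE is a
constructed, minimal metadata-providers.xml with the same shape as the stock file (a
chaining root provider containing the existing providers); the netsaml2 provider in it is
modelled on the context lines of the diff in this guide, with a constructed backingFile.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:mace:shibboleth:2.0:metadata"

SAMPLE_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <MetadataProvider id="netsaml2" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="https://netsaml2-testapp.local/metadata.xml"
                      backingFile="%{idp.home}/metadata/netsaml2-metadata.xml"
                      failFastInitialization="false"/>

</MetadataProvider>
"""

# The provider element from step 4 of the guide.
SIMPLELISTS_PROVIDER = """    <MetadataProvider id="simplelists"
                      xsi:type="FilesystemMetadataProvider"
                      metadataFile="%{idp.home}/metadata/simplelists-metadata.xml"
                      failFastInitialization="false"
                      indexesRef="shibboleth.CASMetadataIndices" />

"""


def insert_provider(xml_text, provider_xml):
    """Place provider_xml just before the last </MetadataProvider>, i.e. inside the chain."""
    idx = xml_text.rfind("</MetadataProvider>")
    if idx < 0:
        raise ValueError("no closing </MetadataProvider> tag found")
    return xml_text[:idx] + provider_xml + xml_text[idx:]


def check_providers(xml_text, idp_home):
    """Return the problems found: malformed XML, duplicate provider ids, or a
    FilesystemMetadataProvider whose metadataFile is missing under idp_home.
    With failFastInitialization="false" the IdP would only log the last of these."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, seen = [], set()
    for el in root.iter(f"{{{MD_NS}}}MetadataProvider"):
        pid = el.get("id")
        if pid in seen:
            problems.append(f"duplicate MetadataProvider id {pid!r}")
        seen.add(pid)
        path = el.get("metadataFile")
        if path is not None:
            resolved = path.replace("%{idp.home}", idp_home)
            if not os.path.isfile(resolved):
                problems.append(f"{pid}: metadataFile {resolved} not found")
    return problems


def demo():
    """Apply the insert correctly, then reproduce three mistakes and report what the check finds."""
    idp_home = tempfile.mkdtemp(prefix="idp-home-")
    os.makedirs(os.path.join(idp_home, "metadata"))
    # Stand-in for the file downloaded from Simplelists (constructed placeholder content).
    with open(os.path.join(idp_home, "metadata", "simplelists-metadata.xml"), "w") as fh:
        fh.write("<EntityDescriptor xmlns='urn:oasis:names:tc:SAML:2.0:metadata' entityID='placeholder'/>")
    good = insert_provider(SAMPLE_FILE, SIMPLELISTS_PROVIDER)
    return {
        "good": check_providers(good, idp_home),
        "extra_closing_tag": check_providers(good + "</MetadataProvider>\n", idp_home),
        "inserted_twice": check_providers(insert_provider(good, SIMPLELISTS_PROVIDER), idp_home),
        "file_not_uploaded": check_providers(good, "/nonexistent/idp-home"),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, problems or "OK")
```

Running the script prints one line per scenario; only the correctly edited file comes back clean, while a stray second closing tag, a provider pasted in twice, and a metadata file that was never uploaded are each reported. Point check_providers at your real file and idp.home to run the same checks in place.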

Update the relying-party.xml

This section overrides some of the profile defaults for the Simplelists relying party (assertion encryption, response and assertion signing, etc.):

  1. Insert the following in relying-party.xml after a closing </bean> tag
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://dev.simplelists.com/app/saml/xml">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:encryptNameIDs="false" />
                    <ref bean="SAML2.ECP" />
                    <bean parent="SAML2.Logout" p:signResponses="true" />
                    <ref bean="SAML2.ArtifactResolution" />
                    <ref bean="Liberty.SSOS" />
                </list>
            </property>
        </bean>

The following diff can be used as well:

--- relying-party.xml-net-saml2    2024-03-14 23:38:32.687857045 +0000
+++ relying-party.xml    2024-03-14 23:40:23.977181834 +0000
@@ -64,6 +64,17 @@
             </property>
     </bean>

+ <bean parent="RelyingPartyByName" c:relyingPartyIds="https://dev.simplelists.com/app/saml/xml"> + <property name="profileConfigurations"> + <list> + <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:encryptNameIDs="false" /> + <ref bean="SAML2.ECP" /> + <bean parent="SAML2.Logout" p:signResponses="true" /> + <ref bean="SAML2.ArtifactResolution" /> + <ref bean="Liberty.SSOS" /> + </list> + </property> + </bean> <!-- Override example that identifies a single RP by name and configures it for SAML 2 SSO without encryption. This is a common "vendor" scenario.
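Review bot: the hunk as shown ends with an opened `<!-- Override example that identifies a single RP by name ...` comment and no closing `-->`, so the new bean has evidently been placed in front of a comment that already exists in the stock file; confirm that comment still closes properly after patching, since an unterminated comment makes the whole file unparseable. On the settings themselves: `p:encryptAssertions="false"` together with `p:signResponses="false"` leaves `p:signAssertions="true"` as the only integrity control on the assertion, which then travels in clear through the user's browser (protected by TLS and the assertion signature only), so keep signAssertions set to true. Also make sure the `c:relyingPartyIds` value matches the entityID in the Simplelists metadata exactly; if it does not, the override is silently never selected and the IdP uses the default profile configuration for that SP.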

  1. Create a file relying-party.xml.diff containing the diff above
  2. Change to the directory containing relying-party.xml
  3. Test the patch without applying it
    • patch -p0 --dry-run < relying-party.xml.diff
  4. If the dry run succeeds, apply the patch
    • patch -p0 < relying-party.xml.diff

Allow the emailAddress to be used as a NameID

  1. Add or uncomment the following in saml-nameid.xml (use plain ASCII single quotes around mail; typographic quotes break the expression)
            <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                p:omitQualifiers="true"
                p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                p:attributeSourceIds="#{ {'mail'} }" />

Update the Shibboleth metadata to provide the NameIDFormat

The final step is to add the email address format to the Shibboleth metadata file.

  1. Add the following in idp-metadata.xml after the last

        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
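Pulling the relying-party override and the two NameID edits together, here is an added Python lint (not from this guide, Shibboleth or Simplelists) over constructed copies of the three files. It confirms that the Simplelists entityID has a RelyingPartyByName override whose SAML2.SSO profile still signs assertions once encryption is switched off, that saml-nameid.xml has a generator for the emailAddress format written with ASCII quotes, and that idp-metadata.xml advertises that same format. The IdP entityID in the sample is a placeholder, and the Spring namespace declarations are included so the p:/c: attributes parse.

```python
"""Lint the relying-party.xml override and the NameID settings from this guide.

Added example, not part of Shibboleth or Simplelists. The three XML samples are
constructed to mirror the snippets in this guide; the IdP entityID is a placeholder.
"""
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
C = "http://www.springframework.org/schema/c"
SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SIMPLELISTS_ID = "https://dev.simplelists.com/app/saml/xml"

RELYING_PARTY = f"""<beans xmlns="{BEANS}" xmlns:c="{C}" xmlns:p="{P}">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="{SIMPLELISTS_ID}">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false"
              p:signAssertions="true" p:encryptNameIDs="false" />
        <ref bean="SAML2.ECP" />
        <bean parent="SAML2.Logout" p:signResponses="true" />
      </list>
    </property>
  </bean>
</beans>"""

SAML_NAMEID = f"""<beans xmlns="{BEANS}" xmlns:p="{P}"
  xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
          p:format="{EMAIL_FMT}" p:attributeSourceIds="#{{ {{'mail'}} }}" />
  </util:list>
</beans>"""

IDP_METADATA = f"""<EntityDescriptor xmlns="{SAML_MD}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>{EMAIL_FMT}</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def lint_relying_party(xml_text, entity_id):
    """Problems with the RelyingPartyByName override for entity_id. A missing override is
    itself a finding: the IdP would then apply its default profile configuration."""
    problems, found = [], False
    for rp in ET.fromstring(xml_text).iter(f"{{{BEANS}}}bean"):
        if rp.get("parent") != "RelyingPartyByName":
            continue
        # c:relyingPartyIds is treated here as a comma-separated list of entityIDs.
        ids = [i.strip() for i in rp.get(f"{{{C}}}relyingPartyIds", "").split(",")]
        if entity_id not in ids:
            continue
        found = True
        for prof in rp.iter(f"{{{BEANS}}}bean"):
            if prof.get("parent") != "SAML2.SSO":
                continue
            encrypt = prof.get(f"{{{P}}}encryptAssertions")
            sign_a = prof.get(f"{{{P}}}signAssertions")
            sign_r = prof.get(f"{{{P}}}signResponses")
            if encrypt == "false" and sign_a != "true":
                problems.append("SAML2.SSO: encryption off but signAssertions is not true")
            if sign_r == "false" and sign_a != "true":
                problems.append("SAML2.SSO: neither responses nor assertions are signed")
    if not found:
        problems.append(f"no RelyingPartyByName override for {entity_id}")
    return problems


def lint_nameid(nameid_xml, metadata_xml, fmt):
    """fmt needs a generator in saml-nameid.xml and must be advertised in idp-metadata.xml."""
    problems = []
    gens = [b for b in ET.fromstring(nameid_xml).iter(f"{{{BEANS}}}bean")
            if b.get(f"{{{P}}}format") == fmt]
    if not gens:
        problems.append(f"saml-nameid.xml: no generator for {fmt}")
    for gen in gens:
        sources = gen.get(f"{{{P}}}attributeSourceIds", "")
        if any(ch in sources for ch in "\u2018\u2019"):  # curly quotes from copy-paste
            problems.append("saml-nameid.xml: attributeSourceIds uses typographic quotes; SpEL needs ASCII '")
    advertised = {el.text.strip() for el in ET.fromstring(metadata_xml).iter(f"{{{SAML_MD}}}NameIDFormat") if el.text}
    if fmt not in advertised:
        problems.append(f"idp-metadata.xml: {fmt} not listed as a NameIDFormat")
    return problems


def demo():
    """Run the checks over the good samples and over broken variants of each file."""
    unsigned = RELYING_PARTY.replace('p:signAssertions="true"', 'p:signAssertions="false"')
    curly = SAML_NAMEID.replace("'mail'", "\u2019mail\u2019")
    no_format = IDP_METADATA.replace(f"<NameIDFormat>{EMAIL_FMT}</NameIDFormat>", "")
    return {
        "rp_ok": lint_relying_party(RELYING_PARTY, SIMPLELISTS_ID),
        "rp_unsigned": lint_relying_party(unsigned, SIMPLELISTS_ID),
        "rp_missing": lint_relying_party(RELYING_PARTY, "https://other.example/sp"),
        "nameid_ok": lint_nameid(SAML_NAMEID, IDP_METADATA, EMAIL_FMT),
        "nameid_curly": lint_nameid(curly, IDP_METADATA, EMAIL_FMT),
        "nameid_not_advertised": lint_nameid(SAML_NAMEID, no_format, EMAIL_FMT),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, problems or "OK")
```

To lint a real deployment, read the three files from %{idp.home}/conf and %{idp.home}/metadata and pass their contents to lint_relying_party and lint_nameid with the entityID from the Simplelists metadata; an empty list from both means the override is selected, assertions stay signed, and the email NameID format is both generated and advertised.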