How to enroll Flex Appliance as a service provider to the Shibboleth identity provider

Article: 100054215
Last Published: 2022-12-21
Ratings: 0 0
Product(s): Appliances

To enroll Flex Appliance as a service provider to Shibboleth

Before you begin, make sure that the Shibboleth identity provider is installed and is connected to the Active Directory or the LDAP domain.

  1. Download the Shibboleth IDP metadata.xml file with the Shibboleth API: https://<shibbolleth server>/idp/shibboleth. This metadata file is required to configure Shibboleth on your Flex appliance.
  2. Download the Flex Appliance service provider metadata.xml from the Flex Appliance Console or with the following Flex API: https://<flex appliance>/api/v1/single-signon/metadata.
  3. Copy the downloaded sp-metadata.xml to the Shibboleth IDP.
  4. Add the MetadataProvider to the {idp_install_dir}\conf\metadata-providers.xml file on the Shibboleth IDP, as follows:
    <MetadataProvider id="<policy ID name>"  xsi:type="FilesystemMetadataProvider" metadataFile="<sp-metadata.xml file path>"/>
  5. For the NameID configuration, navigate to {idp_install_dir}\conf\saml-nameid.xml  and add the following information to map the nameidentifier to the email address:
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'userPrincipalName'} }" />
  6. Add the AttributeRules for the userPrincipalName and the memberOf  attributes to the {idp_install_dir}\conf\attribute-filter.xml file on the Shibboleth IDP, as follows:

    <AttributeFilterPolicy id="<policy ID name>">
        <PolicyRequirementRule xsi:type="Requester" value="<sp-metadata entity id>" />

        <AttributeRule attributeID="memberOf">
            <PermitValueRule xsi:type="ANY" />
        <AttributeRule attributeID="userPrincipalName">
    <PermitValueRule xsi:type="ANY" />
    Note: When you add the IDP configuration to the Flex Appliance IDP configuration page, the values that you enter for the User and the Group fields must match the SAML attribute names (Value field) that are mapped to the userPrincipalName and the memberOf attributes in the AD or the LDAP directory (Name field).

  7. To enable shibboleth SLO, uncomment the SLO section in {idp_install_dir}\metadata/idp-meta.xml.

  8. Uncomment the following settings in the {idp_install_dir}/conf/ file:
    idp.session.secondaryServiceIndex = true
    idp.session.trackSPSessions = true
    sessions idp.session.StorageService = shibboleth.StorageService

  9. Restart the Shibboleth IDP daemon.



Was this content helpful?