# Shibboleth This integration guide has been tested on Shibboleth version 4 and version 5. ### Note > Throughout this guide, `%{idp.home}` is the directory where you installed your Shibboleth Identity Provider. When configuring Shibboleth, make sure to replace `%{idp.home}` with your specific path (e.g. `/opt/shibboleth`) ### Preliminary steps #### 1. Ensure Compatibility with SAML2 Endpoints To ensure that your Shibboleth IdP is compatible with SAML2 endpoints, you need to locate and inspect the IdP metadata file. This file is typically stored at the location `%{idp.home}/metadata/idp-metadata.xml`. Check the `` entries in the metadata file to verify whether the existing endpoints are compatible with **SAML2**. Typically, the base URL is already configured in your IdP settings and corresponds to something like `https://idp.example.org/idp/profile`, where `idp.example.org` is the IdP’s domain in this example. Here are the required SAML2 bindings: ```xml ``` {% hint style="info" %} **Note:** The URLs above are provided as examples. **Replace** `https://idp.example.org/idp` with the actual domain and base path used by your IdP. {% endhint %} These bindings should already be present in your metadata file. If you do not see them, you will need to **add** these entries manually to ensure your IdP supports the required SAML2 endpoints. Do not replace any existing entries; simply append these lines to your metadata file as necessary. #### 2. Download IdP metadata file Download and store the metadata XML file from your Shibboleth IDP, usually at the following location `%{idp.home}/metadata/idp-metadata.xml` .
Example of idp-metadata.xml with SAML2 endpoint compatibility ```xml ... ... ```
### Cusna setup 1. Go to **Setup** and find the **IdP Integration** card. 2. Select **SAML** as **System** and **Shibboleth** as **Type**.
2. After selecting Shibboleth as SSO system, fill in a name to identify the integration. \ Then upload the IdP metadata XML file (downloaded in the preliminary step).
3. Once the name is filled and the file is uploaded, click the **Save** button. This action will save the integration data in the Cusna system.
4. Download the **Cusna metadata XML file** from the download section that will appear. Rename the metadata file to `cusna-metadata.xml` .
Example of cusna-metadata.xml ```xml ... ... ```
5. Take note of the parameter `entityID` inside the `cusna-metadata.xml` file. This value will be usued in the IdP configuration to identify the Cusna SP .
Example of entityID ``` https://cusnaio.cloud4wi.com/saml2/lynx/v1/289e7f7522caec89e43537c78b997bbb145f783b8bcb367fe74e681f71847b86 ```
### Shibboleth server setup #### Link Shibboleth IdP and Cusna SP There are multiple ways to configure the IdP to correctly communicate with the Cusna SP. The following one is one general option: #### 1. Provide SP metadata with static file system metada provider * **Upload the Metadata File**\ First, upload the `cusna-metadata.xml` file (which you downloaded in the previous step) to a folder on the Shibboleth server. For example, place it in the following directory:\ `%{idp.home}/metadata/` * **Edit the Metadata Provider Configuration**\ Next, open the Shibboleth metadata provider configuration file `metadata-providers.xml`. This file can be found at the following location:\ `%{idp.home}/conf/metadata-providers.xml` * **Add the Metadata Provider Entry**\ In `metadata-providers.xml`, add the following entry to include the Cusna metadata file as a static file system metadata provider: ```xml ```
Example of edited metadata-providers.xml {% code fullWidth="true" %} ```xml https://mdq.incommon.org/ ``` {% endcode %}
#### 2. Ensure Shibboleth IdP Trusts the SP To establish a trust relationship between Shibboleth and Cusna, you need to define a new **RelyingParty** element in the Shibboleth configuration file located at:\ `%{idp.home}/conf/relying-party.xml` * **Edit the Relying Party Configuration**\ Open the `relying-party.xml` file and add the following XML snippet to define the Cusna service provider (SP): ```xml ``` {% hint style="info" %} Make sure the `c:relyingPartyIds` (line 1) matches the **entityID** value specified in Cusna metadata XML file **cusna-metadata.xml**. In our example this would be `c:relyingPartyIds="https://cusnaio.cloud4wi.com/saml2/lynx/v1/289e7f7522caec89e43537c78b997bbb145f783b8bcb367fe74e681f71847b86"` {% endhint %}
Example of edited relying-party.xml ```xml ```
#### 3. SAML attribute mapping To ensure proper communication between your Shibboleth Identity Provider (IdP) and the Cusna Service Provider (SP), you must map the attributes in a way that Cusna can understand. The attribute names must comply with the SAML2 standard and be correctly mapped to the expected values. Please note that the attribute naming matches with the SAML2 standard.
Internal AttributeSAML Attribute NameRequired
mailurn:oid:0.9.2342.19200300.100.1.3yes
givenNameurn:oid:2.5.4.42no
snurn:oid:2.5.4.4no
eduPersonAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.1no
The following steps guide you through configuring your Shibboleth IdP to send the required attributes in a format that Cusna can process. This procedure will ensure that the configuration for Cusna does not interfere with other Service Providers (SPs) that may also be configured on your IdP. * Define new Cusna specific **Attribute Mappings** in **`attribute-resolver.xml`**\ \ To start, you need to define the necessary attribute mappings in the `attribute-resolver.xml` file, which is located in:\ \ `%{idp.home}/conf/attribute-resolver.xml` * Add the following definitions to this file to map the required attributes:
```xml ```
Example of edited attribute-resolver.xml ```xml ```
* Define **Attribute Release Policy** in `attribute-filter.xml`
Next, configure the `attribute-filter.xml` file to ensure that only the attributes necessary for Cusna are released. This file is located in:\ \ `%{idp.home}/conf/attribute-filter.xml` \ Add the following filter policy to the file:
```xml ``` \ **PolicyRequirementRule**: Ensures that these attributes are only released to the Cusna SP by checking the `entityID` of the requesting SP. The `value="%{entityID}"` should match the `entityID` in the Cusna metadata XML file.\ \ **AttributeRules**: Each attribute (`cusnaEmail`, `cusnaGivenName`, `cusnaSn`, `cusnaGroups`) is released to the requesting SP with a `PermitValueRule` that allows all values for each attribute. {% hint style="info" %} Make sure the `Requester` matches the **entityID** value specified in Cusna metadata XML file **cusna-metadata.xml**. In our example this would be \](https://cusnaio.cloud4wi.com/saml2/lynx/v1/289e7f7522caec89e43537c78b997bbb145f783b8bcb367fe74e681f71847b86"/>) {% endhint %}
Example of edited attribute-filter.xml ```xml ```
This configuration ensures that **only Cusna SP** receives the required attributes with the specified names, without affecting other SPs configured on your IdP. At this point the integration is correctly configured and users can login using their own credentials.