SSO AuthenticationSAML 2.0
Shibboleth
Configure a Shibboleth Identity Provider as a SAML 2.0 identity provider for Safeguard.
Shibboleth
- Add a relying party entry for Safeguard's SP metadata on your Shibboleth Identity Provider (
metadata-providers.xml, or publish Safeguard's Metadata URL where your IdP can fetch it). - Configure an attribute-filter policy releasing the
mailattribute to Safeguard's entity ID as the NameID. - Ensure the released attribute's SAML attribute name (or an attribute-resolver alias for it) is exactly
email— separate from the NameID transform above; Safeguard reads this named attribute. - Note your IdP's SSO endpoint (typically
/idp/profile/SAML2/POST/SSO) and Entity ID (typically/idp/shibboleth), and export the IdP signing certificate. - In Safeguard, click Add Provider → SAML 2.0 → Shibboleth, and enter the SSO endpoint, Entity ID, and certificate.
- Reload the Shibboleth IdP service so the new relying party takes effect.
- Click Test in Safeguard to confirm.
Common errors: an assertion that arrives with no email attribute means the attribute-filter policy isn't releasing mail to Safeguard's entity ID — check attribute-filter.xml.