Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Shibboleth

Configure a Shibboleth Identity Provider as a SAML 2.0 identity provider for Safeguard.

Shibboleth

  1. Add a relying party entry for Safeguard's SP metadata on your Shibboleth Identity Provider (metadata-providers.xml, or publish Safeguard's Metadata URL where your IdP can fetch it).
  2. Configure an attribute-filter policy releasing the mail attribute to Safeguard's entity ID as the NameID.
  3. Ensure the released attribute's SAML attribute name (or an attribute-resolver alias for it) is exactly email — separate from the NameID transform above; Safeguard reads this named attribute.
  4. Note your IdP's SSO endpoint (typically /idp/profile/SAML2/POST/SSO) and Entity ID (typically /idp/shibboleth), and export the IdP signing certificate.
  5. In Safeguard, click Add Provider → SAML 2.0 → Shibboleth, and enter the SSO endpoint, Entity ID, and certificate.
  6. Reload the Shibboleth IdP service so the new relying party takes effect.
  7. Click Test in Safeguard to confirm.

Common errors: an assertion that arrives with no email attribute means the attribute-filter policy isn't releasing mail to Safeguard's entity ID — check attribute-filter.xml.

On this page