Before you begin
Before setting up your new Shibboleth configuration, you'll want to work with your IT staff on the following:
- Your IT staff must add Springshare as an authorized service provider using the appropriate Entity ID for your region unless your site automatically adds InCommon service providers (see the InCommon Federation Technical Guide for more info). When setting up a manual SAML configuration, you will find a link to the Entity ID at the top of the Configuration tab.
- Obtain the URL to your SAML Metadata XML file from your IT staff.
- If you use Shibboleth 2.x and above, ask your IT staff if your system uses a custom logout URL. This URL can be used with LibAuth.
- Obtain the attributes used for First Name, Last Name, and Email from your IT staff. For attribute release, use the following Name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- If you want to set up optional group permissions, you'll need to know the names of certain attributes (such as status or department), along with their possible values.
  - For example, if you have an attribute for "Department", you'll want to know the names of the departments that you can pick from.
  - This will allow you to create group permissions so you can restrict access to things by a department.
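Before entering the metadata URL, it can help to review the XML your IT staff hands over. The following is an added example, not Springshare's code: a Python sketch that checks an IdP metadata document for a signing key, HTTPS endpoints, the transient Name ID format named above, and a logout endpoint. The `idp.example.edu` metadata and the function name `check_idp_metadata` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample metadata with several deliberate weaknesses.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo/></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return (entity_id, findings) for a single IdP EntityDescriptor document."""
    # Refuse DTDs up front so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return entity_id, ["no IDPSSODescriptor: this is not IdP metadata"]
    findings = []
    # A KeyDescriptor with use="signing", or with no use attribute, can verify signatures.
    keys = idp.findall("md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "signing") for k in keys):
        findings.append("no signing KeyDescriptor")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        findings.append("no SingleSignOnService endpoint")
    slo = idp.findall("md:SingleLogoutService", NS)
    for ep in sso + slo:
        if not ep.get("Location", "").startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {ep.get('Location')}")
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    # An empty list means the IdP states no preference, so only flag explicit lists.
    if formats and TRANSIENT not in formats:
        findings.append("transient NameIDFormat not advertised")
    if not slo:
        findings.append("no SingleLogoutService: ask IT about a custom logout URL")
    return entity_id, findings
```

An empty findings list means the document passed these checks only; it does not confirm that the metadata came from your IdP, so fetch it over HTTPS from the URL your IT staff provided.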
LibApps Admin users can create and manage LibAuth configurations by going to LibApps > Admin > LibAuth Authentication.
From the Admin > LibAuth Authentication page:
- If you have not yet created a LibAuth configuration, skip to Step 2. Otherwise, click on the Add Configuration button to create another one.
- Below the Search for Your Institution dropdown, click on the Manual Configuration link.
- Select SAML/Shibboleth/ADFS as your authentication protocol.
- Configure your server information & parameters.
  - Select "No" for the InCommon membership option.
  - Select "No" for the UK Federation membership option.
  - Enter the URL to your SAML metadata XML file.
  - If you use Shibboleth 2.x and have a custom logout URL, enter that to use it with LibAuth.
- Configure the attributes released from your server.
  - Enter the field name of the attribute that contains the user's first name (optional, but recommended).
  - Enter the field name of the attribute that contains the user's last name (optional, but recommended).
  - Enter the field name of the attribute that contains the user's email address (required).
- Give your configuration a name.
  - If you'd like, you can also provide notes or details about this configuration for your reference.
- Click the Save Configuration button.
- Learn how to add group permission rules to your new configuration.
- Learn how to allow users to log in to LibApps with this configuration.
  - This gives you the option to only allow users to log in via your SSO.
- Learn how to test and troubleshoot your Shibboleth configuration.