flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Using the SAML SP Plugin with a Shibboleth IdP #103

Closed sgurnick closed 3 years ago

sgurnick commented 3 years ago

I'm running Craft 3.6.10 with the SAML SP plugin 2.6.6.

The IdP that I will be integrating with is a Shibboleth IdP. First off, is Shibboleth supported with this plugin? It uses standard SAML 2.0, but I know each IdP has its own idiosyncrasies.

If Shibboleth is supported as an IdP, I need to specify the attributes to be included in the SAML response after a successful log-in.

Looking at the SAML SP plugin configuration for setting up a New Identity Provider (IDP), it says the NameID will be used for the Craft user's username. I understand I may need to map this accordingly; however, it appears the plugin is expecting a URL of the form http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to identify the attributes.

I believe our Shibboleth IdP provides attributes using the URN/OID naming convention - for example:

Does this plug-in support identifying and mapping attributes in this manner?

dsmrt commented 3 years ago

👋 @sgurnick,

Yes, the plugin should support all of this. When you configure the IdP, you map the field values as needed (so the field name from the SAML Assertion attributes, like urn:oid:0.9.2342.19200300.100.1.3, to the Craft field names, like Email). There's also a nameIdOverride field you can use to map the attribute you'd like to use for the Craft username.

Honestly, I don't have much experience with Shibboleth IdPs so I would be interested in any issues that you run into with configuration. As far as I've understood, it should work fine with the SAML 2.0 protocol which is the goal of the plugin.

Let me know how this goes and if you have any other questions, please reach out!
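As an added illustration of the mapping described above (this is not the plugin's code; the assertion, `FIELD_MAP` and the `name_id_override` parameter are constructed for the example), this parses a Shibboleth-style assertion whose attributes are named with `urn:oid` values, maps them onto Craft user fields, and shows why a stable attribute is usually substituted for a transient NameID as the username:

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Shibboleth-style assertion with a transient NameID
# and attributes named by urn:oid rather than claims-style URLs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: assertion attribute name -> Craft user field.
FIELD_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": "email",      # mail
    "urn:oid:2.5.4.42": "firstName",                   # givenName
    "urn:oid:2.5.4.4": "lastName",                     # sn (absent from sample)
}

def extract_attributes(xml_text):
    """Return (NameID value, {attribute Name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), attrs

def map_user(xml_text, field_map, name_id_override=None):
    """Build a Craft-style user dict; name_id_override names the attribute
    to use as username instead of NameID (a transient NameID changes every
    session, so mapping it directly would create a new user per login)."""
    name_id, attrs = extract_attributes(xml_text)
    user = {field: attrs[name][0] for name, field in field_map.items() if name in attrs}
    if name_id_override is None:
        user["username"] = name_id
    elif name_id_override in attrs and attrs[name_id_override]:
        user["username"] = attrs[name_id_override][0]
    else:
        # Fail closed rather than silently falling back to the transient NameID.
        raise ValueError(f"override attribute {name_id_override} missing from assertion")
    return user
```

Attributes not present in the assertion are simply left unset on the user, while a missing override attribute is treated as an error so that a misconfigured IdP release policy is caught at login rather than producing orphaned accounts.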

dsmrt commented 3 years ago

Closing cause I'm not sure if there's anything else needed. Let me know if there is!