Shibboleth Interconnection

Preamble

Connecting the LockSelf application to an identity federation is done via the SAMLv2 protocol. It is therefore possible to connect the application to your Shibboleth IDP.

Note: depending on the installation and the version of Shibboleth used, the elements presented may vary slightly.

Step 1: Upload the IDP metadata to LockSelf

This first step consists of retrieving the metadata file from your IDP.

Retrieve the URL or metadata file and enter it in the LockSelf application. For this, refer to this documentation: SSO Interconnection Configuration (private cloud only).

Step 2: Retrieve the application metadata

Once you have uploaded your IDP metadata file to LockSelf, you can retrieve the application metadata, which you will use to create the connector, at the following URL:

https://FQDN/saml2/metadata

(where FQDN is to be replaced by the domain name of your LockSelf installation)

Step 3: Update the metadata-providers.xml file

This third step will add LockSelf to your list of service providers.

You will need to add the following element to this file:

<MetadataProvider id="LockSelf"
  xsi:type="FileBackedHTTPMetadataProvider"
  backingFile="%{idp.home}/metadata/lockself-metadata.xml"
  disregardTLSCertificate="true"
  metadataURL="https://FQDN/saml2/metadata">
</MetadataProvider>
  • "backingFile" must be the local path under which the LockSelf application metadata (retrieved in Step 2) is stored.
  • "metadataURL" must be the URL at which the LockSelf metadata is accessed. FQDN must be replaced by the domain name chosen for your installation.

Step 4: Prepare the attributes

You must now prepare the attributes that will be sent by the IDP to the application. As a reminder, the three attributes to send are:

  • firstname (containing the user's first name)
  • lastname (containing the user's last name)
  • mail (containing the user's email)

In the attribute-filter.xml file, you will need to create these attributes if they are not already defined. For example:

<AttributeFilterPolicy>
  <AttributeRule attributeID="firstname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="lastname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

Step 5: Attribute binding

Once the attributes are created and usable, you will need to create the rules that map the user's directory attributes to the names expected by the LockSelf application.

To do this, you will need to modify the attribute-resolver-ldap.xml file based on the example below:

<!-- LockSelf -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="firstname" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="lastname" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="mail" />
</resolver:AttributeDefinition>
  • "sourceAttributeID" is the name of the source attribute in your IDP's directory. This value must be adapted to the IDP configuration.
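As an added check (not LockSelf or Shibboleth code), the following Python script lints the three fragments from Steps 3 to 5 together: it flags disregardTLSCertificate="true" (which makes the IDP fetch the LockSelf metadata without verifying the TLS certificate) and an unreplaced FQDN placeholder in the MetadataProvider, and lists any of the three required attributes that the resolver does not define with an encoder of the same name or that the filter does not release. The embedded samples are constructed from the page's fragments, with xmlns declarations added only so that the prefixes parse; the resolver sample deliberately omits "mail".

```python
import xml.etree.ElementTree as ET

REQUIRED = ("firstname", "lastname", "mail")  # the three attributes LockSelf expects

def _local(tag):
    """Strip the namespace URI that ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]

def check_metadata_provider(xml_text):
    """Findings for the LockSelf <MetadataProvider> element (Step 3)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "MetadataProvider" or el.get("id") != "LockSelf":
            continue
        if el.get("disregardTLSCertificate") == "true":  # metadata fetched without TLS checks
            findings.append("TLS certificate verification disabled for metadata fetch")
        if "FQDN" in el.get("metadataURL", ""):
            findings.append("metadataURL still contains the FQDN placeholder")
        if not el.get("backingFile"):
            findings.append("backingFile not set")
    return findings

def check_attributes(filter_xml, resolver_xml):
    """Required attributes the resolver (Step 5) does not define with an encoder
    of the same name, or the filter (Step 4) does not release."""
    defined = {el.get("id") for el in ET.fromstring(resolver_xml).iter()
               if _local(el.tag) == "AttributeDefinition"
               and any(_local(c.tag) == "AttributeEncoder"
                       and c.get("name") == el.get("id") for c in el)}
    released = {el.get("attributeID") for el in ET.fromstring(filter_xml).iter()
                if _local(el.tag) == "AttributeRule"
                and any(_local(c.tag) == "PermitValueRule" for c in el)}
    return {"undefined": sorted(set(REQUIRED) - defined),
            "unreleased": sorted(set(REQUIRED) - released)}

# Constructed samples built from the page's fragments, with namespace declarations
# added so they parse stand-alone; the resolver deliberately omits "mail".
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
PROVIDER = ('<MetadataProvider id="LockSelf" ' + XSI + ' xsi:type="FileBackedHTTPMetadataProvider"'
            ' backingFile="%{idp.home}/metadata/lockself-metadata.xml"'
            ' disregardTLSCertificate="true" metadataURL="https://FQDN/saml2/metadata"/>')
FILTER = ('<AttributeFilterPolicy ' + XSI + '>' + ''.join(
    '<AttributeRule attributeID="%s"><PermitValueRule xsi:type="ANY"/></AttributeRule>' % a
    for a in REQUIRED) + '</AttributeFilterPolicy>')
RESOLVER = ('<root ' + XSI + ' xmlns:resolver="urn:mace:shibboleth:2.0:resolver">' + ''.join(
    '<resolver:AttributeDefinition xsi:type="ad:Simple" id="%s" sourceAttributeID="%s">'
    '<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="%s"/>'
    '</resolver:AttributeDefinition>' % (a, src, a)
    for a, src in (("firstname", "givenName"), ("lastname", "sn"))) + '</root>')
```

To run it against a real IdP, pass the contents of metadata-providers.xml, attribute-filter.xml and attribute-resolver-ldap.xml to the two functions instead of the samples.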

Step 6: Verify the connection

Once these steps are completed, you will be able to test the connector:

  • Step 1: To test correctly, open a private browsing window and go to your infrastructure URL (https://FQDN/?sso). If you are using the browser extension, click on the gear icon, then on "Clear cache".
  • Step 2: On the SSO tab, enter your email in the displayed field or click directly on the "Sign in" button.
  • Step 3: You will be redirected to your organization's Shibboleth SSO portal, where you can authenticate.
  • Step 4: Once authenticated, you will be redirected to LockSelf, which will ask you to create the PIN code associated with your account.

Refer to this documentation if needed: SSO (Single Sign-On) connection.

Step 7: Update the connector

The signing certificate or the token encryption certificate of the Shibboleth connector sometimes needs to be renewed.

In this case, you will need to upload the new IDP metadata file in the Settings tab of the Administrator account, in the SSO module. For this, refer to this documentation: SSO Interconnection Configuration.
