rConfig - SSO with Shibboleth

2 mins V7 Pro
Identity Provider | rConfig Version | Tested
Shibboleth | 7.1.0 | Yes

To set up Shibboleth SSO sign-in, you will need to configure your Identity Provider and rConfig. The steps below will guide you through the process.

2. Configure your Shibboleth Identity Provider

Create a new application for Shibboleth

Set up Shibboleth for a new application and download the metadata.xml file. The Harvard link below is an excellent resource for setting up the Shibboleth side for rConfig: https://www.iam.harvard.edu/resources/saml-shibboleth-integration

3. Upload the metadata.xml file

Upload your metadata.xml file to /var/www/html/rconfig/storage/saml/metadata.xml. This is the file that rConfig will use to authenticate users.

3.1. Create a symlink to the metadata.xml file in the public directory of rConfig. Run the following command:

ln -s /var/www/html/rconfig/storage/saml/metadata.xml /var/www/html/rconfig/public/metadata.xml

You will need to recreate this link after each update of rConfig, as it will be overwritten. Please write this into your internal documentation. You are welcome to host the XML file on another server, which rConfig can reference below.

3.2. Create a link to the metadata.xml file in the rConfig .env file. Edit the rConfig .env file, located at /var/www/html/rconfig7/current/.env, and add or edit the following lines:

SAML2_METADATA_URL='https://vega.rconfig.com/metadata.xml'
SAML2_SP_CERTIFICATE='/var/www/html/rconfig7/persistentdata/storage/saml2/sp-cert.pem'
SAML2_SP_PRIVATE_KEY='/var/www/html/rconfig7/persistentdata/storage/saml2/sp-key.pem'

Save the file, exit, and run the following command:

php artisan rconfig:clear-all
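
Because the symlink from step 3.1 is overwritten by every rConfig update, a check that can be re-run after each update is useful. The script below is an added example, not part of rConfig or of the original page: it verifies the symlink, the metadata file and the three .env settings from the steps above, and adds hardening checks on the metadata URL scheme and on the SP private key's permissions and location. The function names `env_value` and `check_saml_setup` are hypothetical, the default paths are the ones used on this page, and GNU coreutils (`readlink -f`, `stat -c`) are assumed.

```shell
# Added example, not rConfig's own tooling. Defaults are the paths used on this page.
# Assumes GNU coreutils (readlink -f, stat -c) as found on typical Linux hosts.

# Print the last value assigned to KEY ($2) in env file ($1), quotes stripped.
env_value() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "'\""
}

# Usage: check_saml_setup [metadata] [public-symlink] [env-file]; returns 0 if all checks pass.
check_saml_setup() {
    local meta="${1:-/var/www/html/rconfig/storage/saml/metadata.xml}"
    local link="${2:-/var/www/html/rconfig/public/metadata.xml}"
    local env_file="${3:-/var/www/html/rconfig7/current/.env}"
    local rc=0 key val pub

    # Step 3.1: the symlink is overwritten by updates, so confirm it still resolves to the file.
    if [ ! -L "$link" ] || [ "$(readlink -f "$link")" != "$(readlink -f "$meta")" ]; then
        echo "FAIL: $link is not a symlink to $meta"; rc=1
    fi
    # Step 3: SAML metadata always contains an EntityDescriptor element.
    grep -q 'EntityDescriptor' "$meta" 2>/dev/null \
        || { echo "FAIL: $meta is missing or is not SAML metadata"; rc=1; }

    # Step 3.2: all three settings must be present and non-empty.
    for key in SAML2_METADATA_URL SAML2_SP_CERTIFICATE SAML2_SP_PRIVATE_KEY; do
        [ -n "$(env_value "$env_file" "$key")" ] || { echo "FAIL: $key not set in $env_file"; rc=1; }
    done

    # Hardening check (added here): metadata fetched over plain HTTP can be altered in transit.
    case "$(env_value "$env_file" SAML2_METADATA_URL)" in
        https://*) ;;
        *) echo "FAIL: SAML2_METADATA_URL is not an https:// URL"; rc=1 ;;
    esac

    # Hardening checks (added here): the SP private key must exist, must not be
    # accessible to "other" users, and must not sit inside the web-served public directory.
    val=$(env_value "$env_file" SAML2_SP_PRIVATE_KEY)
    pub=$(readlink -f "$(dirname "$link")")
    if [ ! -f "$val" ]; then
        echo "FAIL: private key file '$val' not found"; rc=1
    else
        case "$(stat -c %a "$val")" in *0) ;; *) echo "FAIL: $val is accessible to other users"; rc=1 ;; esac
        case "$(readlink -f "$val")" in "$pub"/*) echo "FAIL: $val is inside $pub"; rc=1 ;; esac
    fi
    return "$rc"
}
```

Calling `check_saml_setup` with no arguments checks the paths from this page; pass three paths to check a different layout.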

If everything is set up correctly, a new login button will appear on the login page. See the screenshot below.

Users are not automatically granted access to the application by default when they sign in using SSO. They will need to be approved before they can log in to rConfig. See the User Management section for more information. They will get the error below until they are approved by an admin. They will also need a role assigned to them to access the application.

SSO Login Error

Please check out our YouTube video on this topic.