DNN SAML Single Sign-On (SSO) with Shibboleth as IDP
DNN SAML Single Sign-On (SSO) authentication provider gives the ability to enable SAML Single Sign-On for your DotNetNuke applications. Using Single Sign-On you can use only one password to access your DotNetNuke application and services. Our authentication provider is compatible with all the SAML-compliant identity providers. Here we will go through a step-by-step guide to configure Single Sign-On (SSO) between DotNetNuke and Microsoft Entra ID (formerly Azure AD) considering Azure AD as IDP.
Download and Install the authentication provider in DotNetNuke
- Download the package for DNN SAML Single Sign-On (SSO) authentication provider.
- Upload the installation package dnn-saml-single-sign-on_xxx_Install by going in Settings > Extension > Install Extension.
Steps to configure Azure ad Single Sign-On (SSO) Login into DotNetNuke
1. Add SAML Authentication Provider on DNN page
- Now under the Installed extensions tab select Authentication Systems.Here you can see the miniOrange DNN SAML Authentication Plugin.
- Just Click on the pencil icon as mentioned in the image below to configure the DNN SAML Authentication Provider.
- Now go to the site settings tab. Here you can see the DNN OAuth Authentication Provider Dashboard.
- Now go to the site settings tab. Here you can see the DNN SAML Authentication Provider Dashboard.
- You have finished with the Installation of the authentication provider on your DNN site.
2. Setup Shibboleth as Identity Provider
- Select your identity provider Shibboleth from the list shown below.
- There are two ways detailed below with which you can get the SAML SP metadata to configure onto your identity provider end.
- Under Service Provider Settings, you can find the metadata URL as well as the option to download the SAML metadata.
- Copy metadata URL or download the metadata file to configure the same on your identity provider end.
- You may refer to the screenshot below:
- Under the Service Provider Settings section, you can manually copy the service provider metadata like Base URL, SP Entity ID, ACS URL and share it with your identity provider for configuration.
- You may refer to the screenshot below:
-
In conf/idp.properties, uncomment and set 'idp.encryption.optional' to
true.
eg. idp.encryption.optional = true - In conf/metadata-providers.xml, configure Service Provider like this
- In conf/saml-nameid.properties, uncomment and set default NameID as Email Address like this
- In conf/saml-nameid-xml, search for shibboleth.SAML2NameIDGenerators. Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment all other ref beans
- Make sure you have defined AttributeDefinition in conf/attribute-resolver.xml.
- Make sure you have AttributeFilterPolicy defined in conf/attribute-filter.xml.
- Restart the Shibboleth server.
- You need to configure these endpoints in the miniOrange SAML plugin.
A] Using SAML metadata URL or metadata file:
B] Uploading metadata manually:
<MetadataProvider xmlns:samlmd="urn:oasis:
names:tc:SAML:2.0:metadata"
id="miniOrangeInLineEntity" xsi:type="InlineMetadata
Provider"
sortKey="1">
<samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID /
Issuer
from Service Provider Info tab in plugin.>"
validUntil="2020-09-06T04:13:32Z">
<samlmd:SPSSODescriptor AuthnRequests
Signed="false"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:
tc:SAML:2.0:protocol">
<samlmd:NameIDFormat>
urn:oasis:names:tc:SAML:
1.1:nameid-format:emailAddress
</samlmd:NameIDFormat>
<samlmd:AssertionConsumerService
Binding="urn:oasis:names:tc:
SAML:2.0:bindings:HTTP-POST"
Location="<ACS (AssertionConsumerService) URL from
Step1 of
the plugin under Identity Provider Tab.>"
index="1" />
</samlmd:SPSSODescriptor>
</samlmd:EntityDescriptor>
</MetadataProvider>
idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<!--<ref bean="shibboleth.SAML2TransientGenerator" /> -->
<!-->ref bean="shibboleth.SAML2PersistentGenerator" /> -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'email'} }" />
</util:list>
<!-- Note: AttributeDefinitionid must be same as what
you provided in
attributeSourceIds in conf/saml-nameid.xml -->
<resolver:AttributeDefinitionxsi:type="ad:Simple"
id="email"
sourceAttributeID="mail">
<resolver:Dependency ref="ldapConnector" />
<resolver:AttributeEncoderxsi:type="enc:SAML2String"
name="email"
friendlyName="email" />
</resolver:AttributeDefinition >
<resolver:DataConnector id="ldapConnector"
xsi:type="dc:LDAPDirectory"
ldapURL="%{idp.authn.LDAP.ldapURL}"
baseDN="%{idp.authn.LDAP.baseDN}"
principal="%{idp.authn.LDAP.bindDN}"
principalCredential="%{idp.authn.LDAP.bindDNCredential}">
<dc:FilterTemplate>
<!-- Define you User Search Filter here -->
<![CDATA[
(&(objectclass=*)
(cn=$requestContext.principalName)) ]]>
</dc:FilterTemplate>
<dc:ReturnAttributes>*</dc:ReturnAttributes>
</resolver:DataConnector>
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRulexsi:type="basic:ANY"/>
<afp:AttributeRuleattributeID="email">
<afp:PermitValueRulexsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
| IDP Entity ID | https://<your_domain>/idp/shibboleth |
| Single Login URL | https://<your_domain>/idp/profile/SAML2/Redirect/SSO |
| Single Logout URL | https://<your_domain>/idp/shibboleth |
| X.509 Certificate | The public key certificate of your Shibboleth server |
You have successfully configured Shibboleth as SAML IdP ( Identity Provider) for achieving Shibboleth SSO login into your DotNetNuke (DNN) Site.
3. Configure DNN SAML Authentication Provider as Service Provider
- For configuring application in the authentication provider, click on the Add new IdP button in the Identity Provider Settings tab.
- Select Shibboleth from the list. You can also search for your Identity Provider using the search box.
- Under the Service Provider Settings tab,download SP metadata as a XML document or copy the metadata url.
- Alternatively, copy and paste the SP Entity ID and ACS Url from the SP metadata Table to Shibboleth configuration page.
- To upload IdP's metadata, you can use the Upload IdP metadata button under the Identity Provider Settings tab, if you have the IdP metadata URL or the IdP metadata .xml file.
- Alternatively, you can copy the IDP Entity ID and Single Sign-On Url values from the IdP and fill them up under the Identity Provider Settings tab.
A] Select your Identity Provider
B] Configure your Identity Provider
C] Configure your Service Provider
4. Testing SAML SSO
- Click the Test Configuration button to verify if you have configured the plugin correctly.
- On successful configuration, you will get Attribute Name and Attribute Values in the Test Configuration window.
You can even configure the ASP.NET SAML Single Sign-On (SSO) module with any identity provider such as ADFS, Microsoft Entra ID (formerly Azure AD), Bitium, centrify, G Suite, JBoss Keycloak, Okta, OneLogin, Salesforce, AWS Cognito, OpenAM, Oracle, PingFederate, PingOne, RSA SecureID, Shibboleth-2, Shibboleth-3, SimpleSAML, WSO2 or even with your own custom identity provider. To check other identity providers, click here.
Additional Resources
- DNN SAML Single Sign-On (SSO)
- DNN OAuth Single Sign-On (SSO)
- ASP.NET SAML Single Sign-On (SSO)
- nopCommerce SAML Single Sign-On (SSO)
- Umbraco SAML Single Sign-On (SSO)
Need Help?
Not able to find your identity provider? Mail us on dnnsupport@xecurify.com and we'll help you set up SSO with your IDP and for quick guidance (via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
×
![ADFS_sso]()
Hello there!
Need Help? We are right here!
