If SAML is already being used, the same EZproxy metadata can be used for the new IdP.
For the IdP's metadata, a retrieval URL works best if the IdP has one. This makes it easier if the metadata is ever updated, since it will automatically be updated in EZproxy. Otherwise, the metadata can only be provided in the file.
ShibbolethMetadata \
    -EntityID=EZproxyEntityID (matches what is set in the EZproxy metadata) \
    -File=MetadataFile (with metadata from the IdP) \
    -URL=URL to retrieve the IdP's metadata \
    -SignResponse=false -SignAssertion=true -EncryptAssertion=false \
    -Cert=EZproxyCertNumber (from the Manage SSL page in the admin screen for the certificate the EZproxy metadata is from)
The SignResponse/SignAssertion/EncryptAssertion line might need to be adjusted based on the IdP setup. The messages.txt should show how this needs to be adjusted.
::auth=test, Shibboleth
Group NULL
IDP20 EntityID for your SAML (must match exactly what is in the EntityID from the IdP's metadata)
/Shibboleth
To test, use a URL like https://your.ezproxy.url/login?auth=test
::Shibboleth
Group NULL
IDP20 EntityID for your SAML (must match exactly what is in the EntityID from the IdP's metadata)
/Shibboleth
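A check for the exact-match requirement above, as an added example (not OCLC's code): it reads the entityID from the IdP metadata and flags any IDP20 line in user.txt that does not match it exactly. The sample metadata, the idp.example.edu EntityID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not from a real IdP).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed user.txt: the test stanza carries a stray trailing slash.
SAMPLE_USER_TXT = """::auth=test, Shibboleth
Group NULL
IDP20 https://idp.example.edu/idp/shibboleth/
/Shibboleth
::Shibboleth
Group NULL
IDP20 https://idp.example.edu/idp/shibboleth
/Shibboleth
"""

def idp_entity_ids(metadata_xml):
    """Return the entityID of every EntityDescriptor that has an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    ids = set()
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ent.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            ids.add(ent.get("entityID"))
    return ids

def check_idp20_lines(user_txt, metadata_xml):
    """Return (line_no, value, hint) for each IDP20 value that is not an exact match."""
    known = idp_entity_ids(metadata_xml)
    problems = []
    for no, line in enumerate(user_txt.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts or parts[0] != "IDP20":
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        if value in known:
            continue
        near = sorted(k for k in known if k.rstrip("/").lower() == value.rstrip("/").lower())
        hint = f"differs only by case or trailing slash from {near[0]!r}" if near else "not in metadata"
        problems.append((no, value, hint))
    return problems

if __name__ == "__main__":
    for no, value, hint in check_idp20_lines(SAMPLE_USER_TXT, SAMPLE_METADATA):
        print(f"user.txt line {no}: {value!r} {hint}")
```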
shibuser.txt - at a minimum, a user ID needs to be set. Other mappings can be added if needed. This example uses NameID; this can be changed to how the user ID is being returned by the IdP:
Set login:loguser = auth:NameID
If a different SAML IdP is already in use and something in shibuser.txt should apply only to the new one, test auth:issuer against your SAML's EntityID to identify it. For example, this will turn on logging the SAML response in messages.txt for the specified IdP (but not any others):
If auth:issuer eq "EntityID for your SAML"; msgauth
To see how attributes are being returned from the IdP, go to Manage Shibboleth in the EZproxy admin page and use the tool to show attributes from this Identity Provider.
For hosted EZproxy systems, support will configure this for you. Contact OCLC Support.
For stand-alone EZproxy systems that need additional help, contact OCLC Support.