Kiteworks (Accellion) Integration Guide
This guide describes how to get Shibboleth 3.2.x working with Kiteworks (aka Accellion). The vendor currently has no documentation on this integration, so here is how I got it working.
Shibboleth IDP Configuration
In the code below:
Replace SPName with the name you provide within the Kiteworks UI (shown below).
----------
metadata-providers.xml
<!-- Loads the Kiteworks SP metadata from a local file. No signature filter is
     configured on this provider, so the file itself is the trust anchor for the
     SP's keys and endpoints: obtain it from the appliance over a trusted channel
     and keep it writable only by the IdP administrator. -->
<!-- failFastInitialization="false" lets the IdP start even if this file cannot
     be loaded; check the IdP log if logins to this SP fail. -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
                  xsi:type="FilesystemMetadataProvider"
                  id="SPName"
                  metadataFile="%{idp.home}/metadata/SPName.xml"
                  failFastInitialization="false"/>
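Note: metadata generated by the appliance carries an expiry. Be sure to remove the validUntil and cacheDuration entries from the metadata file, otherwise the IdP will stop accepting it once it expires. With those entries removed the file never ages out, so replace it by hand whenever the appliance's certificate or endpoints change.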
relying-party.xml
<!-- Per-SP override for Kiteworks. In a stock relying-party.xml this bean
     belongs inside the shibboleth.RelyingPartyOverrides list. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="SPName">
    <property name="profileConfigurations">
        <list>
            <!-- encryptAssertions="false" turns off XML encryption of the
                 assertion for this SP only. Confidentiality then rests on TLS,
                 and the assertion is readable in the user's browser on its way
                 to the SP.
                 NOTE(review): re-enable encryption if the appliance's metadata
                 carries an encryption key and it can decrypt assertions;
                 confirm with the vendor. -->
            <bean parent="SAML2.SSO" p:encryptAssertions="false"/>
        </list>
    </property>
</bean>
saml-nameid.xml
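<!-- Sends the user's mail attribute as the SAML2 NameID, in emailAddress
     format, only when the relying party is SPName. In a stock saml-nameid.xml
     this bean belongs inside the shibboleth.SAML2NameIDGenerators list. -->
<!-- NOTE(review): the SP presumably identifies accounts by this address, so
     mail should come from an authoritative source that users cannot edit
     themselves; verify against your directory. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }">
    <property name="activationCondition">
        <!-- c:candidate must match the relying-party name exactly, including
             case, or this generator never activates for the SP. -->
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="SPName"/>
    </property>
</bean>
attribute-filter.xml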
<!-- Attribute release for Kiteworks: this policy applies only when the
     requester is SPName, and mail is the only attribute it lists. -->
<AttributeFilterPolicy id="SPName">
    <!-- The OR wrapper holds a single Requester rule here. -->
    <PolicyRequirementRule xsi:type="OR">
        <Rule value="SPName" xsi:type="Requester"/>
    </PolicyRequirementRule>
    <!-- ANY permits every value of mail to be released to this requester. -->
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>