Kion

This document provides references for integrating Shibboleth with Kion.

Background Information

You can find detailed, step-by-step instructions on how to integrate Shibboleth with Kion in the official integration guide from Kion.

An identity provider integration in Kion is called an IDMS (Identity Management System). Shibboleth integrates with Kion through the generic SAML2 IDMS profile.

Identity Provider Metadata

Identity Provider Metadata is consumed by Kion as part of the IDMS setup process. The entire XML document is pasted into the IDMS configuration field titled Identity Provider Metadata. On a Shibboleth IdP this document is generated at install time as metadata/idp-metadata.xml under the IdP home directory; it contains the signing certificate Kion uses to verify your IdP's signatures, so paste it unmodified.

Service Provider Metadata

Service Provider Metadata is made available in Kion after you have completed the configuration of the IDMS. You can only download this data while logged in to the platform, so the Shibboleth IdP cannot fetch it from a URL; you must download a copy and install it on the IdP.

To download the Service Provider Metadata, follow these steps:

  1. Navigate to Users > Identity Management Systems.

  2. Open the dots menu at the right end of the row for the IDMS associated with Shibboleth. In the menu, choose Download Metadata.
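Because the metadata can only be downloaded from an authenticated session, the IdP has to load it from a local file rather than from a URL. The following metadata provider entry, an added example rather than configuration from the Kion guide, assumes a Shibboleth IdP v4 layout and that you saved the downloaded file as metadata/kion-sp-metadata.xml under the IdP home (both the file name and the provider id are placeholders of this example):

```xml
<!-- conf/metadata-providers.xml (Shibboleth IdP v4 layout assumed).
     Added example, not from the Kion guide. Place this inside the
     top-level <MetadataProvider> chain of the file. The id and the
     file name are placeholders chosen for this example. -->
<MetadataProvider id="KionSP" xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/kion-sp-metadata.xml" />
```

A FilesystemMetadataProvider is re-read when the file changes, so repeating the download and overwriting the file is enough after you change the IDMS configuration in Kion; nothing else on the IdP references the file.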

Profile Requirements

The default configuration provided by the setup documentation has you disable assertion signing and assertion encryption. Encrypted assertions are supported by Kion, but that configuration has not been tested with Shibboleth at this time. Whatever you disable at the assertion level, the SAML response itself must still carry a signature that Kion can verify against the certificate in your Identity Provider Metadata; do not turn off signing altogether, or the response cannot be authenticated.
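A relying-party override that expresses these profile settings for Kion on a Shibboleth IdP v4 install, as an added example rather than the Kion guide's own configuration. The relyingPartyIds value is a placeholder; replace it with the entityID found in the Service Provider Metadata you downloaded from Kion:

```xml
<!-- conf/relying-party.xml (Shibboleth IdP v4 layout assumed).
     Added example, not from the Kion guide. Add the bean to the
     existing shibboleth.RelyingPartyOverrides list. The
     relyingPartyIds value is a placeholder: use the entityID from
     the Service Provider Metadata downloaded from Kion. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://kion.example.com/api/v2/saml/metadata">
        <property name="profileConfigurations">
            <list>
                <!-- Response signing stays on: this is the signature Kion
                     verifies. Assertion signing and encryption are off,
                     matching the untested-with-Shibboleth default. -->
                <bean parent="SAML2.SSO"
                      p:signResponses="true"
                      p:signAssertions="false"
                      p:encryptAssertions="false" />
            </list>
        </property>
    </bean>

</util:list>
```

Scoping the override to Kion's entityID keeps your default profile settings (and encryption, if you use it) for every other service provider. If you later test encrypted assertions with Kion, flip only encryptAssertions on this bean.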

Account Provisioning

Kion provisions new users on first login. Kion does not support SCIM at this time, so there is no push-based deprovisioning; plan to disable or remove departed users in Kion as part of your offboarding process rather than relying on the IdP alone.

User permissions are granted through User Group associations. The default configuration passes group membership in the ADmembership attribute. The example in the configuration documentation should yield a sufficient minimum configuration to get started.

NameID Requirements

NameID is not used by Kion at this time.

Attribute Requirements

You should plan to provide the following fields for each user at a minimum:

  • Email address

  • First Name

  • Last Name

  • Username/ID

The default configuration passes these fields as expected. The user's login name in Kion is the value of the Username/ID field, so that attribute must be stable and unique per user. In the example configuration, this is the uid attribute from Shibboleth.
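An attribute-filter policy that releases exactly these attributes, plus the ADmembership group attribute used for User Group associations, to Kion only. This is an added example on a Shibboleth IdP v4 layout and not the Kion guide's own configuration; it assumes attribute-resolver.xml already defines the IdP attributes mail, givenName, sn and uid (present in the default resolver) and ADmembership (your own definition), and the Requester value is a placeholder for the entityID from the Service Provider Metadata downloaded from Kion:

```xml
<!-- conf/attribute-filter.xml (Shibboleth IdP v4 layout assumed).
     Added example, not the Kion guide's own configuration. Assumes the
     resolver defines mail, givenName, sn, uid and ADmembership. The
     Requester value is a placeholder for Kion's entityID. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Scope the release to Kion's entityID. A PolicyRequirementRule of
         type ANY would hand the group list to every SP you federate with. -->
    <AttributeFilterPolicy id="releaseToKion">
        <PolicyRequirementRule xsi:type="Requester"
                               value="https://kion.example.com/api/v2/saml/metadata" />

        <!-- Username/ID: becomes the user's login name in Kion -->
        <AttributeRule attributeID="uid" permitAny="true" />
        <!-- Email address -->
        <AttributeRule attributeID="mail" permitAny="true" />
        <!-- First Name and Last Name -->
        <AttributeRule attributeID="givenName" permitAny="true" />
        <AttributeRule attributeID="sn" permitAny="true" />
        <!-- Group membership consumed by Kion's User Group associations -->
        <AttributeRule attributeID="ADmembership" permitAny="true" />
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The filter controls which IdP attributes are released; the SAML attribute Name each one is sent under comes from the encoder in attribute-resolver.xml, and those names must match what the Kion integration guide expects for each field. After changing the policy, run bin/aacli.sh against a test user with the Kion entityID as the requester to confirm that all five attributes are released and nothing more.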

Other Considerations

You can reconfigure the login experience so that Shibboleth is the default login option shown at the top of the login screen. This configuration is located under Settings > System Settings > Login. Change these values:

  • Select Default IDMS - choose your IDMS for Shibboleth from this box.

  • Prioritize SAML Login - set this to On.

Ensure that you Save the settings once you've made your changes.

You can require that all of your end users log in through Shibboleth, but there will always be a single administrative user in the Internal Directory IDMS that is kept for emergency recovery. Record this user's password in secure password storage, enable MFA for the account if possible, and treat any use of it as a reviewable event since it bypasses your IdP's controls.