Kion
This document provides references for integrating Shibboleth with Kion.
Background Information
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
An identity provider integration in Kion is considered an IDMS (Identity Management System). Shibboleth will integrate with Kion using the generic SAML2 IDMS profile.
Identity Provider Metadata
Identity Provider Metadata is consumed by Kion as part of the IDMS setup process. The entire XML document is pasted into the IDMS configuration field titled Identity Provider Metadata.
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
Service Provider Metadata
Service Provider Metadata is made available in Kion after you have completed the configuration of the IDMS. You can only download this data when you are logged-in to the platform.
To download the Service Provider Metadata, follow these steps:
Navigate to Users > Identity Management Systems.
Select the dots menu to the right on the line of the IDMS associated with Shibboleth. In the menu, choose Download Metadata.
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
Profile Requirements
The default configuration provided by the setup documentation has you disable signing and encrypted assertions. Encrypted assertions are supported by Kion but that configuration has not been tested with Shibboleth at this time.
NameID is not used by Kion at this time.
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
Accounting Provisioning
Kion provisions new users upon first-login. Kion does not support SCIM at this time.
User permissions are accomplished using User Group Associations. The default configuration provides for passing group assertions in the field ADmembership
. The example in the configuration documentation should yield a sufficient minimum configuration to get started.
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
NamedID Requirements
NameID is not used by Kion at this time.
Attribute Requirements
You should plan to provide the following fields for each user at a minimum:
Email address
First Name
Last Name
Username/ID
The default configuration provides for passing these fields over as expected. The user's login name in Kion will be the value of the Username/ID
field passed over. In the example configuration, this is the uid
value from Shibboleth.
You can find detailed, step-by-step instructions on how to integration Shibboleth with Kion in the official integration guide from Kion.
Other Considerations
You can reconfigure the login experience for users so that Shibboleth is the default login option shown at the top of the login screen. This configuration is located in the Settings > System Settings > Login screen. Change these values:
Select Default IDMS - choose your IDMS for Shibboleth from this box.
Prioritize SAML Login - set this to On.
Ensure that you Save the settings once you've made your changes.
While you can require that all of your end-users make use of Shibboleth for login, you will always have a single administrative user in the Internal Directory
IDMS that is used for emergency recovery purposes. Ensure that this user's password is recorded in secure password storage and enable MFA for this account if possible.