SAManage

The general overview of the SAManage.com side is here: https://blog.samanage.com/company/saml-single-sign-on-support-samanage/

To configure Shibboleth to work with SAManage.com:

  • Configure your IdP to not encrypt assertions or NameIDs
  • Configure your IdP to release the user's email address as the NameID with a name format of
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

relying-party.xml

Both assertion encryption and NameID encryption must be disabled for this relying party. With encryption off, the confidentiality of the assertion in transit rests on TLS alone.

<!-- Per-relying-party override for SAManage: never encrypt assertions or NameIDs -->
<RelyingParty id="SAManage.com"
        provider="urn:mace:incommon:uchicago.edu"
        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

attribute-resolver.xml

<!-- Encodes the values of the "email" dependency (defined elsewhere in attribute-resolver.xml)
     as a SAML 2 NameID with the emailAddress format -->
<resolver:AttributeDefinition id="mailNameId" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="email" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
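One way to confirm both requirements against a base64 SAMLResponse captured from your own IdP login. This is an added example, not part of the original page or of Shibboleth or SAManage code; the function name and the sample responses are constructed for illustration, and it checks structure only, not signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(saml_response_b64):
    """Return a list of problems; an empty list means both requirements are met."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted (encryptAssertions is not 'never')")
    if root.find(".//saml:EncryptedID", NS) is not None:
        problems.append("NameID is encrypted (encryptNameIds is not 'never')")
    subjects = root.findall(".//saml:Assertion/saml:Subject", NS)
    if not subjects and not problems:
        problems.append("no plaintext assertion with a Subject found")
    for subject in subjects:
        name_id = subject.find("saml:NameID", NS)
        if name_id is None:
            # An EncryptedID was already reported above; only flag a truly empty Subject.
            if subject.find("saml:EncryptedID", NS) is None:
                problems.append("Subject carries no NameID")
            continue
        fmt = name_id.get("Format")
        if fmt != EMAIL_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
        value = (name_id.text or "").strip()
        if value.count("@") != 1 or value.startswith("@") or value.endswith("@"):
            problems.append(f"NameID value {value!r} is not an email address")
    return problems

def _sample(subject_child_xml):
    """Build a constructed, unsigned Response around the given Subject content."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:Subject>{subject_child_xml}</saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

# Constructed sample responses (not real IdP output).
GOOD = _sample(f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.edu</saml:NameID>')
TRANSIENT = _sample('<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:'
                    'nameid-format:transient">_abc123</saml:NameID>')
ENCRYPTED_ID = _sample('<saml:EncryptedID/>')
```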