Shibboleth (SSO) Integration


Shibboleth (SSO) Integration

Shibboleth can integrate with Kion as a single sign-on identity provider.


  • You must have access to edit Shibboleth configuration files.
  • You must have administrator-level access in Kion to create a new IDMS configuration.
  • We recommend installing a SAML tracing tool in your browser for troubleshooting. Being able to see the SAML elements being exchanged by both systems makes it easier to identify issues. For more information, see Tracing SAML Logins.

Configuring Kion

  1. Login to Kion as an administrator.
  2. Navigate to Users > Identity Management Systems.
  3. Click Add New.
  4. Select SAML 2.0 as the IDMS Type.
  5. Enter a name for the IDMS. Users see this name when selecting the IDMS on the Kion login page.
  6. Enter your Identity Provider Issuer (Entity ID). This is obtained from your Shibboleth IDP metadata. The ID is located in the XML as the entityID attribute of the EntityDescriptor tag.
  7. Copy the Service Provider Issuer (Entity ID) field to a text file. This will be needed while configuring Shibboleth.
  8. For the Assertion Mapping First Name, enter urn:oid:
  9. For the Assertion Mapping Last Name, enter last_name
  10. For the Assertion Mapping Email, enter urn:oid:0.9.2342.19200300.100.1.3
  11. For the Assertion Mapping Username, enter urn:oid:0.9.2342.19200300.100.11
  12. Click Create IDMS.
  13. On the IDMS details page, click the ellipsis menu and select Download Metadata. This downloads the Kion metadata for configuring Shibboleth.
  14. Locate the downloaded metadata file and rename it as kion.xml.

Configuring Shibboleth

  1. Store the kion.xml file in your metadata directory (%{idp.home}/metadata).
  2. Edit the metadata-providers.xml file and add:
    <MetadataProvider id="Kion"
    failFastInitialization="false" />
  3. Edit the attribute-filter.xml file and add the following, replacing the [SPID] with the Service Provider Issuer (Entity ID) you copied during the Kion configuration.
    <AttributeFilterPolicy id="Kion">
    	<PolicyRequirementRule xsi:type="Requester" value="[SPID]" />
    	<AttributeRule attributeID="Email">
    		<PermitValueRule xsi:type="ANY" />
    	<AttributeRule attributeID="last_name">
    		<PermitValueRule xsi:type="ANY" />
    	<AttributeRule attributeID="first_name">
    		<PermitValueRule xsi:type="ANY" />
    	<AttributeRule attributeID="uid">
    		<PermitValueRule xsi:type="ANY" />
    	<AttributeRule attributeID="ADmembership">
    		<PermitValueRule xsi:type="ANY" />
  4. Edit the relying-party.xml file and add the following, replacing the [SPID] with the Service Provider Issuer (Entity ID) you copied during the Kion configuration.
    <bean parent="RelyingPartyByName" c:relyingPartyIds="[SPID]">
    	<property name="profileConfigurations">
    			<bean parent="SAML2.SSO"


  1. Open an incognito session in your browser.
  2. Go to the login page for your instance of Kion.
  3. Click the button with the name of the IDMS you just created.
  4. Authenticate with Shibboleth to log in to Kion.

If you experience a failure during this process:

  • If you fail during the portion of the session where you authenticate with Shibboleth, troubleshoot the Shibboleth configuration. It's possible you may need to adjust additional relying party configuration variables for your Kion profile. For more information, see Shibboleth's article ProfileConfiguration-SAML.
  • If you fail during the portion of the session where you are redirected back to Kion, compare your Kion configuration to the one detailed above. If you are unable to resolve this problem, please reach out to Kion Support.