SSO With Shibboleth
This guide explains how to configure Shibboleth as an OpenID Connect (OIDC) single sign-on (SSO) provider for StrongDM.
Steps
Create an application in Shibboleth
Use the redirect URI for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.
Sign in to your Shibboleth Identity Provider (IdP) admin console.
For Shibboleth IdP version 4 and higher, OIDC configuration is managed through the OIDC OP Extension.
Register a new OIDC client:
Redirect URI (US, default): https://app.strongdm.com/sso/callback
Redirect URI (UK): https://app.uk.strongdm.com/sso/callback
Redirect URI (EU): https://app.eu.strongdm.com/sso/callback
Grant type: Authorization Code
Response type: code
Scopes: openid email profile
Record the generated Client ID and Client Secret.
Configure the attribute release so that the ID Token or UserInfo endpoint includes:
email (required)
name (recommended)
groups (optional, for role mapping)
Configure in StrongDM
Log in to the StrongDM Admin UI.
Go to Settings > User Management > Single Sign-on.
Set Enable single sign-on? to Yes.
Choose Shibboleth from the Provider dropdown.
Enter the following information:
Single sign-on URL: Your Shibboleth IdP’s authorization endpoint. For example: https://idp.example.org/idp/profile/oidc/authorize
Client ID: Your client ID from Shibboleth
Client Secret: Your client secret from Shibboleth
(Optional) Configure additional settings as desired, and then Save.
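The following Python script is an added example, not StrongDM's or Shibboleth's own code. It turns the requirements of the two procedures above into a pre-flight check that can be run before the first login attempt: the redirect URI must exactly match the callback for the chosen control-plane region, the client must use the Authorization Code grant with the code response type, the released scopes must cover openid email profile, the ID Token or UserInfo claims must carry email (name recommended, groups optional), and the Single sign-on URL must be the IdP's authorization endpoint. It assumes the client registration is expressed in standard OIDC client-metadata fields (redirect_uris, grant_types, response_types, scope, client_secret); whether your Shibboleth deployment stores it in exactly that shape is an assumption. The sample registration, discovery document and claims are constructed placeholders.

```python
"""Pre-flight check for a Shibboleth OIDC client intended for StrongDM SSO.

Added example, not StrongDM or Shibboleth project code. The registration is
modelled as a dict in the standard OIDC client-metadata shape; that your
deployment stores it this way is an assumption.
"""

# StrongDM control-plane regions and their callback URIs (from the guide).
STRONGDM_CALLBACK = {
    "us": "https://app.strongdm.com/sso/callback",
    "uk": "https://app.uk.strongdm.com/sso/callback",
    "eu": "https://app.eu.strongdm.com/sso/callback",
}

REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_CLAIMS = {"email"}
RECOMMENDED_CLAIMS = {"name"}
OPTIONAL_CLAIMS = {"groups"}


def check_client_registration(client: dict, region: str = "us") -> list[str]:
    """Return a list of problems; an empty list means the client matches the guide."""
    problems = []
    expected_uri = STRONGDM_CALLBACK[region.lower()]
    uris = client.get("redirect_uris", [])
    # A compliant OP matches redirect URIs exactly: a different region host,
    # a trailing slash or an http scheme is rejected at login time.
    if expected_uri not in uris:
        problems.append(f"redirect_uris must contain {expected_uri}")
    for uri in uris:
        if not uri.startswith("https://"):
            problems.append(f"non-https redirect URI: {uri}")
    if "authorization_code" not in client.get("grant_types", []):
        problems.append("grant_types must include authorization_code")
    if "code" not in client.get("response_types", []):
        problems.append("response_types must include code")
    granted = set(client.get("scope", "").split())
    missing = REQUIRED_SCOPES - granted
    if missing:
        problems.append("scope is missing: " + " ".join(sorted(missing)))
    # StrongDM is a confidential client: it authenticates with the secret.
    if not client.get("client_secret"):
        problems.append("client_secret must be set for a confidential client")
    return problems


def check_released_claims(claims: dict) -> dict[str, list[str]]:
    """Classify which of the guide's attributes are absent from ID Token or UserInfo claims."""
    present = {k for k, v in claims.items() if v not in (None, "", [])}
    return {
        "missing_required": sorted(REQUIRED_CLAIMS - present),
        "missing_recommended": sorted(RECOMMENDED_CLAIMS - present),
        "missing_optional": sorted(OPTIONAL_CLAIMS - present),
    }


def authorization_endpoint(discovery: dict) -> str:
    """Pick the Single sign-on URL for the StrongDM form from an OIDC discovery document."""
    endpoint = discovery["authorization_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("authorization_endpoint must be https")
    return endpoint


# Constructed sample values; the credentials are placeholders, not real ones.
SAMPLE_CLIENT = {
    "client_id": "strongdm-placeholder-client-id",
    "client_secret": "strongdm-placeholder-client-secret",
    "redirect_uris": ["https://app.strongdm.com/sso/callback"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "scope": "openid email profile",
}

# Constructed misregistration: US callback on an EU tenant, and no email scope.
SAMPLE_BAD_CLIENT = dict(SAMPLE_CLIENT, scope="openid profile")

# Constructed discovery document; the path mirrors the guide's example endpoint.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/idp/profile/oidc/authorize",
}

# Constructed claims as released by the IdP for one user (no groups attribute).
SAMPLE_CLAIMS = {"sub": "jdoe", "email": "jdoe@example.org", "name": "Jane Doe"}

if __name__ == "__main__":
    print(check_client_registration(SAMPLE_CLIENT, "us"))
    print(check_client_registration(SAMPLE_BAD_CLIENT, "eu"))
    print(check_released_claims(SAMPLE_CLAIMS))
    print(authorization_endpoint(SAMPLE_DISCOVERY))
```

Running the script reports an empty problem list for the correct US registration, flags the wrong callback host and missing email scope for the EU case, and shows that only the optional groups claim is absent from the sample user, which matters only if role mapping is wanted.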