Basic SAML setup in EZproxy
Symptom
- The full SAML authentication documentation covers every option; this simplified page offers only the basics needed to configure SAML authentication in EZproxy.
Applies to
- EZproxy
Resolution
If SAML is already in use in EZproxy, the same EZproxy metadata can be reused for the new IdP.
For the IdP's metadata, a retrieval URL works best if the IdP provides one: whenever the IdP's metadata changes, EZproxy retrieves the updated copy automatically. Otherwise, the metadata must be provided in a file.
- In config.txt, add a ShibbolethMetadata directive (a trailing backslash continues the directive on the next line):

ShibbolethMetadata \
    -EntityID=EZproxyEntityID \
    -File=MetadataFile \
    -URL=MetadataURL \
    -SignResponse=false -SignAssertion=true -EncryptAssertion=false \
    -Cert=EZproxyCertNumber

Where:
    EZproxyEntityID matches the EntityID set in the EZproxy metadata.
    MetadataFile is a file containing the metadata from the IdP; MetadataURL is the URL from which the IdP's metadata is retrieved. Use -URL when the IdP offers a retrieval URL, otherwise -File.
    EZproxyCertNumber is the certificate number shown on the Manage SSL page of the admin screen for the certificate the EZproxy metadata was generated from.
The -SignResponse/-SignAssertion/-EncryptAssertion line might need to be adjusted to match the IdP's setup. If a login fails because of a mismatch, messages.txt shows which of these settings needs to change.
- In user.txt, to test SAML while keeping your existing authentication for regular EZproxy use, add a separate test block. If another SAML IdP is already in use, place this block before the existing ::Shibboleth block:

::auth=test, Shibboleth
Group NULL
IDP20 IdPEntityID
/Shibboleth

IdPEntityID must match the EntityID in the IdP's SAML metadata.
To test, use a URL like https://your.ezproxy.url/login?auth=test
- When ready to switch to the new SAML IdP, update user.txt with this:

::Shibboleth
Group NULL
IDP20 IdPEntityID
/Shibboleth

IdPEntityID must match exactly the EntityID from the IdP's metadata.
- In shibuser.txt, at a minimum a user ID needs to be set. Other mappings can be added if needed. This example uses NameID; change it to match how the IdP returns the user ID:
Set login:loguser = auth:NameID
To see how attributes are being returned from the IdP, go to Manage Shibboleth in the EZproxy admin page and use the tool to show attributes from this Identity Provider.
For hosted EZproxy systems, support will configure this for you. Contact OCLC Support.
For stand-alone EZproxy systems that need additional help, contact OCLC Support.
