SSO Setup with Shibboleth
Learn how to configure SSO with Shibboleth as your SAML identity provider
Overview
Shibboleth can be configured as a SAML 2.0 identity provider, with Foundry acting as the service provider for single sign‑on.
This article highlights Shibboleth‑specific considerations that commonly affect Foundry SSO, including metadata handling and NameID configuration.
Add Shibboleth Metadata in Foundry
When adding your identity provider configuration in Foundry, you can supply Shibboleth metadata using either a metadata URL or an uploaded XML file.
Tip: If Foundry is unable to parse your identity provider’s metadata URL, upload the metadata as a file instead by selecting Upload XML Metadata.
Learn more: Set Up Your Identity Provider in Foundry.
NameIDFormat Requirements
Foundry’s service provider metadata includes the following NameIDFormat:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
By default, Shibboleth may issue a transient NameID when it encounters the unspecified format. Foundry does not support transient NameID values.
You must configure Shibboleth to send a non‑transient, persistent identifier that matches the value stored in the user’s SSO ID field in Foundry.
Common NameID choices include:
- Email address
- Student or employee ID
- Another persistent institutional identifier
Foundry does not require a specific NameID format, as long as the value is consistent and not transient.
Configuring a Preferred NameIDFormat (Example)
Some institutions override NameID behavior in Shibboleth using configuration files such as saml-nameid.xml and relying-party.xml.
A typical approach includes:
- Defining a NameID generator for the identifier you want to send (for example, employee ID or email)
- Adding a relying party override for your Foundry service provider entity ID
- Ensuring the same NameID format is referenced consistently across configurations
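The following configuration fragments are an added example, not taken from this article or from Foundry's own documentation, and show the three steps above for a Shibboleth IdP v3/v4-style Spring configuration. The Foundry entity ID is a placeholder, the source attribute ID (mail) and the choice of the emailAddress format are assumptions, and the attribute must already be resolved and released to the Foundry SP by attribute-filter.xml.

```xml
<!-- conf/saml-nameid.xml: add a generator that builds the NameID from a resolved
     attribute (assumption: an IdPAttribute with id "mail" exists and is released
     to the Foundry SP). Its value must equal the user's SSO ID field in Foundry. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Default generator kept for other relying parties. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Foundry-specific generator. The activation condition limits it to the
         Foundry entity ID so other service providers keep their current NameID. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'mail'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://FOUNDRY-SP-ENTITY-ID-PLACEHOLDER'} }" />
        </property>
    </bean>

</util:list>

<!-- conf/relying-party.xml: override for the Foundry SP. Because Foundry's SP
     metadata advertises only the "unspecified" format, the IdP has no preference
     and would pick the first generator (transient). nameIDFormatPrecedence forces
     the emailAddress format, which must match p:format on the generator above. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{ {'https://FOUNDRY-SP-ENTITY-ID-PLACEHOLDER'} }">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
            </list>
        </property>
    </bean>
</util:list>
```

After reloading the relying-party and NameID generation services, confirm in idp-process.log that the assertion issued to the Foundry entity ID carries a NameID with the emailAddress format rather than a transient value.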
Shibboleth implementations vary by institution. If you need additional guidance beyond these examples, consult your Shibboleth administrator or the Shibboleth community.
FAQ: SP‑Initiated SSO Error
Why does my institution see an error when users click the SSO login button in Foundry?
If learners see an immediate error on the institution’s login page stating that the request does not meet security requirements, this usually indicates a certificate or entity ID mismatch.
To resolve this:
- Confirm your identity provider has the correct Foundry signing certificate
- Verify the Foundry entity ID matches what is configured in Shibboleth
- Check for recent certificate changes that may require an update