Administration Guide : Set Up to Use SAML 2.0-based Single Sign On (SSO) for macOS : Configure SAML for Portal Sites (on macOS)

Configure SAML for Portal Sites (on macOS)
First you must set up the Xinet server to use SAML.See:
Remove the login.tmpl.html file
Move aside the login.tmpl.html file from the /Library/WebServer/Documents/<Portal Site>/templates folder. The name of the Portal site will vary depending on the name you chose when you created the Portal site.
For example:
> cd /Library/WebServer/Documents/Marquee/templates
> mv login.tmpl.html login.tmpl.html.orig
Rename SAML startup.php file
Replace the startup.php in the base folder of the site with the Xinet-provided SAML-startup.php file, which should already be present in the base folder. An example base site would look like /Library/WebServer/Documents/<Portal Site>.
For example,
> cp startup.php startup.php.orig
> cp SAML-startup.php startup.php
Rename SAML index.php file
Back up the existing index.php and replace it with the provided SAML-index.php, which should already be present in the base folder.
For example,
> cp index.php index.php.orig
> cp SAML-index.php index.php
Add CUSTOM_AUTH entries to
Edit in /Library/WebServer/Documents/<Portal Site>. Within the main <?php ... ?> tags, edit or add the following lines:
/* Enable Custom Authentication for SAML Support */
$CUSTOM_AUTH = true;
Install the file
Back up the existing, if it exists, and replace it with the provided, found in /usr/etc/portal/PORTAL/libs/.
For example,
> cp
> cp
Create Entity IDs for each Portal site
The entity IDs must be unique and we recommend only alphanumeric characters and the period. For example, in the Xinet Setup page we selected the following:
Update the Metadata on the IdP
The should have been run to create the entry for the Xinet server.
The saml20-sp-remote.php file is in /var/simplesamlphp/metadata/ on the IdP server. In it, copy the $metadata entry made for the Xinet Server earlier in this document and add it as a new entry. (If the $metadata entry is missing, your Xinet server may not yet be configured to use SAML; see the prerequisites at the beginning of this section.) You should now have two entries that are identical.
Edit the following lines in only the copied entry using your specific values for entity ID, Portal IP address or hostname, and Portal Site Name. All other lines remain unchanged.
The lines that need changes are the entity IDs in the first two lines, the 'Location' line under AssertionConsumerService, and the 'Location' line under SingleLogoutService:.
$metadata['<entity ID>'] = array (
'entityid' => '<entity ID>',
'contacts' =>
array (
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://<Portal Server IP Address or Hostname>/<Portal Site Name>/startup.php',
'index' => 0,
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://<Portal Server IP Address or Hostname>/<Portal Site Name>',
(Google IdP)
Google IdP requires the following information, shown in the images after.
Create Files Entry on the Xinet server
Edit the <Directory /usr/etc/webnative> section of /etc/httpd/conf/httpd.conf on the Xinet server. Make sure to edit so that you are using the values specific to your machine. The entries should follow this format and you will need to supply the Portal Site Name, entity ID, and the IP address or hostname of the Portal server:
<Files portal.<Portal Site Name>>
    MellonSPentityId "<entity ID>"
    MellonEndpointPath "/webnative/portal.<Portal Site Name>/mellon"
    MellonProxySAMLDest "http://<Portal Server IP Address or hostname>/<Portal Site Name>/startup.php"
So, for example a site called Marquee configuration would look like this:
<Files portal.Marquee>
    MellonSPentityId "xinet.PortalServer.Marquee"
    MellonEndpointPath "/webnative/portal.Marquee/mellon"
    MellonProxySAMLDest ""
Restart Apache
Finally, restart Apache on the Xinet server:
> apachectl restart