For questions you can contact me at jkhong@usc.edu

Shibbolizing uPortal 3.1.1

Note

For some reason, every time I (Gary) hit https:/.../uPortal now in a fresh new browser, it logs in via Shib, even though only /uPortal/Login is Shib'd. I think it should only be hitting /uPortal/Login when the user clicks on the link.

Note

For support with Shibboleth setup and getting REMOTE_USER header populated, please work with your local SP and IdP admins and/or use the shibboleth-users list.

  • If using Tomcat, be sure to set the attribute tomcatAuthentication="false" in the AJP connector in tomcat's server.xml. Otherwise, REMOTE_USER may not be passed in.
  • In security.properties, James said to add:

    root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

    To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, you can comment out root and the other existing root.* entries and use RemoteUserSecurityContextFactory as root, like:

    ## This is the factory that supplies the concrete authentication class
    #root=org.jasig.portal.security.provider.UnionSecurityContextFactory
    #root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
    #root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
    root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

  • In userContext.xml, James said to remove:

    <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />

    and add:

    <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />

  • James said to modify CLogin/html.xsl (apache-tomcat-6.0.18/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl). Make sure the login link is similar to href="Login" (which, for example, goes to /uPortal/Login), since that is the path Shibboleth protects. Unless you know of a way to log out of both Shibboleth and uPortal, you might want to have the Logout link direct to a page you create that tells the user to close the browser completely to log out; that solution might not be acceptable for all institutions. Here is an example of the section in html.xsl that should change:

                <!-- This is a modification of the uP 3.1.1 CLogin/html.xsl code. I left a lot of the CAS stuff, which is not necessary, as Shib is used for authN. -->
                <xsl:when test="$casLoginUrl != ''">
                  <div id="portalCASLogin" class="fl-widget-content">
                    <a id="portalCASLoginLink" href="Login" title="Sign In">
                      <span>Sign In <span class="via-cas">with Shibboleth</span></span>
                    </a>
                    <p>New user? <a id="portalCASLoginNewLink" href="...link to URL with information on how to get a user id that works with Shib..." title="New User">Start here</a>.</p>
                  </div>
                </xsl:when>

  • Install/setup Shibboleth if you haven't already.
  • Configure Shibboleth or mod_shib to protect /uPortal/Login, and restart it (and Apache, if using mod_shib and its config changed).
  • Be sure that REMOTE_USER is being populated with the desired username. To verify REMOTE_USER is getting passed from Shibboleth, you can look at the HTTP headers coming from the Shibboleth SP. For example, you may choose to have Shibboleth guard this small PHP script (thanks to David Eisinger) that shows the request headers. If you aren't getting REMOTE_USER, talk to your SP/IdP admin or mail the shibboleth-users list to get assistance:

    <pre><?php print_r(apache_request_headers()); ?></pre>

  • Restart uPortal.
  • If you log in with a user that is not already in the database, you may see "Welcome Unrecognized person: (some id)" at the top of the page.
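Two of the settings above decide who uPortal will trust as the authenticated user: the AJP connector's tomcatAuthentication="false" (so REMOTE_USER from Apache is accepted) and the root.* factories in security.properties (so nothing but RemoteUserSecurityContextFactory can authenticate). The following is an added audit script, not part of this page or of uPortal, that checks both files against that intended state; the server.xml and security.properties text are constructed samples, and the loopback-binding check reflects an assumption that the AJP connector should be reachable only from the fronting Apache.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector set up as the page recommends.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             tomcatAuthentication="false" address="127.0.0.1"/>
</Service></Server>"""

# Constructed sample: security.properties with only RemoteUser active.
SECURITY_PROPERTIES = """## This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
"""

REMOTE_USER_FACTORY = "org.jasig.portal.security.provider.RemoteUserSecurityContextFactory"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumption: Apache is on the same host


def audit_ajp_connectors(server_xml):
    """Return (port, issues) for every AJP connector found in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        issues = []
        # Without tomcatAuthentication="false" Tomcat ignores REMOTE_USER from Apache.
        if conn.get("tomcatAuthentication", "true").lower() != "false":
            issues.append("tomcatAuthentication is not false")
        # Tomcat now trusts REMOTE_USER from this connector, so limit who can reach it.
        if conn.get("address", "0.0.0.0") not in LOOPBACK:
            issues.append("AJP connector not bound to loopback")
        findings.append((conn.get("port"), issues))
    return findings


def audit_security_properties(text):
    """Return the active root / root.* factories, skipping commented lines."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(root(?:\.\w+)?)\s*=\s*(\S+)", line)
        if m:
            active[m.group(1)] = m.group(2)
    return active


def remote_user_only(active):
    """True when RemoteUserSecurityContextFactory is the sole active root factory."""
    return active == {"root": REMOTE_USER_FACTORY}
```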
