Overview

Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below, steps 1 through 4 are covered by the Shibboleth documentation.

  1. Install and configure the Shibboleth SP - configure the SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal - get it running on its own without Shib.
  3. Install and configure the Apache httpd server. Configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk).
  4. Configure the httpd server to protect the URI '/uPortal/Login'.
  5. Configure uPortal authentication - use the RemoteUserSecurityContext for (Shib) authentication.
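An httpd fragment covering steps 3 and 4, added here as an illustration and not taken from the page or from the uPortal/Shibboleth projects. It assumes mod_shib (Shibboleth SP 2.x) and mod_jk are already loaded, that the AJP worker defined in workers.properties is named ajp13, and that Tomcat's AJP connector is configured with tomcatAuthentication="false" so that the REMOTE_USER forwarded by mod_jk is what request.getRemoteUser() returns:

```apache
# Assumed worker name "ajp13"; everything under /uPortal is handed to Tomcat.
# The Shibboleth handler URL is deliberately NOT mounted, so mod_shib answers it.
JkMount /uPortal/* ajp13

<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Step 4: only the login URI requires a Shibboleth session. Guest pages stay
# reachable; the portal sees REMOTE_USER once the user has passed through here.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# Optional: expose attributes as HTTP headers as well as environment variables.
# Needed only if you verify attribute release with a header-dumping script;
# leave it Off once REMOTE_USER is confirmed, since mod_jk forwards REMOTE_USER
# through AJP without it.
ShibUseHeaders Off
```

After restarting httpd, a request to /uPortal/Login from a fresh browser should redirect to the IdP, and unprotected URIs under /uPortal should still load without a Shibboleth session.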

For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.

Shibbolizing uPortal 3.1.1

Note

For some reason, every time I (Gary) hit https:/.../uPortal now in a fresh new browser, it logs in via Shib, even though only /uPortal/Login is Shib'd. I think it should only be hitting /uPortal/Login when the user clicks on the link.

Note

For support with Shibboleth setup and getting REMOTE_USER header populated, please work with your local SP and IdP admins and/or use the shibboleth-users list.

...

Step 1 - Security Context

  • In uportal-impl/src/main/resources/properties/security.properties configure support for getting the username from the REMOTE_USER header.
    Code Block
    root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    

To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN,

...

comment out root and other existing root.* and use RemoteUserSecurityContextFactory as root like:

Code Block

## This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
#root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

...

Step 2 - Person Manager

  • In uportal-impl/src/main/resources/properties/contexts/userContext.xml replace the SimplePersonManager bean
    Code Block
        <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />
    
    with the RemoteUserPersonManager bean. Note that the bean id stays the same.
    Code Block
        <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
    

TODO

  • James said to modify CLogin/html.xsl (apache-tomcat-6.0.18/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl). You'll want to make sure that the login link is similar to href="Login" (which, for example, goes to /uPortal/Login). Unless you know of a way to log out of both Shibboleth and uPortal, you might want to have the Logout link direct to a page you create that tells the user to close the browser completely to log out, but that solution might not be acceptable for all institutions. Here is an example of the section in html.xsl that should change:
    Code Block
                <!-- This is a modification of the uP 3.1.1 CLogin/html.xsl code. I left a lot of the CAS stuff, which is not necessary, as Shib is used for authN. -->
                <xsl:when test="$casLoginUrl != ''">
                  <div id="portalCASLogin" class="fl-widget-content">
                    <a id="portalCASLoginLink" href="Login" title="Sign In">
                      <span>Sign In <span class="via-cas">with Shibboleth</span></span>
                    </a>
                    <p>New user? <a id="portalCASLoginNewLink" href="...link to URL with information on how to get a user id that works with Shib..." title="New User">Start here</a>.</p>
                  </div>
                </xsl:when>
    
  • Install/setup Shibboleth if you haven't already.
  • Configure Shibboleth or mod_shib to protect /uPortal/Login, and restart it (and apache if using mod_shib and its config changed).
  • Be sure that REMOTE_USER is being populated with the desired username. To verify that REMOTE_USER is getting passed from Shibboleth, you can look at the HTTP headers coming from the Shibboleth SP. For example, you may choose to have Shibboleth guard this small PHP script (thanks to David Eisinger) that shows the HTTP headers. If you aren't getting REMOTE_USER, talk to your SP/IdP admin or mail the shibboleth-users list to get assistance:
    Code Block
    <pre><?php print_r(apache_request_headers()); ?></pre>
    
  • Restart uPortal.
  • If you log in with a user that is not already in the database, you may see "Welcome Unrecognized person: (some id)" at the top of the page.

...