Shibboleth Overview
...
- Install and configure Shibboleth SP - configure SP to pass uid via REMOTE_USER to get it working faster.
- Install and configure uPortal - get it running on its own without Shib.
- Install and configure Apache httpd server. Configure httpd with Shib and validate that Shib can protect resource AND pass attributes. Also configure httpd to work with tomcat (mod_jk).
- Configure httpd server to protect uri '/uPortal/Login' to get the IDP's Login page
- Configure uPortal authentication - use the RemoteUserSecurityContext for (Shib) authentication
For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.
...
```xml
<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>
```
Step 4 - Login Link
No Guest Access
Configure the httpd server to protect uri '/uPortal/Login'
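The following httpd configuration is an added example (not taken from this wiki page or the uPortal project) showing how the overview steps fit together: mod_jk hands the uPortal context to Tomcat, mod_shib serves the SP handler, and only /uPortal/Login requires a Shibboleth session so REMOTE_USER is populated for the RemoteUserSecurityContext. The worker name, hostnames and the assumption that uid is mapped to REMOTE_USER in the SP's attribute-map.xml are illustrative.

```apache
# Added example (not from the wiki page): httpd in front of uPortal via
# mod_jk, with Shibboleth SP protecting only the login URI.
# The AJP worker name "uportal" is an assumption for illustration.

# Route only the portal context to Tomcat. /Shibboleth.sso must NOT be
# mounted here, otherwise Tomcat would swallow the SP handler requests.
JkMount /uPortal/* uportal

# The SP handler (session initiator, ACS, logout) is served by mod_shib.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Only /uPortal/Login demands a Shibboleth session, so guest users can still
# browse the rest of the portal. After SSO the SP sets REMOTE_USER from the
# attribute mapped in attribute-map.xml (uid here, as in the overview), and
# mod_jk forwards REMOTE_USER to Tomcat over AJP.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
```

For REMOTE_USER to reach uPortal, the Tomcat AJP connector must be configured with tomcatAuthentication="false"; otherwise Tomcat ignores the identity supplied by httpd and request.getRemoteUser() stays null.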
Guest and Authenticated Access
This step is only needed if you're using the uPortal rendered login link.
Modify files in uportal-war/src/main/resourceswebapp/layoutWEB-INF/themejsp/universalityInvoker/ components.xsl to change the Login and Logout UIs to something appropriate to your institution.
Optional: to remove the CAS login, delete the following:
```xml
<div id="portalCASLogin" class="fl-widget-content">
    <a id="portalCASLoginLink" class="button" href="{$EXTERNAL_LOGIN_URL}"
       title="{upMsg:getMessage('sign.in.via.cas', $USER_LANG)}">
        <span><xsl:value-of select="upMsg:getMessage('sign.in', $USER_LANG)"/><!-- <span class="via-cas"><xsl:value-of select="upMsg:getMessage('with.cas',$USER_LANG)"/></span>--></span>
    </a>
    <p>
        <xsl:value-of select="upMsg:getMessage('new.user.question', $USER_LANG)"/>
        <a id="portalCASLoginNewLink" href="{$CAS_NEW_USER_URL}" title="{upMsg:getMessage('create.new.portal.account', $USER_LANG)}">
            <xsl:value-of select="upMsg:getMessage('new.user', $USER_LANG)"/>
        </a>.
    </p>
</div>
```
Shibboleth only configuration
With Shibboleth configured as the only authentication system, you only need the user to reach '/uPortal/Login' by whatever method you prefer, e.g. a URL link, button or image. Guest users also go through /uPortal/Login. If you have guest access, you need to configure the 'Sign in' link in uPortal to go to the Shib login page and return to /uPortal. You can do this by changing the org.jasig.portal.channels.CLogin.CasLoginUrl property (which the Sign-in link uses by default) to something like the following, and configuring Apache to protect the URL /Shibboleth.sso/Login:
```properties
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
```
To use a different property name (e.g. so as not to suggest that CAS is being used), rename org.jasig.portal.channels.CLogin.CasLoginUrl and modify the files that reference it accordingly, e.g.:
```properties
org.jasig.portal.idp-login.IdpLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
```
```xml
<bean id="idpLoginUrl" class="java.lang.String">
    <constructor-arg value="${org.jasig.portal.idp-login.IdpLoginUrl}"/>
</bean>
```
```jsp
<a id="portalLoginLink" class="btn" title="<spring:message code="sign.in"/>" href="${idpLoginUrl}"><spring:message code="sign.in"/></a>
```
Optional: to delete the 'New User' link, remove the link from the login.jsp page.
Multiple Authentication Systems configuration
With multiple authentication systems, you will need to design a login template that lets users select the authentication system they want to log in with. To initiate a Shibboleth session, you will need to construct a Shibboleth WAYF login URL; for example, the format for our school's WAYF is https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin
...