Shibboleth Overview

...

  1. Install and configure the Shibboleth SP. Configure the SP to expose the uid attribute as REMOTE_USER so that the basic flow works quickly.
  2. Install and configure uPortal, and get it running on its own without Shibboleth.
  3. Install and configure the Apache httpd server. Configure httpd with Shibboleth and verify that Shibboleth can both protect a resource AND pass attributes. Also configure httpd to front Tomcat (mod_jk).
  4. Configure httpd to protect the URI '/uPortal/Login', so that requesting it sends the user to the IdP's login page.
  5. Configure uPortal authentication to use the RemoteUserSecurityContext for (Shibboleth) authentication.
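The httpd configuration below ties steps 1, 3 and 4 together. It is an added example, not configuration from the original page or from the uPortal or Shibboleth projects. It assumes the Shibboleth SP 2.x Apache module, mod_jk with a worker named ajp13, and that the SP's shibboleth2.xml already maps the uid attribute and names it in the ApplicationDefaults REMOTE_USER setting; the hostnames, paths and attribute ids are illustrative.

```apache
# Added example, not from the original page. The worker name "ajp13", the file
# paths and the attribute ids (uid, eppn) are assumptions for illustration.

# The SP handler: /Shibboleth.sso/Login, /Shibboleth.sso/SAML2/POST and so on
# must reach mod_shib, not Tomcat, so keep it outside any JkMount.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Step 4: only the login URL demands a Shibboleth session, so guests can still
# browse /uPortal. A portal with no guest access would put the same block on
# /uPortal instead. On httpd 2.4, newer SP releases also accept
# "Require shib-session", which cannot be satisfied by another auth module.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# Keep attributes in environment variables, not HTTP headers (Off is the
# SP 2.x default). Header-based attributes are only as safe as every path into
# Tomcat passing through the SP; AJP request attributes cannot be supplied by
# the browser.
ShibUseHeaders Off

# Step 3: front Tomcat with mod_jk. REMOTE_USER is carried in the AJP request
# itself (Tomcat's AJP connector needs tomcatAuthentication="false" to honour
# it); any other Shibboleth attribute must be forwarded explicitly with
# JkEnvVar and then shows up as a servlet request attribute, which is what
# uPortal's requestAttributeSourceFilter reads.
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkMount /uPortal/* ajp13
JkEnvVar uid ""
JkEnvVar eppn ""
JkEnvVar Shib-Session-ID ""
```

After restarting httpd, a request to /uPortal/Login should redirect to the IdP, and on return Tomcat should see request.getRemoteUser() set to the uid. If it stays null, check the Tomcat side first: without tomcatAuthentication="false" on the AJP connector in server.xml, Tomcat ignores the REMOTE_USER that Apache sends.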

For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.

...

Code Block
languagexml
<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>

No Guest Access

Configure the httpd server to protect the URI '/uPortal/Login'.

Guest and Authenticated Access

This step is only needed if you're using the uPortal rendered login link.

Modify the Login and Logout UI to something appropriate to your institution. In the universality theme this lives in uportal-war/src/main/resources/layout/theme/universality/components.xsl; in newer uPortal builds it is uportal-war/src/main/webapp/WEB-INF/jsp/Invoker/login.jsp.

Optionally, to remove the CAS login link, delete the following block:

Code Block
languagehtml/xml
<div id="portalCASLogin" class="fl-widget-content">

<a id="portalCASLoginLink" class="button" href="{$EXTERNAL_LOGIN_URL}" title=
"{upMsg:getMessage('sign.in.via.cas', $USER_LANG)}">
<span><xsl:value-of select="upMsg:getMessage('sign.in', $USER_LANG)"/><!--&#160;<span class="via-cas"><xsl:value-of select="upMsg:getMessage('with.cas',$USER_LANG)"/></span>--></span>
</a>


<p>
<xsl:value-of select="upMsg:getMessage('new.user.question', $USER_LANG)"/>&#160;
<a id="portalCASLoginNewLink" href="{$CAS_NEW_USER_URL}" title="{upMsg:getMessage('create.new.portal.account', $USER_LANG)}">
<xsl:value-of select="upMsg:getMessage('new.user', $USER_LANG)"/>
</a>.
</p>


</div>


Shibboleth only configuration

With Shibboleth configured as the only authentication system, the user only needs to reach '/uPortal/Login' by whatever means you prefer, e.g. a URL link, button or image. Guest users go through /uPortal/Login as well. If you allow guest access, you need to configure the 'Sign in' link in uPortal to go to the Shibboleth login page and return to /uPortal. You can do this by changing the org.jasig.portal.channels.CLogin.CasLoginUrl property (which the Sign-in link uses by default) to something like the following, and by making sure Apache hands the URL /Shibboleth.sso/Login to the Shibboleth SP:

Code Block
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

To use a different property name, e.g. so as not to suggest that CAS is being used, rename org.jasig.portal.channels.CLogin.CasLoginUrl to something else and change the files that reference it accordingly, e.g.:

Code Block
languagebash
titlesrc/main/resources/properties/security.properties
org.jasig.portal.idp-login.IdpLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
Code Block
languagexml
titlesrc/main/resources/properties/contexts/securityContext.xml
<bean id="idpLoginUrl" class="java.lang.String">
    <constructor-arg value="${org.jasig.portal.idp-login.IdpLoginUrl}"/>
</bean>
Code Block
languagexml
titlesrc/main/webapp/WEB-INF/jsp/Invoker/login.jsp
<a id="portalLoginLink" class="btn" title="<spring:message code="sign.in"/>" href="${idpLoginUrl}"><spring:message code="sign.in"/></a>

Optional: to delete the 'New User' link, remove the link from the login.jsp page.

Multiple Authentication Systems configuration

With multiple authentication systems, you will need to design a login template that lets users choose which authentication system to log in with. To initiate a Shibboleth session, construct a Shibboleth WAYF login URL with the return URL percent-encoded in the target parameter; for example, our school's WAYF URL has the form https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin
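The httpd side of the mixed case is different from the Shibboleth-only case, and is shown below as an added example (not from the original page or from the uPortal project). It assumes the Shibboleth SP 2.x Apache module, the hostnames from the WAYF URL above, and an IdP entityID that is illustrative only.

```apache
# Added example for a portal with several authentication systems. The
# hostnames and the IdP entityID are assumptions for illustration.

# /uPortal/Login must NOT force a Shibboleth session, otherwise CAS and local
# users could never reach uPortal's own login. A lazy session
# (requireSession 0) lets every request through, but when a Shibboleth session
# does exist the SP still exports REMOTE_USER and the attributes, which is all
# uPortal's RemoteUserSecurityContext needs. "Require shibboleth" is the SP's
# rule for exactly this lazy-session case.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>

# The login template then starts the Shibboleth session explicitly; the target
# value must be percent-encoded. Two ways to build that link:
#   through the WAYF, as on this page:
#     https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin
#   straight to one IdP, using the SP 2.x Login handler's entityID parameter:
#     https://host.school.edu/Shibboleth.sso/Login?entityID=https%3A%2F%2Fidp.school.edu%2Fidp%2Fshibboleth&target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin
# CAS and local users keep going to /uPortal/Login directly, where the lazy
# session simply finds no Shibboleth session and uPortal falls through to the
# other security contexts.
```

Because target is a redirect chosen by whoever builds the link, generate it server-side rather than from user input, and where your SP version supports it, restrict the accepted values with the redirectLimit attribute on the Sessions element in shibboleth2.xml.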

...