Shibboleth Overview
Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is small and generally trivial. Steps 1 through 4 below are covered by the Shibboleth documentation; step 5 is the only uPortal-specific part and is described in the sections that follow.
1. Install and configure the Shibboleth SP. Configure the SP to pass the uid attribute as REMOTE_USER; this is the quickest way to get a working login.
2. Install and configure uPortal, and get it running on its own without Shib.
3. Install and configure the Apache httpd server. Configure httpd with the Shibboleth SP module and verify that Shib can both protect a resource and pass attributes. Also configure httpd to front Tomcat (mod_jk), and configure the SP to pass attributes as HTTP headers, since that is how attributes other than REMOTE_USER reach Tomcat. Because Tomcat then trusts REMOTE_USER and those headers without further checks, it must accept requests only from httpd: bind the AJP connector to localhost and disable or firewall Tomcat's direct HTTP connector, otherwise a client can connect to Tomcat directly and forge the headers.
4. Configure the httpd server to protect the URI '/uPortal/Login', so that requesting it sends the user to the IdP's login page.
5. Configure uPortal authentication to use the RemoteUserSecurityContext for (Shib) authentication.
For questions about the Shibboleth IdP or the httpd server, please contact the shibboleth-users list.
Shibbolizing uPortal
Step 1 - Security Context
...
```xml
<!-- web.xml: run the Spring-managed bean named requestAttributeSourceFilter on the
     login URL, so that the attributes the SP exposes on the request are captured
     when the user logs in -->
<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>
```
Step 4 - Login Link
No Guest Access
Configure the httpd server to protect the URI '/uPortal/Login' (require a Shibboleth session for it), so that an unauthenticated request for the login URL is redirected to the IdP and comes back with REMOTE_USER set.
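The following httpd configuration is an added example that ties together overview steps 3 and 4 and this step; it is not configuration from the original page or from the uPortal project. It assumes Shibboleth SP 2.x with Apache 2.2 directive syntax, a mod_jk worker named ajp13_worker (a name chosen here) that points at Tomcat's AJP connector on 127.0.0.1:8009, the module paths shown (adjust for your distribution), and a shibboleth2.xml that already exports the uid attribute as REMOTE_USER. It also shows the lazy-session default for /uPortal that the guest-access setup described later relies on.

```apache
# Added example: Shibboleth SP 2.x + mod_jk in front of uPortal (Apache 2.2 syntax).
# Assumptions (not from the page): module paths below, a mod_jk worker called
# "ajp13_worker" (type=ajp13, host=127.0.0.1, port=8009 in workers.properties),
# and shibboleth2.xml exporting uid as REMOTE_USER.

LoadModule jk_module  modules/mod_jk.so
LoadModule mod_shib   /usr/lib64/shibboleth/mod_shib_22.so

# mod_jk: everything under /uPortal is relayed to Tomcat over AJP.
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkMount /uPortal/* ajp13_worker

# The SP's own handlers (session initiator /Shibboleth.sso/Login, assertion
# consumer, logout, status) live under /Shibboleth.sso.  Apache must hand these
# to mod_shib, not to Tomcat.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Default for the whole portal: a "lazy" session.  If the browser already has a
# Shibboleth session its attributes are exported; if not, the request is still
# allowed through, so guest users can browse.  Attributes are exported as HTTP
# headers (ShibUseHeaders On) because they have to cross the AJP link to Tomcat;
# mod_jk carries REMOTE_USER and request headers, not Apache environment variables.
<Location /uPortal>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    ShibUseHeaders On
    require shibboleth
</Location>

# Step 4: the login URL always requires a session.  A request for /uPortal/Login
# with no session is redirected to the IdP through the SP's default
# SessionInitiator and returns with REMOTE_USER set, which uPortal's
# RemoteUserSecurityContext then trusts.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
</Location>

# What the trust in REMOTE_USER depends on (a deployment assumption Apache cannot
# enforce by itself): Tomcat's AJP connector is bound to 127.0.0.1 and its direct
# HTTP connector (port 8080) is disabled or firewalled, so the only way to reach
# uPortal is through this httpd.  Leave mod_shib's header spoof checking enabled
# (the default); it clears client-supplied copies of the headers it exports.
```

Verify the setup before pointing uPortal at it: a request for /uPortal/Login without a session must redirect to the IdP, and a request sent straight to Tomcat's connector with a hand-built REMOTE_USER header must be refused at the network level. On Apache 2.4 replace `require valid-user` with `Require shib-session` and `require shibboleth` with `Require shibboleth`.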
Guest and Authenticated Access
This step is only needed if you are using the uPortal-rendered login link.
Modify components.xsl in the universality theme (uportal-war/src/main/resources/layout/theme/universality/components.xsl) to change the Login and Logout UIs to something appropriate to your institution. In later uPortal versions the login link is rendered from the login JSP under uportal-war/src/main/webapp/WEB-INF/jsp/ instead; see the login.jsp note below.
Optional, to delete the CAS login, remove:
```xml
<div id="portalCASLogin" class="fl-widget-content">
    <a id="portalCASLoginLink" class="button" href="{$EXTERNAL_LOGIN_URL}" title=
        "{upMsg:getMessage('sign.in.via.cas', $USER_LANG)}">
        <span><xsl:value-of select="upMsg:getMessage('sign.in', $USER_LANG)"/><!-- <span class="via-cas"><xsl:value-of select="upMsg:getMessage('with.cas',$USER_LANG)"/></span>--></span>
    </a>
    <p>
        <xsl:value-of select="upMsg:getMessage('new.user.question', $USER_LANG)"/>
        <a id="portalCASLoginNewLink" href="{$CAS_NEW_USER_URL}" title="{upMsg:getMessage('create.new.portal.account', $USER_LANG)}">
            <xsl:value-of select="upMsg:getMessage('new.user', $USER_LANG)"/>
        </a>.
    </p>
</div>
```
Shibboleth only configuration
With Shibboleth configured as the only authentication system, you only need the user to request '/uPortal/Login' by whatever means you prefer (URL link, button, image, etc.). Guest users go through /uPortal/Login as well. If you offer guest access, configure uPortal's 'Sign in' link to go to the Shib login page and return to /uPortal/Login, which completes the uPortal login. You can do this by changing the org.jasig.portal.channels.CLogin.CasLoginUrl property (which the Sign-in link uses by default) to something like the following, and by making sure Apache hands /Shibboleth.sso to the SP handler (SetHandler shib) so that /Shibboleth.sso/Login starts a session. Percent-encode the target value if it can contain characters such as '&' or '?'; the WAYF example further down shows the encoded form.
```properties
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
```
To use a different property name (e.g. so the name does not suggest that CAS is in use), rename org.jasig.portal.channels.CLogin.CasLoginUrl and update the files that reference it accordingly, e.g.:
```properties
org.jasig.portal.idp-login.IdpLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
```
```xml
<!-- Spring bean exposing the renamed property to the login JSP -->
<bean id="idpLoginUrl" class="java.lang.String">
    <constructor-arg value="${org.jasig.portal.idp-login.IdpLoginUrl}"/>
</bean>
```
```jsp
<a id="portalLoginLink" class="btn" title="<spring:message code="sign.in"/>" href="${idpLoginUrl}"><spring:message code="sign.in"/></a>
```
Optional: to delete the 'New User' link, remove the link from the login.jsp page.
Multiple Authentication Systems configuration
With multiple authentication systems, you will need to design a login template that lets users select the authentication system they want to log in with. To initiate a Shibboleth session, construct a Shibboleth WAYF login URL; for example, the WAYF URL for one institution has the format https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin (note that the target URL is percent-encoded).
...
Additional References
Please send us feedback at uportal-user@apereo.org (the former uportal-user@lists.ja-sig.org list).