Comment: update outdated and broken links

Shibboleth Overview

Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below, steps 1 through 4 are covered by the Shibboleth Documentation. Step 5 is the only uPortal-specific part and is described below.

  1. Install and configure the Shibboleth SP. Configure the SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal. Get it running on its own without Shib.
  3. Install and configure the Apache httpd server. Configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk). Configure the Shib SP to pass attributes in HTTP headers.
  4. Configure the httpd server to protect the URI '/uPortal/Login' to get the IdP's login page.
  5. Configure uPortal authentication. Use the RemoteUserSecurityContext for (Shib) authentication.

For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.

Shibbolizing uPortal

Step 1 - Security Context

...

Code Block
<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>

No Guest Access

Configure the httpd server to protect uri '/uPortal/Login'

Guest and Authenticated Access

This step is only needed if you're using the uPortal rendered login link.

Modify files in uportal-war/src/main/resourceswebapp/layoutWEB-INF/themejsp/universalityInvoker/ components.xsl to change the Login and Logout UIs to something appropriate to your institution.

Optional, to delete CAS login, remove:

Code Block
<div id="portalCASLogin" class="fl-widget-content">

<a id="portalCASLoginLink" class="button" href="{$EXTERNAL_LOGIN_URL}" title=
"{upMsg:getMessage('sign.in.via.cas', $USER_LANG)}">
<span><xsl:value-of select="upMsg:getMessage('sign.in', $USER_LANG)"/><!--&#160;<span class="via-cas"><xsl:value-of select="upMsg:getMessage('with.cas',$USER_LANG)"/></span>--></span>
</a>


<p>
<xsl:value-of select="upMsg:getMessage('new.user.question', $USER_LANG)"/>&#160;
<a id="portalCASLoginNewLink" href="{$CAS_NEW_USER_URL}" title="{upMsg:getMessage('create.new.portal.account', $USER_LANG)}">
<xsl:value-of select="upMsg:getMessage('new.user', $USER_LANG)"/>
</a>.
</p>


</div>

 

Shibboleth only configuration

With Shibboleth configured as the only authentication system, you only need the user to click on '/uPortal/Login' through any method you prefer, e.g. URL link, button, image, etc. Guest users go through /uPortal/Login also. If you have guest access, you need to configure the 'Sign in' link in uPortal to go to the Shib login page and return to /uPortal. You can do this by changing the org.jasig.portal.channels.CLogin.CasLoginUrl property (which the Sign-in link uses by default) to something like the following and configuring Apache to protect the URL /Shibboleth.sso/Login:

Code Block
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

To use a different property name (for example, so as not to suggest that CAS is being used), change the property name from org.jasig.portal.channels.CLogin.CasLoginUrl to something else and modify the files accordingly, e.g.:

Code Block: src/main/resources/properties/security.properties
org.jasig.portal.idp-login.IdpLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

Code Block: src/main/resources/properties/contexts/securityContext.xml
<bean id="idpLoginUrl" class="java.lang.String">
    <constructor-arg value="${org.jasig.portal.idp-login.IdpLoginUrl}"/>
</bean>

Code Block: src/main/webapp/WEB-INF/jsp/Invoker/login.jsp
<a id="portalLoginLink" class="btn" title="<spring:message code="sign.in"/>" href="${idpLoginUrl}"><spring:message code="sign.in"/></a>

Optional: to delete the 'New User' link, remove the link from the login.jsp page.

Multiple Authentication Systems configuration

With multiple authentication systems, you will need to design a login template that allows users to select a specific authentication system to log in with. To initiate a Shibboleth session, you will need to construct a Shibboleth WAYF login URL. For example, the format for our school's WAYF is: https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin
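The following is an added example, not part of the original page or of uPortal: it builds the `/Shibboleth.sso/Login?target=...` and WAYF login URLs described above with a percent-encoded target, and refuses any target that would not return the user to the portal login URI. The host names come from the example URL in the text; `SP_BASE`, `ALLOWED_NETLOCS`, `is_allowed_target` and `shib_login_url` are hypothetical names chosen for illustration.

```python
from urllib.parse import quote, urlsplit

# Assumed deployment values, modelled on the example URL in the text above.
SP_BASE = "https://host.school.edu"        # httpd host running the Shibboleth SP
ALLOWED_NETLOCS = {"host.school.edu"}      # hosts a login is allowed to return to
PORTAL_LOGIN_PATH = "/uPortal/Login"       # the URI httpd protects for uPortal


def is_allowed_target(target: str) -> bool:
    """True only for an absolute http(s) URL to the portal login URI on an allowed host."""
    # Backslashes, whitespace and control characters are read differently by
    # browsers and by urlsplit, so refuse them before parsing.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    return (
        parts.scheme in ("http", "https")
        # Comparing the whole netloc also rejects userinfo ("user@host") and ports.
        and parts.netloc.lower() in ALLOWED_NETLOCS
        and parts.path == PORTAL_LOGIN_PATH
        and not parts.fragment
    )


def shib_login_url(target: str, handler: str = "/Shibboleth.sso/Login") -> str:
    """Build the SP login URL with a percent-encoded target parameter."""
    if not is_allowed_target(target):
        raise ValueError(f"refusing login target: {target!r}")
    # safe="" encodes ":" and "/" too, matching the encoded form shown in the text.
    return f"{SP_BASE}{handler}?target={quote(target, safe='')}"


if __name__ == "__main__":
    portal = "http://host.school.edu/uPortal/Login"
    print(shib_login_url(portal))
    print(shib_login_url(portal, "/Shibboleth.sso/WAYF/shibboleth.school.edu"))
    # Constructed inputs that must be refused.
    for bad in ("http://host.school.edu@other.example/uPortal/Login",
                "//other.example/uPortal/Login",
                "http://host.school.edu/uPortal/../manager"):
        print(bad, "->", is_allowed_target(bad))
```

A login template that offers several authentication systems can call `shib_login_url` once per Shibboleth handler and emit the results as link targets.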

...

Additional References

Having problems with these instructions?

Please send us feedback at uportal-user@apereo.org