Comment: Migrated to Confluence 5.3

USC was the first university to integrate Shibboleth with uPortal (2005). Kent University also integrated with Shibboleth about a year ago (2007). Kent used work done by SPIE. Unfortunately, SPIE's development site is no longer available.

At USC, Shibboleth and uPortal integration involved developing a custom authentication module, an offshoot of uPortal's remote user authentication module. However, using uPortal's remote user security context provider is sufficient by itself.

There is another potential use of Shibboleth: attribute release. Shibboleth could provide user attributes for portal attributes (i.e. uid, mail, display name) and portal groups. James Hong at USC once had this working with a further customized authentication module and uPortal's PAGS (person attribute group store).

In short, Shibboleth integration into uPortal is trivial. The most difficult part is configuring your Shibboleth (IdP/SP) system.


Overview

Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below, steps 1 through 4 are covered by the Shibboleth documentation. Step 5 is the only uPortal-specific part and is described below.

  1. Install and configure the Shibboleth SP - configure the SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal - get it running on its own without Shib.
  3. Install and configure the Apache httpd server - configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk).
  4. Configure uPortal authentication - use the RemoteUserSecurityContext for (Shib) authentication.
  5. Configure the httpd server to protect the URI '/uPortal/Login'.

For questions you can contact me at jkhong@usc.edu

Shibbolizing uPortal 3.1.1

Note

For some reason, every time I (Gary) hit https:/.../uPortal now in a fresh new browser, it logs in via Shib, even though only /uPortal/Login is Shib'd. I think it should only be hitting /uPortal/Login when the user clicks on the link.

For Shibboleth IdP or httpd-server-related questions, please contact the shibboleth-users list.

Shibbolizing uPortal

Step 1 - Security Context

Configure uPortal to get the username from the REMOTE_USER header.

In uportal-impl/src/main/resources/properties/security.properties add the property:

Code Block

root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, comment out root and the other existing root.* entries and use RemoteUserSecurityContextFactory as root, like:

Code Block

## This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
#root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

Step 2 - Person Manager

Configure uPortal to create users on demand based on the REMOTE_USER header.

In uportal-impl/src/main/resources/properties/contexts/userContext.xml replace the SimplePersonManager bean

Code Block

<bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />


with the RemoteUserPersonManager bean. Note that the bean id stays the same.

Code Block

<bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />

Step 3 - Person Attributes

Configure uPortal to populate the user's attributes based on the headers passed from Shibboleth.

In pom.xml update the line:

Code Block

<person-directory.version>1.5.0-RC3</person-directory.version>

To

Code Block

<person-directory.version>1.5.0-RC8</person-directory.version>

In uportal-impl/src/main/resources/properties/contexts/personDirectoryContext.xml add the following beans:

Code Block

<!-- 
 | Servlet filter that creates an attribute for the serverName
 +-->
<bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
    <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
    <property name="usernameAttribute" value="remoteUser" />
    <property name="remoteUserAttribute" value="remoteUser" />
    <property name="serverNameAttribute" value="serverName" />
    <property name="processingPosition" value="BOTH" />
    <property name="headerAttributeMapping">
        <map>
            <!-- MODIFY THESE MAPPINGS TO EXPOSE HEADERS FROM SHIB AS USER ATTRIBUTES -->
            <!-- one header may populate several attributes: cn becomes both cn and displayName -->
            <entry key="cn">
                <list>
                    <value>cn</value>
                    <value>displayName</value>
                </list>
            </entry>
            <entry key="givenName" value="givenName" />
        </map>
    </property>
</bean>

<!-- 
 | Session-scoped descriptors object. One of these will exist for each user in their session. It will store the
 | attributes from the request set by the requestAttributeSourceFilter
 +-->
<bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors">
    <property name="delegateDescriptors">
        <list>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
                <aop:scoped-proxy />
            </bean>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
                <aop:scoped-proxy />
            </bean>
        </list>
    </property>
</bean>

The following PHP snippet dumps the request headers that httpd forwards; it is a quick way to check which header names to use as keys in headerAttributeMapping.

Code Block

<pre><?php print_r(apache_request_headers()); ?></pre>

In uportal-war/src/main/webapp/WEB-INF/web.xml add the following servlet filter and map it to the login URI:

Code Block

<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>

This step is only needed if you are using the uPortal-rendered login link.

Modify uportal-war/src/main/resources/org/jasig/portal/channels/CLogin/html.xsl to change the Login and Logout UIs to something appropriate to your institution.
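Step 5 of the overview (protect only /uPortal/Login with Shibboleth and hand the portal to Tomcat) is not spelled out above. The httpd fragment below is an added example, not configuration from the original page; it assumes Shibboleth SP 2.x (mod_shib) and mod_jk are loaded, a mod_jk worker named ajp13 (a placeholder name) is defined in workers.properties, and uPortal is deployed at /uPortal on Tomcat.

```apache
# Added example: httpd fragment for Step 5 (not from the original page).
# Assumptions: Shibboleth SP 2.x (mod_shib) and mod_jk are loaded, a worker
# named "ajp13" exists in workers.properties (placeholder name), and uPortal
# is deployed at /uPortal on Tomcat.

# Forward the whole portal to Tomcat over AJP.
JkMount /uPortal/* ajp13

# Export Shibboleth attributes as request headers in addition to environment
# variables, because mod_jk forwards headers (not env vars) to Tomcat. These
# headers (cn, givenName) are the keys read by headerAttributeMapping in
# personDirectoryContext.xml.
ShibUseHeaders On

# Only the login URI requires a Shibboleth session; the rest of /uPortal stays
# reachable without one, matching the "protect '/uPortal/Login'" step above.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# REMOTE_USER (populated from the SP's REMOTE_USER attribute, e.g. uid) reaches
# uPortal's RemoteUserSecurityContext only if Tomcat's AJP connector trusts
# httpd's authentication (tomcatAuthentication="false" on the connector in
# server.xml). Since uPortal then accepts REMOTE_USER and the mapped headers
# as-is, keep Tomcat's AJP and HTTP ports reachable only from this httpd.
```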
