Overview

Integration with the new Delegated SAML Authentication library required the Web Proxy Portlet to be updated to httpclient 4.0-beta2; support for delegated authentication with Shibboleth comes with the Web Proxy Portlet from version 1.1.1 on. This integration involved significant refactoring of the Web Proxy Portlet's proxying implementation, as well as an update to its state persistence API. All work performed as part of the httpclient upgrade has been contributed to the trunk of the public project (currently available in the Jasig repository at https://www.ja-sig.org/svn/portlets/WebproxyPortlet/trunk).

In order to perform the Shibboleth integration itself, a new subclass of HttpManagerImpl has been created for the University of Chicago. This implementation is capable of constructing a new SAMLSession for the current portlet request and returning an HttpClient instance created by this SAMLSession for any portlet requiring SAML authentication.

While we anticipate eventually open-sourcing the new Shibboleth-enabling HttpManager implementation, this work will not be publicly available until the Delegated SAML library dependency is publicly available.

Modifying and Configuring the Web Proxy Portlet

The Delegated SAML Authentication library must be added as a dependency. To add it, put the following in the portlet's pom.xml file:

```xml
<dependency>
  <groupId>org.jasig.service</groupId>
  <artifactId>delegated-saml-authentication</artifactId>
  <version>1.0</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <artifactId>xml-apis</artifactId>
      <groupId>xml-apis</groupId>
    </exclusion>
  </exclusions>
</dependency>
```

The exclusion is meant to avoid getting two different versions of the excluded artifact.

Steps for updating the Web Proxy Portlet included with the uPortal EAR package

Step 1 - Updating the Web Proxy Portlet Version

In the pom.xml file, update the WebProxyPortlet.version line to specify 1.1.1:

```xml
<WebProxyPortlet.version>1.1.1</WebProxyPortlet.version>
```

Then modify the following dependency to add the exclusions section as shown:

```xml
<dependency>
  <groupId>nekohtml</groupId>
  <artifactId>nekohtml</artifactId>
  <version>0.9.5</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

As with the previous exclusion, this is meant to avoid getting duplicate versions of the same library.

Optionally, you may add the following plugin to build a portlet war file that can simply be dropped into Tomcat's webapps directory instead of using the "ant deployPortletApp" method. To add the pluto plugin, a couple of additions need to be made to pom.xml:

...

```xml
<properties>
  <pluto.version>1.1.7</pluto.version> <!-- Add this just before the dependencies section -->
</properties>

<!-- Add the following two plugins to the end of the plugins section -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-war-plugin</artifactId>
  <configuration>
    <webXml>${project.build.directory}/pluto-resources/web.xml</webXml>
  </configuration>
</plugin>

<plugin>
  <groupId>org.apache.pluto</groupId>
  <artifactId>maven-pluto-plugin</artifactId>
  <version>${pluto.version}</version>
  <executions>
    <execution>
      <phase>generate-resources</phase>
      <goals>
        <goal>assemble</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Step 2 - Enabling the Shibboleth Http Manager

Add the file uportal-portlets-overlay/WebProxyPortlet/src/main/webapp/WEB-INF/applicationContextOverrides.xml with the contents shown below. You'll need to set the spPrivateKey, spCertificate, and portalEntityID properties appropriately for your institution; the private key file must be readable by the account the portal runs as, and should not be readable by anyone else.

This override replaces the existing HttpManager bean in the Spring configuration with the new implementation and its Shibboleth-related parameters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
 | Override specific bean(s) from applicationContext.xml
 +-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd
    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">

    <bean id="HttpManagerBean" class="edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl" scope="prototype">
        <!-- This property and the one below are optional; together they provide client-side TLS authentication to the IdP -->
        <property name="spPrivateKey" value="/opt/shibboleth-sp/etc/shibboleth/sp-key.pem"/>
        <property name="spCertificate" value="/opt/shibboleth-sp/etc/shibboleth/sp-cert.pem"/>
        <!-- This property is required; replace the placeholder with your portal's SP entityID -->
        <property name="portalEntityID" value="https://my.example.com/shibboleth"/>
    </bean>
</beans>
```

...
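The following is an added example, not code from the Web Proxy Portlet or uPortal projects, that checks the results of Step 1 and Step 2 before you build: it parses a pom.xml and an applicationContextOverrides.xml and reports whether WebProxyPortlet.version is 1.1.1, whether both exclusions are present, whether the HttpManagerBean uses the Shibboleth-enabled class, whether portalEntityID is set to something other than the page's placeholder, and whether the optional spPrivateKey/spCertificate pair is either complete or absent. The sample documents inside it are constructed for this example, the function names and the PLACEHOLDER_ENTITY_ID constant are mine, and the pom check assumes the file it is given contains all three Step 1 edits.

```python
"""Sanity checks for the Step 1 pom.xml edits and the Step 2 Spring override.

Added example; not part of the Web Proxy Portlet or uPortal code base.
"""
import xml.etree.ElementTree as ET

HTTP_MANAGER_CLASS = "edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl"
# The entityID shown on the page is a placeholder; a real deployment must replace it.
PLACEHOLDER_ENTITY_ID = "https://my.example.com/shibboleth"

# artifactId -> (groupId, artifactId) that must be excluded so that only one
# copy of each XML parser library ends up on the classpath.
REQUIRED_EXCLUSIONS = {
    "delegated-saml-authentication": ("xml-apis", "xml-apis"),
    "nekohtml": ("xerces", "xercesImpl"),
}

# Constructed sample: a pom.xml carrying all of the Step 1 edits.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><WebProxyPortlet.version>1.1.1</WebProxyPortlet.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.jasig.service</groupId><artifactId>delegated-saml-authentication</artifactId>
      <version>1.0</version>
      <exclusions><exclusion><groupId>xml-apis</groupId><artifactId>xml-apis</artifactId></exclusion></exclusions>
    </dependency>
    <dependency>
      <groupId>nekohtml</groupId><artifactId>nekohtml</artifactId><version>0.9.5</version>
      <exclusions><exclusion><groupId>xerces</groupId><artifactId>xercesImpl</artifactId></exclusion></exclusions>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample: an override that still carries the placeholder entityID
# and only one half of the optional client-side TLS pair.
SAMPLE_OVERRIDE = """
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="HttpManagerBean"
        class="edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl"
        scope="prototype">
    <property name="spPrivateKey" value="/opt/shibboleth-sp/etc/shibboleth/sp-key.pem"/>
    <property name="portalEntityID" value="https://my.example.com/shibboleth"/>
  </bean>
</beans>
"""


def _parse(xml_text):
    """Parse XML and strip namespaces so tag lookups work with or without xmlns."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(parent, tag):
    child = parent.find(tag)
    return (child.text or "").strip() if child is not None else None


def check_pom(pom_xml):
    """Return the problems found in a pom.xml string (an empty list means OK)."""
    problems = []
    root = _parse(pom_xml)
    versions = [(el.text or "").strip() for el in root.iter("WebProxyPortlet.version")]
    version = versions[0] if versions else None
    if version != "1.1.1":
        problems.append("WebProxyPortlet.version is %r, expected '1.1.1'" % version)
    deps = {_text(d, "artifactId"): d for d in root.iter("dependency")}
    for artifact, wanted in REQUIRED_EXCLUSIONS.items():
        dep = deps.get(artifact)
        if dep is None:
            problems.append("dependency %s is missing" % artifact)
            continue
        excluded = {(_text(ex, "groupId"), _text(ex, "artifactId")) for ex in dep.iter("exclusion")}
        if wanted not in excluded:
            problems.append("%s does not exclude %s:%s" % ((artifact,) + wanted))
    return problems


def check_http_manager_override(beans_xml):
    """Return the problems found in applicationContextOverrides.xml (empty list means OK)."""
    problems = []
    root = _parse(beans_xml)
    bean = next((b for b in root.iter("bean") if b.get("id") == "HttpManagerBean"), None)
    if bean is None:
        return ['no bean with id="HttpManagerBean" found']
    if bean.get("class") != HTTP_MANAGER_CLASS:
        problems.append("HttpManagerBean class is %r, expected %s" % (bean.get("class"), HTTP_MANAGER_CLASS))
    props = {p.get("name"): (p.get("value") or "").strip() for p in bean.findall("property")}
    entity_id = props.get("portalEntityID", "")
    if not entity_id:
        problems.append("portalEntityID is required and must not be empty")
    elif entity_id == PLACEHOLDER_ENTITY_ID:
        problems.append("portalEntityID still carries the placeholder value %s" % entity_id)
    # Client-side TLS to the IdP is optional, but needs both the key and the certificate.
    if bool(props.get("spPrivateKey")) != bool(props.get("spCertificate")):
        problems.append("spPrivateKey and spCertificate must be set together to enable client-side TLS to the IdP")
    return problems


if __name__ == "__main__":
    for name, found in (("pom.xml", check_pom(SAMPLE_POM)),
                        ("applicationContextOverrides.xml", check_http_manager_override(SAMPLE_OVERRIDE))):
        print("%s: %s" % (name, "OK" if not found else "; ".join(found)))
```

Point `check_pom` and `check_http_manager_override` at the real files (read them with `open(...).read()`) after finishing the steps above; the sample override deliberately fails both the placeholder and the key/certificate-pair checks so you can see what a report looks like.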

Step 3 - Enable the SAML User Attributes

Copy the portlet.xml file from the release to uportal-portlets-overlay/WebProxyPortlet/src/main/webapp/WEB-INF/portlet.xml and add the following user attributes:

```xml
<user-attribute>
    <description>idpPublicKeys</description>
    <name>idpPublicKeys</name>
</user-attribute>

<user-attribute>
    <description>samlAssertion</description>
    <name>samlAssertion</name>
</user-attribute>
```

Optional - Modifying uPortal's Web Proxy Portlet CPD

To list Shibboleth as an authentication option in uPortal's administrative interface, add "SHIBBOLETH" as an option for the "PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType" parameter in uPortal's Web Proxy Portlet CPD. This file is located within uPortal at uportal-war/src/main/resources/edu/wisc/my/portlets/WebProxy/WebProxyPortlet.cpd; add <value>SHIBBOLETH</value> to the enumeration as shown:

```xml
<parameter modify="publish">
    <name>PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType</name>
    <label>Type of authentication (optional)</label>
    <type base="string" input="single-choice" display="drop-down">
        <restriction type="enumeration">
            <value></value>
            <value>SHIBBOLETH</value>
            <value>FORM</value>
            <value>BASIC</value>
            <value>NTLM</value>
        </restriction>
    </type>
    <defaultValue></defaultValue>
    <description>Select the type of authentication the web-based application requires.</description>
</parameter>
```