Overview

Integration with the new Delegated SAML Authentication library required the Web Proxy Portlet to be updated to httpclient 4.0-beta2. This integration involved significant refactoring of the Web Proxy Portlet's proxying implementation, as well as an update to its state persistence API. All work performed as part of the httpclient upgrade has been contributed to the trunk of the public project (currently available in the Jasig repository at https://www.ja-sig.org/svn/portlets/WebproxyPortlet/trunk).

In order to perform the Shibboleth integration itself, a new subclass of HttpManagerImpl has been created for the University of Chicago. This implementation is capable of constructing a new SAMLSession for the current portlet request and returning an HttpClient instance created by this SAMLSession for any portlet requiring SAML authentication.

While we anticipate eventually open-sourcing the new Shibboleth-enabling HttpManager implementation, this work will not be publicly available until the Delegated SAML library dependency is publicly available.

Modifying and Configuring the Web Proxy Portlet

The Delegated SAML Authentication library must be added as a dependency. To do so, add the following to the dependencies section of the portlet's pom.xml file:

<dependency>
  <groupId>org.jasig.service</groupId>
  <artifactId>delegated-saml-authentication</artifactId>
  <version>1.0</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <artifactId>xml-apis</artifactId>
      <groupId>xml-apis</groupId>
    </exclusion>
  </exclusions>
</dependency>

The exclusion is meant to avoid getting two different versions of the excluded artifact.

Then modify the existing nekohtml dependency to add the exclusions section, as follows:

<dependency>
  <groupId>nekohtml</groupId>
  <artifactId>nekohtml</artifactId>
  <version>0.9.5</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </exclusion>
  </exclusions>
</dependency>

As with the previous exclusion, this is meant to avoid getting duplicate versions of the same library.

Optionally, you may add the following plugins so that the build produces a portlet WAR file that can simply be dropped into Tomcat's webapps directory instead of using the "ant deployPortletApp" method. To add the Pluto plugin, a couple of additions need to be made to pom.xml, as follows:

<properties>
  <pluto.version>1.1.7</pluto.version> <!-- Add this just before the dependencies section -->
</properties>

<!-- Add the following two plugins to the end of the plugins section -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-war-plugin</artifactId>
  <configuration>
    <webXml>${project.build.directory}/pluto-resources/web.xml</webXml>
  </configuration>
</plugin>

<plugin>
  <groupId>org.apache.pluto</groupId>
  <artifactId>maven-pluto-plugin</artifactId>
  <version>${pluto.version}</version>
  <executions>
    <execution>
      <phase>generate-resources</phase>
      <goals>
        <goal>assemble</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Next, the existing HttpManager bean in the Spring configuration should be updated to use this new implementation with the appropriate Shibboleth-related parameters.

<bean id="HttpManagerBean" class="edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl" scope="prototype">
  <property name="spPrivateKey" value="/etc/shibboleth/sp-key.pem"/>  <!-- This property and the one below are optional to provide client-side TLS authentication to the IdP -->
  <property name="spCertificate" value="/etc/shibboleth/sp-cert.pem"/>
  <property name="portalEntityID" value="https://canadaspis.uchicago.edu/shibboleth"/>  <!-- This property is required -->
</bean>
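
A pre-deployment check for the bean definition above, added here as an example and not part of the portlet or the Delegated SAML library. It verifies that portalEntityID is present, that spPrivateKey and spCertificate are set together, and that the key file is not accessible to group or other users; the context file path and the attribute order (name followed by value, as shown on this page) are assumptions.

```shell
#!/bin/sh
# Added example, not project code: sanity-check the ShibbolethEnabledHttpManagerImpl
# bean definition. Assumes name="..." is followed directly by value="..." as on this page.

# Print the value of the named <property> in a Spring context file (first match).
prop_value() {
    sed -n 's/.*name="'"$2"'"[[:space:]]*value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the key is a regular file with no group or other permission bits.
key_is_private() {
    if [ ! -f "$1" ]; then
        echo "spPrivateKey is missing or not a regular file: $1" >&2
        return 1
    fi
    # ls -L follows symlinks; characters 5-10 of the mode string are group+other bits.
    bits=$(ls -ldL "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "spPrivateKey is accessible beyond its owner ($bits): $1" >&2
        return 1
    fi
}

# Return 0 if the bean configuration passes every check, 1 otherwise.
audit_http_manager() {
    ctx=$1
    rc=0
    entity=$(prop_value "$ctx" portalEntityID)
    key=$(prop_value "$ctx" spPrivateKey)
    cert=$(prop_value "$ctx" spCertificate)
    if [ -z "$entity" ]; then
        echo "portalEntityID is required but not set" >&2
        rc=1
    fi
    # Client-side TLS needs both halves; exactly one being set is a misconfiguration.
    case "${key:+k}${cert:+c}" in
        k|c) echo "spPrivateKey and spCertificate must be set together" >&2; rc=1 ;;
    esac
    if [ -n "$key" ]; then
        key_is_private "$key" || rc=1
    fi
    return $rc
}

# Usage: audit_http_manager /path/to/applicationContext.xml   (path is hypothetical)
```

Run it as the account that owns the deployment so that the reported mode reflects what the Tomcat process will see.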

In order for the portlet to properly obtain UserInfo data from the portal, the following items must also be added to the Web Proxy Portlet's portlet.xml file:

    <user-attribute>
        <description>idpPublicKeys</description>
        <name>idpPublicKeys</name>
    </user-attribute>

    <user-attribute>
        <description>samlAssertion</description>
        <name>samlAssertion</name>
    </user-attribute>

Modifying uPortal's Web Proxy Portlet CPD

To list Shibboleth as an authentication option in uPortal's administrative interface, add "SHIBBOLETH" as an option for the "PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType" parameter in uPortal's Web Proxy Portlet CPD. This file is located within uPortal at uportal-war/src/main/resources/edu/wisc/my/portlets/WebProxy/WebProxyPortlet.cpd.

      <parameter modify="publish">
        <name>PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType</name>
        <label>Type of authentication (optional)</label>
        <type base="string" input="single-choice" display="drop-down">
          <restriction type="enumeration">
            <value></value>
            <value>SHIBBOLETH</value>
            <value>FORM</value>
            <value>BASIC</value>
            <value>NTLM</value>
          </restriction>
        </type>
        <defaultValue></defaultValue>
        <description>Select the type of authentication the web-based application requires.</description>
      </parameter>