Version 3 (old version of this page)

Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below, steps 1 through 4 are covered by the Shibboleth documentation.

  1. Install and configure the Shibboleth SP - configure the SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal - get it running on its own without Shib.
  3. Install and configure the Apache httpd server. Configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk).
  4. Configure the httpd server to protect the URI '/uPortal/Login'.
  5. Configure uPortal authentication - use the RemoteUserSecurityContext for (Shib) authentication.

Shibbolizing uPortal 3.1.1

For some reason, every time I (Gary) hit https:/.../uPortal now in a fresh new browser, it logs in via Shib, even though only /uPortal/Login is Shib'd. I think it should only be hitting /uPortal/Login when the user clicks on the link.

For support with Shibboleth setup and getting REMOTE_USER header populated, please work with your local SP and IdP admins and/or use the shibboleth-users list.

  • If using Tomcat, be sure to set the attribute tomcatAuthentication="false" on the AJP connector in Tomcat's server.xml. Otherwise, REMOTE_USER may not be passed in.
  • In security.properties, James said to add:
    root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    
    To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, you can comment out root and other existing root.* and use RemoteUserSecurityContextFactory as root like:
    ## This is the factory that supplies the concrete authentication class
    #root=org.jasig.portal.security.provider.UnionSecurityContextFactory
    #root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
    #root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
    root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    
  • In userContext.xml, James said to remove:
        <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />
    
    and add
       <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
    
  • James said to modify CLogin/html.xsl (apache-tomcat-6.0.18/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl). You'll want to make sure that the login link is similar to href="Login" (which, for example, goes to /uPortal/Login). Unless you know of a way to log out of both Shibboleth and uPortal, you might want to have the Logout link direct to a page you create that tells the user to close the browser completely to log out, but that solution might not be acceptable for all institutions. Here is an example of the section in html.xsl that should change:
                <!-- This is a modification of the uP 3.1.1 CLogin/html.xsl code. I left a lot of the CAS stuff, which is not necessary, as Shib is used for authN. -->
                <xsl:when test="$casLoginUrl!= ''">
                  <div id="portalCASLogin" class="fl-widget-content">
                    <a id="portalCASLoginLink" href="Login" title="Sign In">
                      <span>Sign In <span class="via-cas">with Shibboleth</span></span>
                    </a>
                    <p>New user? <a id="portalCASLoginNewLink" href="...link to URL with information on how to get a user id that works with Shib..." title="New User">Start here</a>.</p>
                  </div>
                </xsl:when>
    
  • Install/setup Shibboleth if you haven't already.
  • Configure Shibboleth or mod_shib to protect /uPortal/Login, and restart it (and Apache if using mod_shib and its config changed).
  • Be sure that REMOTE_USER is being populated with the desired username. To verify that REMOTE_USER is getting passed from Shibboleth, you can look at the HTTP headers coming from the Shibboleth SP. For example, you may choose to have Shibboleth guard this small PHP script (thanks to David Eisinger) that shows the HTTP request headers. If you aren't getting REMOTE_USER, talk to your SP/IdP admin or mail the shibboleth-users list to get assistance:
    <pre><?php print_r(apache_request_headers()); ?></pre>
    
  • Restart uPortal.
  • If you login with a user that is not already in the database, you may see the "Welcome Unrecognized person: (some id)" at the top of the page.
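
As an added example (not part of this page or of uPortal), the Python below checks constructed samples of the two configuration edits described above: that the AJP connector in server.xml carries tomcatAuthentication="false", and that security.properties has root set to RemoteUserSecurityContextFactory with no other root.* factory left active. The file contents embedded here are constructed samples, not copies of a real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragment of Tomcat's server.xml.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
</Service></Server>"""

# Constructed sample of uPortal's security.properties after the edit above.
SECURITY_PROPERTIES = """## This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
"""

REMOTE_USER_FACTORY = "org.jasig.portal.security.provider.RemoteUserSecurityContextFactory"

def ajp_connectors_passing_remote_user(server_xml):
    """Ports of AJP connectors with tomcatAuthentication="false".
    The attribute defaults to true, and then Tomcat ignores the REMOTE_USER
    that httpd/mod_jk forwards, so the portal never sees the Shib identity."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")
            and c.get("tomcatAuthentication", "true").lower() == "false"]

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def security_context_is_remote_user_only(props_text):
    """True when root is the RemoteUser factory and no root.* sub-context
    (e.g. a CAS or simple factory) has been left enabled."""
    props = parse_properties(props_text)
    if props.get("root") != REMOTE_USER_FACTORY:
        return False
    return not any(k.startswith("root.") for k in props)

if __name__ == "__main__":
    print(ajp_connectors_passing_remote_user(SERVER_XML))   # ['8009']
    print(security_context_is_remote_user_only(SECURITY_PROPERTIES))  # True
```

Point the two functions at your real server.xml and security.properties contents to confirm both edits before restarting uPortal.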
