Overview

Skipping a lot of detail, here is an overview of the steps involved in using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below, steps 1 through 4 are covered by the Shibboleth documentation.

  1. Install and configure the Shibboleth SP. Configure the SP to pass the uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal. Get it running on its own without Shib.
  3. Install and configure the Apache httpd server. Configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk).
  4. Configure the httpd server to protect the URI '/uPortal/Login'.
  5. Configure uPortal authentication: use the RemoteUserSecurityContext for (Shib) authentication.
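The following httpd.conf fragment is an added example for steps 3 and 4; it is not from the original page or from the uPortal or Shibboleth projects. It assumes Shibboleth SP 2.x with mod_shib, a mod_jk worker named ajp13, and a platform-specific path to the mod_shib shared object (all three are assumptions).

```apache
# Added example, not from the original page. Assumes Shibboleth SP 2.x (mod_shib)
# and a mod_jk worker named "ajp13" defined in workers.properties.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so   # path varies by platform
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

# The SP's own handler (session initiator, SAML endpoints). It lives outside
# /uPortal/ so it is never forwarded to Tomcat.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Step 4: only the login URI forces a Shibboleth session. Apache's REMOTE_USER
# is filled from whatever attribute attribute-map.xml maps to REMOTE_USER
# (uid in step 1). "require valid-user" accepts any authenticated session; the
# portal does its own authorization.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# Step 3: everything under /uPortal/ goes to Tomcat over AJP. REMOTE_USER is
# carried inside the AJP request itself, so no extra header passing is needed.
# Unprotected portal URIs still pass through here without a login.
JkMount /uPortal/* ajp13
```

For request.getRemoteUser() (which RemoteUserSecurityContext reads) to see that value, the AJP connector in Tomcat's server.xml must carry tomcatAuthentication="false"; otherwise Tomcat ignores the user forwarded by httpd. With SP 2.x attributes are exposed as environment variables rather than HTTP headers unless ShibUseHeaders is turned on, so an Apache-side PHP check should read $_SERVER['REMOTE_USER'] as well as the request headers.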

For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.

Shibbolizing uPortal 3.1.1

Step 1 - Security Context

  • In uportal-impl/src/main/resources/properties/security.properties configure support for getting the username from the REMOTE_USER header.
    root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    

To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, comment out root and the other existing root.* entries and use RemoteUserSecurityContextFactory as root, like:

## This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
#root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

Step 2 - Person Manager

  • In uportal-impl/src/main/resources/properties/contexts/userContext.xml replace SimplePersonManager bean
        <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />
    
    with the RemoteUserPersonManager bean. Note that the bean id stays the same.
        <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
    

TODO

  • James said to modify CLogin/html.xsl (apache-tomcat-6.0.18/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl). You'll want to make sure that the login link is similar to href="Login" (which, for example, goes to /uPortal/Login). Unless you know of a way to log out of Shibboleth and uPortal, you might want to have the Logout link direct to a page you create that tells the user to close the browser completely to log out, but that solution might not be acceptable for all institutions. Here is an example of the section in html.xsl that should change:
                <!-- This is a modification of the uP 3.1.1 CLogin/html.xsl code. I left a lot of the CAS stuff, which is not necessary, as Shib is used for authN. -->
                <xsl:when test="$casLoginUrl != ''">
                  <div id="portalCASLogin" class="fl-widget-content">
                    <a id="portalCASLoginLink" href="Login" title="Sign In">
                      <span>Sign In <span class="via-cas">with Shibboleth</span></span>
                    </a>
                    <p>New user? <a id="portalCASLoginNewLink" href="...link to URL with information on how to get a user id that works with Shib..." title="New User">Start here</a>.</p>
                  </div>
                </xsl:when>
    
  • Install/setup Shibboleth if you haven't already.
  • Configure Shibboleth or mod_shib to protect /uPortal/Login, and restart it (and apache if using mod_shib and its config changed).
  • Be sure that REMOTE_USER is being populated with the desired username. To verify that REMOTE_USER is getting passed from Shibboleth, you can look at the HTTP headers coming from the Shibboleth SP. For example, you may choose to have Shibboleth guard this small PHP script (thanks to David Eisinger) that shows the HTTP headers. If you aren't getting REMOTE_USER, talk to your SP/IdP admin or mail the shibboleth-users list for assistance:
    <pre><?php print_r(apache_request_headers()); ?></pre>
    
  • Restart uPortal.
  • If you log in with a user that is not already in the database, you may see "Welcome Unrecognized person: (some id)" at the top of the page.
