Shibboleth

Shibboleth Overview

Skipping a lot of detail here is an overview of the steps involved with using Shibboleth with uPortal. The uPortal configuration step is very small and generally trivial. In the list below steps 1 through 4 are covered by the Shibboleth Documentation. Step 5 is the only uPortal specific part and described below.

  1. Install and configure Shibboleth SP - configure SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal - get it running on its own without Shib.
  3. Install and configure Apache httpd server.  Configure httpd with Shib and validate that Shib can protect resource AND pass attributes.  Also configure httpd to work with tomcat (mod_jk).  Configure the Shib SP to pass attributes in HTTP Headers.
  4. Configure to get the IDP's Login page
  5. Configure uPortal authentication - use the RemoteUserSecurityContext for (Shib) authentication

For Shibboleth IdP or httpd server related questions please contact the shibboleth-users list.

Shibbolizing uPortal

Step 1 - Security Context

Configure uPortal to get the username from the REMOTE_USER header. Update the uportal-war/src/main/resources/properties/security.properties file:

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.clearpass.PasswordCachingCasAssertionSecurityContextFactory
root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory

Shibboleth only configuration

Optionally, to ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, comment out the root.simple context as well.

UnionSecurityContextFactory

WARNING – do not remove the line root=org.jasig.portal.security.provider.UnionSecurityContextFactory. The RemoteUserPersonManager expects the RemoteUserSecurityContext to be a child of the root, not the root itself.

Multiple Authentication Systems

To enable multiple authentication systems use UnionSecurityContextFactory as root. With multiple authentication systems, uPortal will attempt to authenticate the user to all systems until one is successful.

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory

Step 2 - Person Manager

Configure uPortal to create user's on demand based on the REMOTE_USER header.

In uportal-war/src/main/resources/properties/contexts/userContext.xml replace SimplePersonManager bean

<bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />

with the RemoteUserPersonManager bean. Note that the bean id stays the same.

<bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />

Step 3 - Person Attributes

Configure uPortal to populate user's attributes based on headers from Shibboleth.

In pom.xml update the line:

<person-directory.version>1.5.0-RC6</person-directory.version>

To

<person-directory.version>1.5.0-RC8</person-directory.version>

In uportal-war/src/main/resources/properties/contexts/personDirectoryContext.xml add the following beans

<!--
 | Servlet filter that creates an attribute for the serverName
 +-->
<bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
    <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
    <property name="usernameAttribute" value="remoteUser" />
    <property name="remoteUserAttribute" value="remoteUser" />
    <property name="serverNameAttribute" value="serverName" />
    <property name="processingPosition" value="BOTH" />
    <property name="headerAttributeMapping">
        <map>
            <!-- MODIFY THESE MAPPINGS TO EXPOSE HEADERS FROM SHIB AS USER ATTRIBUTES -->
            <entry key="cn">
                <list>
                    <value>cn</value>
                    <value>displayName</value>
                </list>
            </entry>
            <entry key="givenName" value="givenName" />
        </map>
    </property>
</bean>

<!--
 | Session-scoped descriptors object. One of these will exist for each user in their session. It will store the
 | attributes from the reques set by the requestAttributeSourceFilter
 +-->
<bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors">
    <property name="delegateDescriptors">
        <list>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
                <aop:scoped-proxy />
            </bean>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
                <aop:scoped-proxy />
            </bean>
        </list>
    </property>
</bean>

In uportal-war/src/main/webapp/WEB-INF/web.xml add the following servlet filter

<filter>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>requestAttributeSourceFilter</filter-name>
    <url-pattern>/Login</url-pattern>
</filter-mapping>

No Guest Access

Configure the httpd server to protect uri '/uPortal/Login'

Guest and Authenticated Access

This step is only needed if you're using the uPortal rendered login link.

Modify files in uportal-war/src/main/webapp/WEB-INF/jsp/Invoker/ to change the Login and Logout UIs to something appropriate to your institution.

Guest users go through /uPortal/Login also.  If you have a guest access, you need to configure the 'Sign in' link in uPortal to go to the Shib login page and return to /uPortal.  You can do this by changing the org.jasig.portal.channels.CLogin.CasLoginUrl property (which the Sign-in link uses by default) to something like the following and configure Apache to protect the URL /Shibboleth.sso/Login:

org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

To use a different property name; e.g. to not suggest that CAS is being used, change the property name from org.jasig.portal.channels.CLogin.CasLoginUrl to something else and modify files accordingly; e.g.:

src/main/resources/properties/security.properties
 org.jasig.portal.idp-login.IdpLoginUrl=${environment.build.uportal.protocol}://${environment.build.uportal.server}/Shibboleth.sso/Login?target=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
src/main/resources/properties/contexts/securityContext.xml
<bean id="idpLoginUrl" class="java.lang.String">
    <constructor-arg value="${org.jasig.portal.idp-login.IdpLoginUrl}"/>
</bean>
src/main/webapp/WEB-INF/jsp/Invoker/login.jsp
<a id="portalLoginLink" class="btn" title="<spring:message code="sign.in"/>" href="${idpLoginUrl}"><spring:message code="sign.in"/></a>

Optional: to delete the 'New User' link, remove the link from the login.jsp page.

Multiple Authentication Systems configuration

With multiple authentication systems, you will need to design a login template that will allow users to select a specific authentication system to login. To initiate a Shibboleth session, you will need to construct a Shibboleth WAYF login url, for example the format for our school's WAYF is - https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin

Another example repurposing the default CAS login and replacing it with a Shibboleth login.

<div id="portalCASLogin" class="fl-widget-content">

<a id="portalCASLoginLink" class="button" href="https://host.school.edu/Shibboleth.sso/WAYF/shibboleth.school.edu?target=http%3A%2F%2Fhost.school.edu%2FuPortal%2FLogin" title="Shibboleth Login">
<span>USC Login</span>
</a>

</div>

Having problems with these instructions?

Please send us feedback at uportal-user@apereo.org