
USC was the first university to integrate Shibboleth with uPortal (2005). Kent University also integrated with Shibboleth about a year ago (2007), using work done by SPIE. Unfortunately, SPIE's development site is no longer available.

At USC, Shibboleth and uPortal integration involved developing a custom authentication module, an off-shoot of uPortal's remote-user authentication module. However, using uPortal's remote-user security context provider is sufficient by itself.

There is another potential use of Shibboleth: attribute release. Shibboleth could supply user attributes for portal attributes (i.e. uid, mail, display name) and portal groups. James Hong at USC once had this working with a further customized authentication module and uPortal's PAGS (person attribute group store).

In short, Shibboleth integration into uPortal is trivial. The most difficult part is configuring your Shibboleth (IdP/SP) system.

Here are the steps (skipping a lot of detail):

  1. Install and configure the Shibboleth SP. Configure the SP to pass uid via REMOTE_USER to get it working faster.
  2. Install and configure uPortal; get it running on its own without Shib.
  3. Install and configure the Apache httpd server. Configure httpd with Shib and validate that Shib can protect a resource AND pass attributes. Also configure httpd to work with Tomcat (mod_jk).
  4. Configure uPortal authentication: use the RemoteUserSecurityContext for (Shib) authentication.
  5. Configure the httpd server to protect the URI '/uPortal/Login'.

For questions you can contact me at jkhong@usc.edu

Shibbolizing uPortal 3.1.1

For some reason, every time I (Gary) hit https:/.../uPortal now in a fresh new browser, it logs in via Shib, even though only /uPortal/Login is Shib'd. I think it should only be hitting /uPortal/Login when the user clicks on the link.

For support with Shibboleth setup and getting REMOTE_USER header populated, please work with your local SP and IdP admins and/or use the shibboleth-users list.

  • If using Tomcat, be sure to set the attribute tomcatAuthentication="false" in the AJP connector in tomcat's server.xml. Otherwise, REMOTE_USER may not be passed in.
  • In security.properties, James said to add:
    root.remote=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    
    To ensure the Shibbolized uPortal instance has no chance of using anything but Shibboleth for authN, comment out root and the other existing root.* entries and use RemoteUserSecurityContextFactory as root, like:
    ## This is the factory that supplies the concrete authentication class
    #root=org.jasig.portal.security.provider.UnionSecurityContextFactory
    #root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
    #root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
    root=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
    
  • In userContext.xml, James said to remove:
        <bean id="personManager" class="org.jasig.portal.security.provider.SimplePersonManager" />
    
    and add
       <bean id="personManager" class="org.jasig.portal.security.provider.RemoteUserPersonManager" />
    
  • James said to modify CLogin/html.xsl (apache-tomcat-6.0.18/webapps/uPortal/WEB-INF/classes/org/jasig/portal/channels/CLogin/html.xsl). Make sure that the login link is similar to href="Login" (which, for example, goes to /uPortal/Login). Unless you know of a way to log out of both Shibboleth and uPortal, you might want the Logout link to direct to a page you create that tells the user to close the browser completely to log out, though that solution might not be acceptable for all institutions. Here is an example of the section in html.xsl that should change:
                <!-- This is a modification of the uP 3.1.1 CLogin/html.xsl code. I left a lot of the CAS stuff, which is not necessary, as Shib is used for authN. -->
                <xsl:when test="$casLoginUrl != ''">
                  <div id="portalCASLogin" class="fl-widget-content">
                    <a id="portalCASLoginLink" href="Login" title="Sign In">
                      <span>Sign In <span class="via-cas">with Shibboleth</span></span>
                    </a>
                    <p>New user? <a id="portalCASLoginNewLink" href="...link to URL with information on how to get a user id that works with Shib..." title="New User">Start here</a>.</p>
                  </div>
                </xsl:when>
    
  • Install/setup Shibboleth if you haven't already.
  • Configure Shibboleth or mod_shib to protect /uPortal/Login, and restart it (and apache if using mod_shib and its config changed).
  • Be sure that REMOTE_USER is being populated with the desired username. To verify that REMOTE_USER is getting passed from Shibboleth, you can look at the HTTP headers coming from the Shibboleth SP. For example, you may choose to have Shibboleth guard this small PHP script (thanks to David Eisinger) that shows the request headers. If you aren't getting REMOTE_USER, talk to your SP/IdP admin or mail the shibboleth-users list to get assistance:
    <pre><?php print_r(apache_request_headers()); ?></pre>
    
  • Restart uPortal.
  • If you log in with a user that is not already in the database, you may see "Welcome Unrecognized person: (some id)" at the top of the page.
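Putting the httpd side of steps 1, 3 and 5 above and the mod_shib bullet together, here is an added example httpd configuration. It is not from the original page or the uPortal project; the mod_jk worker name ajp13, the Shibboleth SP 2.x directive syntax and the attribute names in the commented-out section are assumptions you would replace with your own values.

```apache
# Added example (not from the original page). Assumes mod_shib (Shibboleth
# SP 2.x) and mod_jk are loaded, and that a mod_jk worker named "ajp13"
# points at the Tomcat AJP connector that has tomcatAuthentication="false".

# Hand everything under /uPortal to Tomcat over AJP. mod_jk forwards the
# authenticated remote user along with the request.
JkMount /uPortal/* ajp13

# Only the login URI is Shibboleth-protected. A request here without an
# SP session is redirected to the IdP; afterwards the SP sets REMOTE_USER
# from whichever attribute your shibboleth2.xml maps to it, and uPortal's
# remote-user provider reads it as the container's remote user.
<Location /uPortal/Login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# Optional, for the attribute-release / PAGS use described earlier:
# export additional released attributes to Tomcat as request attributes.
# Left commented out; the ids must match your attribute-map.xml.
#<Location /uPortal/Login>
#    JkEnvVar mail ""
#    JkEnvVar displayName ""
#</Location>
```

Because tomcatAuthentication="false" makes Tomcat accept whatever remote user arrives on the AJP connection, the AJP port must be reachable only from this httpd instance (for example, bind the connector with address="127.0.0.1" in server.xml and firewall the port), and /uPortal/Login must not be reachable through a direct Tomcat HTTP connector that bypasses mod_shib; otherwise anyone who can reach Tomcat directly could present an arbitrary username.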
