Setting up Shibboleth Authentication

Anna Gerber edited this page Dec 4, 2013 · 2 revisions

Deployment Plan

Set up a test deployment first, then duplicate for a production deployment. The AAF provides both a test and production federation.

It is a requirement that we use HTTPS, underpinned by a proper Certificate Authority. We'll have to get one for austese.net from AusCert.

The AAF Wiki SP Install Guide is written for RedHat systems; the notes here cover the alterations required for Ubuntu.

System information

  • Ubuntu 12.10
  • Shibboleth SP 2.4

Installation

Follow the AAF Guide to add a service record for AustESE, then proceed with a combination of the AAF instructions and Ubuntu specific instructions below.

Ubuntu Steps

sudo apt-get install libapache2-mod-shib2
cd /etc/shibboleth
sudo shib-keygen -h dev.austese.net

Add to /etc/apache2/apache2.conf:

ServerName dev.austese.net
UseCanonicalName On
AuthType Shibboleth
ShibRequireSession Off
ShibUseHeaders On
require shibboleth

Enable Apache Module

sudo a2enmod shib2

Add a RequestMapper section to /etc/shibboleth/shibboleth2.xml:

<RequestMapper type="Native">
    <RequestMap>
        <Host name="dev.austese.net">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
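Because the Apache block above sets ShibRequireSession Off, this RequestMap is what actually forces a login on /secure. The following is an added example, not code from the AustESE wiki or the Shibboleth project: a simplified Python model of how the Native RequestMapper resolves Host and nested Path settings, useful for checking which URLs on dev.austese.net will require a session. It assumes the sample XML embedded below and ignores scheme/port matching and PathRegex.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the RequestMapper section of the guide.
SHIB2_XML = """<RequestMapper type="Native">
    <RequestMap>
        <Host name="dev.austese.net">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>"""

# Settings tracked by this model, with the SP's defaults when nothing sets them.
SETTINGS = ("authType", "requireSession")
DEFAULTS = {"authType": None, "requireSession": "false"}

def _merge(elem, inherited):
    """Settings on elem override those inherited from enclosing elements."""
    merged = dict(inherited)
    merged.update({k: elem.get(k) for k in SETTINGS if elem.get(k) is not None})
    return merged

def resolve(xml_text, url):
    """Effective settings for url: match Host by name (case-insensitive),
    then walk nested Path elements one path segment at a time, stopping at
    the first segment with no matching Path. Scheme/port/PathRegex ignored."""
    request_map = ET.fromstring(xml_text).find("RequestMap")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    settings = _merge(request_map, DEFAULTS)
    node = next((h for h in request_map.findall("Host")
                 if h.get("name", "").lower() == host), None)
    if node is None:
        return settings  # unknown vhost: only RequestMap-level defaults apply
    settings = _merge(node, settings)
    for segment in (s for s in parts.path.split("/") if s):
        node = next((p for p in node.findall("Path") if p.get("name") == segment), None)
        if node is None:
            break
        settings = _merge(node, settings)
    return settings

def requires_session(xml_text, url):
    """True if the SP would force a session (login) before serving url."""
    return resolve(xml_text, url)["requireSession"] == "true"

if __name__ == "__main__":
    for u in ("https://dev.austese.net/", "https://dev.austese.net/secure/node/1"):
        print(u, "requires session:", requires_session(SHIB2_XML, u))
```

Note that paths such as /securex or a sibling directory do not inherit the /secure settings, so anything that must be protected needs its own Path entry or must live under /secure.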

Configure /etc/shibboleth/attribute-map.xml: add entries for commonName and mail.

<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>

Install the Drupal shib_auth module

Configure as follows:

Make sure that stylesheets and other assets fetched via HTTP still work when the site is served over HTTPS.

Add the following to the .htaccess file for Drupal:

# Dots in the host name are escaped so the pattern matches only dev.austese.net
# (and its subdomains), not look-alike hosts with any character in those positions.
SetEnvIf Origin "^http(s)?://(.+\.)?(dev\.austese\.net)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is