
Shibboleth setup on 2.10.x

Emanuele Tajariol edited this page Jul 15, 2014 · 7 revisions

WORK IN PROGRESS

Use cases

Simple login

A guest user wants to authenticate.

  1. The "shibboleth" login link points to the shibboleth.login service.

  2. The browser requests the shibboleth.login service.

  3. Apache mod_shib intercepts the call, redirects the browser to the central authentication page, and then:

    3a. If the user is not yet authenticated, ask for credentials. If the credentials are OK, continue as in 3b; if they are not, return to the home page.

    3b. If the user is authenticated, call the shibboleth.login service on GN, passing the proper headers.

Automatic login

A user accesses a URL that requires authentication.

At the moment the user is brought to a page for user/pw authentication, with an optional button that redirects the user to the Shibboleth login page. However, if Shibboleth is enabled, the redirection to the Shibboleth login page should be automatic. Furthermore, once authenticated, the user should be automatically redirected to the requested protected URL.

Implementation

These are the involved files:

  • web/src/main/java/org/fao/geonet/services/login/ShibLogin.java
    Old login service, should be deprecated.
  • web/src/main/java/org/fao/geonet/kernel/security/shibboleth/ShibbolethPreAuthFilter.java
    A preauthorization filter that handles the shibboleth headers and GN login procedure.
  • web/src/main/webapp/WEB-INF/config-security-core.xml
  • web/src/main/webapp/WEB-INF/config.xml

TODO

  • externalize the shibboleth header names
  • read shibboleth headers only when requesting the shibboleth login service
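
The two TODO items above, sketched as an added example with the plain Servlet API (this is not GeoNetwork's ShibbolethPreAuthFilter, and it does not use the project's security configuration). The class name, the init-param names `loginPath` and `usernameHeader`, and the session attribute `shib.user` are hypothetical. It assumes the servlet container is reachable only through the Apache instance running mod_shib, since the filter trusts the header it is configured to read.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added sketch, not GeoNetwork's ShibbolethPreAuthFilter. All names are hypothetical. */
public class ShibHeaderLoginFilter implements Filter {
    private String loginPath;   // init-param "loginPath", the shibboleth.login service path
    private String userHeader;  // init-param "usernameHeader", the header set by mod_shib

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Header name and login path come from configuration, not from constants.
        loginPath = required(cfg, "loginPath");
        userHeader = required(cfg, "usernameHeader");
    }

    private static String required(FilterConfig cfg, String name) throws ServletException {
        String value = cfg.getInitParameter(name);
        if (value == null || value.trim().isEmpty()) {
            throw new ServletException("Missing filter init-param: " + name);
        }
        return value.trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String pathInfo = http.getPathInfo();
        String path = http.getServletPath() + (pathInfo == null ? "" : pathInfo);
        // Identity headers are read only on the login service; on every other
        // URL they are ignored, so they cannot change who the caller is.
        if (loginPath.equals(path)) {
            String user = http.getHeader(userHeader);
            if (user != null && !user.trim().isEmpty()) {
                HttpSession old = http.getSession(false);
                if (old != null) old.invalidate();  // new session id after login
                http.getSession(true).setAttribute("shib.user", user.trim());
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A request to the login path without the configured header is passed on unchanged and stays a guest request.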