Difference between revisions of "External (Shibboleth) Authentication"
Line 60: | Line 60: | ||
</pre> |
</pre> |
||
− | <li>global.conf: webwork main configuration file |
+ | <li>global.conf: webwork main configuration file (or localOverride.conf for newer version of WeBWorK):</li> |
+ | Change/Add the following to enable shibboleth authentication: |
||
+ | <pre> |
||
+ | $authen{user_module} = { |
||
+ | "*" => "WeBWorK::Authen::Shibboleth", |
||
+ | }; |
||
+ | </pre> |
||
+ | |||
+ | Add the following lines at the bottom and change the Shibboleth handler accordingly. |
||
<pre> |
<pre> |
||
$shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url; |
$shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url; |
||
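Review bot: The added "<li>global.conf: ... :</li>" line closes the list item before its content, so the "Change/Add the following" sentence, the $authen{user_module} block and the "Add the following lines at the bottom" text end up directly inside the <ol> instead of inside the global.conf step. Move the closing </li> to after the last <pre> block that belongs to this step. While editing that line, "for newer version of WeBWorK" should read "for newer versions of WeBWorK".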
Line 82: | Line 82: | ||
</pre> |
</pre> |
||
</ol> |
</ol> |
||
− | |||
== Credits == |
== Credits == |
Revision as of 18:46, 24 January 2014
This page gives instructions for enabling the Shibboleth authentication system for WeBWorK.
NOTES:
- The installation is based on Red Hat Enterprise Linux 5.7. The installation for your distribution may vary. Please see the installation guide on the Shibboleth website.
- The shibboleth2.xml is generated by the UBC IT Shibboleth configuration generation form. If you use the one distributed with the Shibboleth SP, you will need to modify it to fit your environment.
- WeBWorK is configured on the web root, instead of /webwork2. If your WeBWorK is under a path, you will need to modify the Shibboleth protection regular expression in shib.conf (step 2).
Install Shibboleth
- Install Shibboleth from repo

      cd /etc/yum.repos.d/
      sudo wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
      sudo yum install shibboleth

- Change configuration
  - httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.
  - httpd.conf: Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  - shibboleth2.xml: Copy shibboleth2.xml to /etc/shibboleth, or change/create the shibboleth2.xml there.
    - Under RequestMap, set up the host. Your applicationId is not necessarily the same as your hostname.

          <Host name="YOUR_WEBWORK_HOSTNAME"
                applicationId="YOUR_WEBWORK_HOSTNAME"
                authType="shibboleth"
                requireSession="true"
                exportAssertion="false"
                redirectToSSL="443">
          </Host>

    - Change the ApplicationDefaults or ApplicationOverride

          <ApplicationOverride id="YOUR_HOSTNAME"
                               entityID="https://YOUR_HOSTNAME/shibboleth-sp"
                               homeURL="YOUR_WEBWORK_HOME_URL"
                               REMOTE_USER="eppn" />

  - Meta file and attribute map: Copy the IdP meta file and/or attribute map into /etc/shibboleth
  - webwork.apache2-config: exempt Shibboleth from being handled by Apache::WeBWorK at line 148

        if ($webwork_url eq "/") {
            $Location{$webwork_courses_url} = { SetHandler => "none" };
            $Location{$webwork_htdocs_url} = { SetHandler => "none" };
            $Location{"/Shibboleth.sso"} = { SetHandler => "none" };   # add this
            $Location{"/shibboleth-sp"} = { SetHandler => "none" };    # add this
        }

  - shib.conf: Apache Shibboleth configuration. Add the following directive

        # Require a Shibboleth session for every path except the two static-file prefixes
        <LocationMatch "^/(?!webwork2_files|webwork2_course_files)">
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            require valid-user
        </LocationMatch>

  - global.conf: webwork main configuration file (or localOverride.conf for newer versions of WeBWorK): Change/add the following to enable Shibboleth authentication:

        $authen{user_module} = {
            "*" => "WeBWorK::Authen::Shibboleth",
        };

    Add the following lines at the bottom and change the Shibboleth handler accordingly.

        $shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url;
        $shibboleth{session_header} = "Shib-Session-ID"; # the header to identify if there is an existing shibboleth session
        $shibboleth{manage_session_timeout} = 1; # allow shib to manage session time instead of webwork
        $shibboleth{hash_user_id_method} = "MD5"; # possible values none, MD5. Use it when you want to hide real user_ids from showing in url.
        $shibboleth{hash_user_id_salt} = ""; # salt for hash function
        # define mapping between shib and webwork
        $shibboleth{mapping}{user_id} = 'puid';

- Start Shib

      sudo /sbin/service shibd start

- Restart Apache

      sudo /sbin/service httpd restart
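The LocationMatch pattern in the shib.conf step decides which request paths get the Shibboleth session requirement. The following added example (not part of the original page or of WeBWorK) models that matching with Python's re module and compares a bracket expression of the form [^webwork2_files|^webwork2_course_files] with a negative lookahead. The sample paths and course names are constructed, and Apache's matching is assumed to be an unanchored PCRE search.

```python
import re
import string

# Bracket form: "[^...]" is a negated character class, so only the first
# character after "/" is tested against the listed letters.
BRACKET = re.compile(r"^/[^webwork2_files|^webwork2_course_files]")
# Negative lookahead: exempts exactly the two static-file prefixes.
LOOKAHEAD = re.compile(r"^/(?!webwork2_files|webwork2_course_files)")

# Constructed request paths; the course names are hypothetical.
SAMPLE_PATHS = [
    "/",
    "/webwork2_files/js/app.js",
    "/webwork2_course_files/Math100/graph.png",
    "/Math100/",
    "/calculus1/",
    "/stats200/",
    "/admin/",
]


def requires_session(pattern, path):
    """Model of LocationMatch: the block applies if the regex matches
    anywhere in the URL path (an unanchored search)."""
    return pattern.search(path) is not None


def not_covered(pattern, paths=SAMPLE_PATHS):
    """Paths that would NOT get 'ShibRequestSetting requireSession 1'."""
    return [p for p in paths if not requires_session(pattern, p)]


def exempt_initials(pattern):
    """First characters after '/' that alone keep a path out of the block."""
    chars = string.ascii_letters + string.digits + string.punctuation
    return "".join(sorted(c for c in chars
                          if not requires_session(pattern, "/" + c)))


if __name__ == "__main__":
    for name, pat in (("bracket", BRACKET), ("lookahead", LOOKAHEAD)):
        print(name, "not covered:", not_covered(pat))
        print(name, "exempt initials:", exempt_initials(pat) or "(none)")
```

With the bracket form, whether a course URL falls under the session requirement depends on the first letter of the course name; with the lookahead only the two static-file prefixes are left out.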
Credits
Pan Luo (Centre for Teaching, Learning and Technology, University of British Columbia) wrote the WeBWorK::Authen::Shibboleth module, based on the existing Cosign WeBWorK authentication module.