Difference between revisions of "External (Shibboleth) Authentication"
Jump to navigation
Jump to search
(Created page with "This page is the instructions for how to enable Shibboleth authentication system for WeBWorK. '''NOTES''': * The installation is based on Redhat Enterprise Linux 5.7. The in...") |
|||
Line 1: | Line 1: | ||
− | This page is the instructions for how to enable Shibboleth authentication system for WeBWorK. |
+ | This page is the instructions for how to enable [http://en.wikipedia.org/wiki/Shibboleth_(Internet2) Shibboleth] authentication system for WeBWorK. |
'''NOTES''': |
'''NOTES''': |
||
Line 82: | Line 82: | ||
</pre> |
</pre> |
||
</ol> |
</ol> |
||
+ | |||
+ | |||
+ | == Credits == |
||
+ | |||
+ | Pan Luo[mailto:webwork.support@ubc.ca] (Centre for Teaching, Learning and Technology, University of British Columbia) wrote the WeBWorK::Authen::Shibboleth module, based on existing [[External (Cosign) Authentication|Cosign WeBWorK authentication module]]. |
||
+ | |||
+ | [[Category:Administrators]] |
Revision as of 18:59, 27 January 2012
This page is the instructions for how to enable Shibboleth authentication system for WeBWorK.
NOTES:
- The installation is based on Redhat Enterprise Linux 5.7. The installation for your distribution may vary. Please see the installation guide from Shibboleth website.
- The shibboleth2.xml is generated by UBC IT shibboleth Configuration generation form. If you use the one distributed with Shibboleth SP, you will need to modified to fit your environment.
- WeBWorK is configured on web root, instead of /webwork2. If your webwork is under a path, you will need to modified the shibboleth protection regular expression in shib.conf step 2.
Install Shibboleth
- Install Shibboleth from repo
- Change configuration
- httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.
- httpd.conf: Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- Shibboleth2xml: Copy Shibboleth2.xml to /etc/shibboleth or change/create the Shibboleth2.xml
- Under RequestMap, set up host. Your applicationid is not necessary the same as your hostname.
- Change the ApplicationDefault or ApplicationOverride
- Meta file and attribute map: Copy IdP meta file or/and attribute map into /etc/shibboleth
- webwork.apache2-config: exempt Shibboleth from being handled by Appache::WeBWork in line 148
- shib.conf: Apache Shibboleth configuration. Add the following directive
- global.conf: webwork main configuration file. Add the following lines at the bottom and change the Shibboleth handler accordingly.
- Start Shib
- Restart Apache
cd /etc/yum.repos.d/ sudo wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo sudo yum install shibboleth
<Host name="YOUR_WEBWORK_HOSTNAME" applicationId="YOUR_WEBWORK_HOSTNAME" authType="shibboleth" requireSession="true" exportAssertion="false" redirectToSSL="443"> </Host>
<ApplicationOverride id="YOUR_HOSTNAME" entityID="https://YOUR_HOSTNAME/shibboleth-sp" homeURL="YOUR_WEBWORK_HOME_URL" REMOTE_USER="eppn" />
if ($webwork_url eq "/") { $Location{$webwork_courses_url} = { SetHandler => "none" }; $Location{$webwork_htdocs_url} = { SetHandler => "none" }; $Location{"/Shibboleth.sso"} = { SetHandler => "none" }; # add this $Location{"/shibboleth-sp"} = { SetHandler => "none" }; # add this }
<LocationMatch ^/[^webwork2_files|^webwork2_course_files]> AuthType shibboleth ShibRequestSetting requireSession 1 require valid-user </LocationMatch>
$shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url; $shibboleth{session_header} = "Shib-Session-ID"; # the header to identify if there is an existing shibboleth session $shibboleth{manage_session_timeout} = 1; # allow shib to manage session time instead of webwork $shibboleth{hash_user_id_method} = "MD5"; # possible values none, MD5. Use it when you want to hide real user_ids from showing in url. $shibboleth{hash_user_id_salt} = ""; # salt for hash function #define mapping between shib and webwork $shibboleth{mapping}{user_id} = 'puid';
sudo /sbin/service shibd start
sudo /sbin/service httpd restart
Credits
Pan Luo[1] (Centre for Teaching, Learning and Technology, University of British Columbia) wrote the WeBWorK::Authen::Shibboleth module, based on existing Cosign WeBWorK authentication module.