Difference between revisions of "External (Shibboleth) Authentication"

From WeBWorK_wiki
Jump to navigation Jump to search
(Add note about information here being outdated.)
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
  +
{{Outdated}}
  +
  +
Shibboleth authentication is still supported in WeBWorK, but these instructions are out of date. For WeBWorK 2.19 you should consult the conf/authen_shibboleth.conf.dist file for more recent information about configuring Shibboleth authentication.
  +
 
This page is the instructions for how to enable [http://en.wikipedia.org/wiki/Shibboleth_(Internet2) Shibboleth] authentication system for WeBWorK.
 
This page is the instructions for how to enable [http://en.wikipedia.org/wiki/Shibboleth_(Internet2) Shibboleth] authentication system for WeBWorK.
   
Line 5: Line 9:
 
* The shibboleth2.xml is generated by UBC IT shibboleth Configuration generation form. If you use the one distributed with Shibboleth SP, you will need to modified to fit your environment.
 
* The shibboleth2.xml is generated by UBC IT shibboleth Configuration generation form. If you use the one distributed with Shibboleth SP, you will need to modified to fit your environment.
 
* WeBWorK is configured on web root, instead of /webwork2. If your webwork is under a path, you will need to modified the shibboleth protection regular expression in shib.conf step 2.
 
* WeBWorK is configured on web root, instead of /webwork2. If your webwork is under a path, you will need to modified the shibboleth protection regular expression in shib.conf step 2.
 
  +
* At the time of writing, there were '''breaking changes to Shibboleth after webwork v2.14'''. See https://github.com/openwebwork/webwork2/issues/1844 details.
 
==Install Shibboleth==
 
==Install Shibboleth==
   
Line 20: Line 24:
 
<li>httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.</li>
 
<li>httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.</li>
 
<li>httpd.conf: Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.</li>
 
<li>httpd.conf: Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.</li>
<li>Shibboleth2xml: Copy Shibboleth2.xml to /etc/shibboleth or change/create the Shibboleth2.xml</li>
+
<li>shibboleth2xml: Copy shibboleth2.xml to /etc/shibboleth or change/create the shibboleth2.xml</li>
 
<ul>
 
<ul>
 
<li>Under RequestMap, set up host. Your applicationid is not necessary the same as your hostname.</li>
 
<li>Under RequestMap, set up host. Your applicationid is not necessary the same as your hostname.</li>
Line 42: Line 46:
   
 
<li>Meta file and attribute map: Copy IdP meta file or/and attribute map into /etc/shibboleth</li>
 
<li>Meta file and attribute map: Copy IdP meta file or/and attribute map into /etc/shibboleth</li>
  +
<li>Be sure to extract an attribute suitable for a username within attribute-map.xml. A few eduPerson attributes, including eppn, are extracted by default. If your identity provider releases a uid attribute, then you'll need to extract that by adding/uncommenting that mapping. eduPersonPrincipalName (eppn), uid, persistant-id are common options.
  +
<pre>
  +
...
  +
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  +
...
  +
</pre>
 
<li>webwork.apache2-config: exempt Shibboleth from being handled by Appache::WeBWork in line 148</li>
 
<li>webwork.apache2-config: exempt Shibboleth from being handled by Appache::WeBWork in line 148</li>
 
<pre>
 
<pre>
Line 53: Line 63:
 
<li>shib.conf: Apache Shibboleth configuration. Add the following directive</li>
 
<li>shib.conf: Apache Shibboleth configuration. Add the following directive</li>
 
<pre>
 
<pre>
<LocationMatch ^/[^webwork2_files|^webwork2_course_files]>
 
  +
# allows anonymous course selection, but requires authentication from then on
  +
<LocationMatch ^/webwork2/.+>
 
AuthType shibboleth
 
AuthType shibboleth
 
ShibRequestSetting requireSession 1
 
ShibRequestSetting requireSession 1
Line 64: Line 75:
 
<pre>
 
<pre>
 
$authen{user_module} = {
 
$authen{user_module} = {
"*" => "WeBWorK::Authen::Shibboleth",
+
"*" => "WeBWorK::Authen::Shibboleth",
 
};
 
};
 
</pre>
 
</pre>
Line 70: Line 81:
 
Add the following lines at the bottom and change the Shibboleth handler accordingly.
 
Add the following lines at the bottom and change the Shibboleth handler accordingly.
 
<pre>
 
<pre>
  +
$shibboleth{login_script} = "/Shibboleth.sso/Login";
 
$shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url;
 
$shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url;
 
$shibboleth{session_header} = "Shib-Session-ID"; # the header to identify if there is an existing shibboleth session
 
$shibboleth{session_header} = "Shib-Session-ID"; # the header to identify if there is an existing shibboleth session
Line 75: Line 87:
 
$shibboleth{hash_user_id_method} = "MD5"; # possible values none, MD5. Use it when you want to hide real user_ids from showing in url.
 
$shibboleth{hash_user_id_method} = "MD5"; # possible values none, MD5. Use it when you want to hide real user_ids from showing in url.
 
$shibboleth{hash_user_id_salt} = ""; # salt for hash function
 
$shibboleth{hash_user_id_salt} = ""; # salt for hash function
#define mapping between shib and webwork
+
# define mapping between shib and webwork
$shibboleth{mapping}{user_id} = 'puid';
+
# use the id value of one of attributes being provided/extracted in shibboleth/attribute-map.xml
  +
# eppn, uid, persistant-id are common choices
  +
#$shibboleth{mapping}{user_id} = 'eppn';
  +
$shibboleth{mapping}{user_id} = 'uid';
 
</pre>
 
</pre>
 
</ul>
 
</ul>

Latest revision as of 14:26, 12 November 2024

Outdated IMPORTANT: The content of this page is outdated. Do not rely on the information contained in this page.

Shibboleth authentication is still supported in WeBWorK, but these instructions are out of date. For WeBWorK 2.19 you should consult the conf/authen_shibboleth.conf.dist file for more recent information about configuring Shibboleth authentication.

This page is the instructions for how to enable Shibboleth authentication system for WeBWorK.

NOTES:

  • The installation is based on Redhat Enterprise Linux 5.7. The installation for your distribution may vary. Please see the installation guide from Shibboleth website.
  • The shibboleth2.xml is generated by UBC IT shibboleth Configuration generation form. If you use the one distributed with Shibboleth SP, you will need to modified to fit your environment.
  • WeBWorK is configured on web root, instead of /webwork2. If your webwork is under a path, you will need to modified the shibboleth protection regular expression in shib.conf step 2.
  • At the time of writing, there were breaking changes to Shibboleth after webwork v2.14. See https://github.com/openwebwork/webwork2/issues/1844 details.

Install Shibboleth

  1. Install Shibboleth from repo
  2. cd /etc/yum.repos.d/
    sudo wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
    sudo yum install shibboleth
    
  3. Change configuration
    • httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.
    • httpd.conf: Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
    • shibboleth2xml: Copy shibboleth2.xml to /etc/shibboleth or change/create the shibboleth2.xml
      • Under RequestMap, set up host. Your applicationid is not necessary the same as your hostname.
      •  <Host name="YOUR_WEBWORK_HOSTNAME" 
                          applicationId="YOUR_WEBWORK_HOSTNAME"  
                          authType="shibboleth" 
                          requireSession="true" 
                          exportAssertion="false"
                          redirectToSSL="443">
        </Host>
        
      • Change the ApplicationDefault or ApplicationOverride
      • <ApplicationOverride id="YOUR_HOSTNAME"
                                     entityID="https://YOUR_HOSTNAME/shibboleth-sp"
                                     homeURL="YOUR_WEBWORK_HOME_URL"
                                     REMOTE_USER="eppn" />
        
    • Meta file and attribute map: Copy IdP meta file or/and attribute map into /etc/shibboleth
    • Be sure to extract an attribute suitable for a username within attribute-map.xml. A few eduPerson attributes, including eppn, are extracted by default. If your identity provider releases a uid attribute, then you'll need to extract that by adding/uncommenting that mapping. eduPersonPrincipalName (eppn), uid, persistant-id are common options.
      ...
      <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
      ...
      
    • webwork.apache2-config: exempt Shibboleth from being handled by Appache::WeBWork in line 148
    • if ($webwork_url eq "/") {
              $Location{$webwork_courses_url} = { SetHandler => "none" };
              $Location{$webwork_htdocs_url} = { SetHandler => "none" };
              $Location{"/Shibboleth.sso"} = { SetHandler => "none" }; # add this
              $Location{"/shibboleth-sp"} = { SetHandler => "none" };  # add this
      }
      
    • shib.conf: Apache Shibboleth configuration. Add the following directive
    • # allows anonymous course selection, but requires authentication from then on 
      <LocationMatch ^/webwork2/.+>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
      </LocationMatch>
      
    • global.conf: webwork main configuration file (or localOverride.conf for newer version of WeBWorK):
    • Change/Add the following to enable shibboleth authentication:
      $authen{user_module} = {
             "*" => "WeBWorK::Authen::Shibboleth",
      };
      

      Add the following lines at the bottom and change the Shibboleth handler accordingly.

      $shibboleth{login_script} = "/Shibboleth.sso/Login";
      $shibboleth{logout_script} = "/Shibboleth.sso/Logout?return=".$server_root_url.$webwork_url;
      $shibboleth{session_header} = "Shib-Session-ID"; # the header to identify if there is an existing shibboleth session
      $shibboleth{manage_session_timeout} = 1; # allow shib to manage session time instead of webwork
      $shibboleth{hash_user_id_method} = "MD5"; # possible values none, MD5. Use it when you want to hide real user_ids from showing in url. 
      $shibboleth{hash_user_id_salt} = ""; # salt for hash function
      # define mapping between shib and webwork
      # use the id value of one of attributes being provided/extracted in shibboleth/attribute-map.xml
      # eppn, uid, persistant-id are common choices
      #$shibboleth{mapping}{user_id} = 'eppn'; 
      $shibboleth{mapping}{user_id} = 'uid';
      
  4. Start Shib
  5. sudo /sbin/service shibd start
    
  6. Restart Apache
  7. sudo /sbin/service httpd restart
    

Credits

Pan Luo[1] (Centre for Teaching, Learning and Technology, University of British Columbia) wrote the WeBWorK::Authen::Shibboleth module, based on existing Cosign WeBWorK authentication module.