
Shibboleth v0.8

daronco edited this page Sep 26, 2014 · 3 revisions

For Mconf-Web version 0.8.

Introduction

Shibboleth is a solution for federated single sign-on (SSO). In brief, this is how it works:

  • Users access services run by "service providers" (e.g. a web application like Mconf-Web), but their authentication is performed by a separate entity called the "identity provider".
  • The service provider redirects the user to an identity provider; the user enters their credentials there; the identity provider validates them and redirects the user back to the service provider.
  • The service provider receives only a controlled set of attributes about the user, such as name and email. The user entrusts their credentials to the identity provider only, never to the service providers.

You can read more about it here and here.

How it works in Mconf-Web

Mconf-Web is ready to be used as a Shibboleth service provider using the shibboleth module for Apache.

Once the Shibboleth module is installed and configured, a request to the path /secure on your Mconf-Web server is intercepted by the module, which redirects the user to the configured identity provider. After authentication the identity provider redirects the user back to Mconf-Web.

Mconf-Web only sees the attributes the identity provider releases. With this information a new account is created automatically in Mconf-Web on the user's first access; on subsequent accesses the user is simply logged into that existing account. On the first access the user can also choose to associate the federated identity with an existing Mconf-Web account, if they already had one.

Install and configure Apache's Shibboleth module

The configuration of a Shibboleth service provider differs between federations. Some steps are the same in every installation, others depend on how the federation (and its identity providers) are configured. This page shows all the steps we use to configure Mconf-Web for the federation mconf.org is integrated with: CAFe. Use it as a guide, but we strongly recommend also getting help from the people responsible for the federation you want to integrate Mconf-Web with.

This guide is strongly based on: http://wiki.rnp.br/pages/viewpage.action?pageId=41616305

Prerequisites

  • You need a server with Mconf-Web up and running. See this guide.
  • Your Mconf-Web server must already be served over HTTPS (SSL); the identity provider redirects users back to your server over HTTPS and the Shibboleth session cookie must not travel in clear text. See this guide.

Installation

Install Apache's module for Shibboleth:

$ sudo apt-get install libapache2-mod-shib2

Enable it:

$ sudo a2enmod shib2

Configuration

You need to configure your site in Apache so that Shibboleth authentication is triggered when a user accesses the path /secure. To do that, append the contents of the file config/webserver/apache2_shibboleth.example to the end of /etc/apache2/sites-available/mconf-web-ssl, just before the closing </VirtualHost> tag.

Then configure how the Shibboleth module communicates with the identity provider. This step will probably differ for other federations; what follows is just an example of what has to be configured.

Create these three files (if they already exist, replace their contents):

  • /etc/shibboleth/shibboleth2.xml with the contents from step 8 in this guide (in Portuguese).
  • /etc/shibboleth/attribute-map.xml with the contents from step 9 in this guide (in Portuguese).
  • /etc/shibboleth/attribute-policy.xml with the contents from step 10 in this guide (in Portuguese).

In the files created, replace the following placeholder:

  • $HOSTNAME: the host name of your server, e.g. server.my-institution.com.

The last step is to create a metadata file with information about your server. This file has to be added to the metadata used by the identity provider; until it is, the identity provider will not recognise your application and will not release attributes to it. The format of this file may change depending on the target federation. You can see an example of the metadata in step 11 of this guide (in Portuguese). In that example several things have to be replaced, including the placeholders:

  • $HOSTNAME: the host name of your server, e.g. server.my-institution.com;
  • $INSTITUICAO: the name of your institution, e.g. My Institution;
  • $DOMINIO_INST: the domain of your institution, e.g. my-institution.com.
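The Apache-side procedure above (protecting /secure, filling the $HOSTNAME, $INSTITUICAO and $DOMINIO_INST placeholders in the three /etc/shibboleth files and in the metadata, then checking the result before restarting) as one shell script. This is an added example, not a file from the Mconf-Web project or from the RNP guide: the `<Location /secure>` block is a stand-in for config/webserver/apache2_shibboleth.example, whose real contents are not reproduced on this page, and the template directory /root/cafe-templates (holding the files copied from steps 8 to 11 of the guide) is assumed.

```shell
#!/bin/bash
# Added example for this page, not part of Mconf-Web or the RNP/CAFe guide.
# Assumed: the templates copied from the CAFe guide live in /root/cafe-templates
# and use the $HOSTNAME, $INSTITUICAO and $DOMINIO_INST placeholders named above.
set -e

# Stand-in for config/webserver/apache2_shibboleth.example (contents not shown
# on this page): make mod_shib require a Shibboleth session for /secure.
shib_location_block() {
  cat <<'EOF'
  <Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Keep the module default: attributes reach the app as server environment
    # variables, not as HTTP request headers that a client could forge.
    ShibUseHeaders Off
    Require valid-user
  </Location>
EOF
}

# Insert the block just before </VirtualHost>. Idempotent: a vhost that already
# has the block is left alone; a file without a closing tag is rejected.
add_shib_location() {
  vhost="$1"
  if grep -q '<Location /secure>' "$vhost"; then
    echo "already configured: $vhost" >&2
    return 0
  fi
  grep -q '</VirtualHost>' "$vhost" || { echo "no </VirtualHost> in $vhost" >&2; return 1; }
  tmp="$(mktemp)"
  awk -v block="$(shib_location_block)" '/<\/VirtualHost>/ { print block } { print }' "$vhost" > "$tmp"
  cat "$tmp" > "$vhost"   # keep the original file's owner and mode
  rm -f "$tmp"
}

# Fill one template. Fails if any $PLACEHOLDER survives, so a half-edited file
# never reaches shibd. Values must not contain '|' or '&' (sed special chars).
fill_template() {
  src="$1"; dst="$2"; host="$3"; inst="$4"; domain="$5"
  sed -e "s|[$]HOSTNAME|$host|g" \
      -e "s|[$]INSTITUICAO|$inst|g" \
      -e "s|[$]DOMINIO_INST|$domain|g" "$src" > "$dst"
  if grep -q '[$][A-Z_][A-Z_]*' "$dst"; then
    echo "unreplaced placeholder in $dst:" >&2
    grep -n '[$][A-Z_][A-Z_]*' "$dst" >&2
    return 1
  fi
}

# Syntax-check what will be loaded before restarting anything.
check_config() {
  shibd -t              # parses shibboleth2.xml and the files it references
  apache2ctl configtest # parses the vhost including the new Location block
}

# Usage: sudo ./shib-setup.sh install server.my-institution.com "My Institution" my-institution.com
if [ "${1:-}" = "install" ]; then
  add_shib_location /etc/apache2/sites-available/mconf-web-ssl
  for f in shibboleth2.xml attribute-map.xml attribute-policy.xml; do
    fill_template "/root/cafe-templates/$f" "/etc/shibboleth/$f" "$2" "$3" "$4"
  done
  fill_template /root/cafe-templates/metadata.xml "/etc/shibboleth/$2-metadata.xml" "$2" "$3" "$4"
  check_config
  service apache2 restart && service shibd restart
fi
```

The placeholder check is the part worth keeping even if you edit the files by hand: a shibboleth2.xml with a literal `$HOSTNAME` left in the entityID loads without complaint but produces an entity the identity provider has never heard of, and the failure only shows up as a redirect loop at the federation.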

Enable and configure Shibboleth inside Mconf-Web

With your server configured, you now have to enable and configure Shibboleth inside Mconf-Web.

Go to the management area and you will see the parameters used to configure Shibboleth. They are:

  • Enable Shibboleth: If checked, login via Shibboleth is enabled and the interface shows the option for the user to select it.
  • Shibboleth environment variables: When the identity provider returns the user's attributes, the Shibboleth module exposes them to Mconf-Web as environment variables (keep it that way: with ShibUseHeaders Off, the module's default, a client cannot inject attributes through forged HTTP request headers). In this field you can list the names of the variables that will be read and stored in the session. If left empty, all variables whose names start with shib- are fetched.
  • Shibboleth field for email: The name of the variable that will be used as the user's email.
  • Shibboleth field for name: The name of the variable that will be used as the user's full name.
  • Shibboleth field for login: The name of the variable that will be used as the user's login.

The picture below shows an example of how these fields can be configured:

[Image: Shibboleth configurations in the user interface]