Difference between revisions of "Shibboleth and other auth modules"
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Prerequisites == | == Prerequisites == | ||
− | * installed functional Shibboleth | + | * installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document. |
+ | * installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon) | ||
== How does it work == | == How does it work == | ||
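Review bot: the added second Prerequisites bullet reads as a further requirement on top of Shibboleth, while the first bullet already allows "SW with similar functionality". If the other auth modules are alternatives, start the bullet with "or" and reword "which knows to send username via" to "that passes the username in", so readers do not assume both modules must be installed.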
Line 9: | Line 10: | ||
== Configuration == | == Configuration == | ||
− | * enable it with GUI->Settings->System configuration : Use Shibboleth for auth | + | * enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth |
− | * it still requires some GUI's users for | + | * it still requires some GUI's users for privileges settings |
− | * One user can be setup as default user for Shibboleth. See 'Default Shibboleth account' checkbox in GUI->Users & Audit->Users -> selected user | + | * One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user |
== Usage == | == Usage == | ||
− | * after the Shibboleth auth the GUI's Shibboleth button will appear in GUI login dialog | + | * after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog |
* after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges | * after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges | ||
− | * if an user is not found then the user with set checkbox 'Default Shibboleth account' is used (if set) | + | * if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set) |
* login is done | * login is done | ||
− | == | + | == Logout == |
− | + | ||
+ | * the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string. | ||
+ | * if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER | ||
+ | |||
+ | == Disable Login window == | ||
+ | |||
+ | * you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely | ||
+ | |||
+ | == User's language setting == | ||
+ | |||
+ | * if the login window is disabled then you can set the per user's language in GUI->Users & Audit->Users -> selected user | ||
+ | |||
+ | == Usage with custom login script == | ||
+ | |||
+ | * it's working | ||
+ | * the REMOTE_USER variable is passed to the custom login script. And your script must return the structure as described in [[WEB_API#Custom_Login]] | ||
+ | * Note: the GUI's internal users have precedence before custom login users |
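Review bot: the Usage bullets call REMOTE_USER a "header" while the new Prerequisites bullet calls it a "server variable", and the text should say which one the GUI actually reads. A server variable is set by the auth module, whereas a request header can be supplied by the client, so the wording matters to anyone assessing this login path. In the new Logout section the fallback URL is built from HTTP_HOST, which comes from the client's Host request header; it would help to recommend setting "Logout URL for Shibboleth/REMOTE_USER" explicitly when Shib-Handler is not available. The bullet "it's working" under "Usage with custom login script" states nothing a reader can act on and could say what works and under which setting.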
Latest revision as of 13:39, 11 March 2024
Prerequisites
- an installed, working Shibboleth module in Apache2 (or software with similar functionality). The installation is beyond the scope of this document.
- or any other installed auth module that sends the username via the REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)
How does it work
When enabled in the GUI settings, the GUI looks for the REMOTE_USER header (provided by the Shibboleth SP) and uses its value as the authenticated user.
Configuration
- enable it in GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
- it still requires GUI users to exist, because privileges are configured on GUI users
- One user can be set up as the default user for Shibboleth: see the 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user
Usage
- after Shibboleth/REMOTE_USER authentication, the GUI's Shibboleth/REMOTE_USER button appears in the GUI login dialog
- after clicking this button, the content of the REMOTE_USER header is used as the user name in the GUI database to get the user's privileges
- if the user is not found, the user with the 'Default Shibboleth/REMOTE_USER account' checkbox set is used (if one is set)
- the login is complete
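
The lookup and default-account fallback described above can be audited from the web server's access log. The following is an added example, not code from the GUI: it assumes exact, case-sensitive matching of REMOTE_USER against GUI user names, an Apache access log in Common Log Format (where the `%u` field carries REMOTE_USER), and constructed sample users and log lines.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample data (hypothetical users, paths and addresses).
GUI_USERS = {"alice@example.org", "sso-readonly"}
DEFAULT_USER = "sso-readonly"   # account with the 'Default ... account' checkbox set
SAMPLE_LOG = [
    '192.0.2.10 - alice@example.org [11/Mar/2024:13:39:00 +0100] "GET /gui/ HTTP/1.1" 200 5120',
    '192.0.2.11 - bob@example.org [11/Mar/2024:13:40:00 +0100] "GET /gui/ HTTP/1.1" 200 5120',
    '192.0.2.11 - bob@example.org [11/Mar/2024:13:40:05 +0100] "GET /gui/cdr HTTP/1.1" 200 734',
    '192.0.2.12 - - [11/Mar/2024:13:41:00 +0100] "GET /gui/ HTTP/1.1" 200 318',
]

def resolve_gui_user(remote_user, gui_users, default_user=None):
    """Model of the documented lookup: own account first, then the default account."""
    if not remote_user or remote_user == "-":
        return None, "no REMOTE_USER"
    if remote_user in gui_users:          # assumption: exact, case-sensitive match
        return remote_user, "own account"
    if default_user is not None:
        return default_user, "default account"
    return None, "no match"

def audit_access_log(lines, gui_users, default_user=None):
    """Count requests per (REMOTE_USER, resolved GUI account, reason)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in CLF
        remote_user = m.group(3)
        account, reason = resolve_gui_user(remote_user, gui_users, default_user)
        counts[(remote_user, account, reason)] += 1
    return counts

def default_account_users(counts):
    """Identities that authenticated at the IdP but have no GUI account of their own."""
    return sorted({ru for (ru, _acct, reason) in counts if reason == "default account"})

if __name__ == "__main__":
    result = audit_access_log(SAMPLE_LOG, GUI_USERS, DEFAULT_USER)
    for (remote_user, account, reason), n in sorted(result.items(), key=str):
        print(f"{remote_user:20} -> {account!s:20} {reason:16} {n} request(s)")
    print("on default account:", default_account_users(result))
```

Every identity listed as "on default account" inherits the privileges of the default user, so that account is the one to keep minimal.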
Logout
- the Shibboleth logout URL is constructed from the Shib-Handler header + the '/Logout' string. If that header is not available, it is constructed from the HTTP_HOST header + the '/Shibboleth.sso/Logout' string.
- if you want to use a custom logout URL, set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER
Disable Login window
- you can disable the login window completely in GUI->Settings->System configuration : Disable login window completely
User's language setting
- if the login window is disabled, you can set the language per user in GUI->Users & Audit->Users -> selected user
Usage with custom login script
- it works
- the REMOTE_USER variable is passed to the custom login script, and your script must return the structure described in WEB_API#Custom_Login
- Note: the GUI's internal users take precedence over custom login users