Difference between revisions of "Shibboleth and other auth modules"
Jump to navigation
Jump to search
m (Milan moved page Shibboleth auth to Shibboleth and other auth modules) |
|||
| Line 1: | Line 1: | ||
== Prerequisites == | == Prerequisites == | ||
| − | * installed functional Shibboleth | + | * installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document. |
| + | * installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon) | ||
== How does it work == | == How does it work == | ||
| Line 9: | Line 10: | ||
== Configuration == | == Configuration == | ||
| − | * enable it with GUI->Settings->System configuration : Use Shibboleth for auth | + | * enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth |
* it still requires some GUI's users for privileges settings | * it still requires some GUI's users for privileges settings | ||
| − | * One user can be setup as default user for Shibboleth. See 'Default Shibboleth account' checkbox in GUI->Users & Audit->Users -> selected user | + | * One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user |
== Usage == | == Usage == | ||
| − | * after the Shibboleth auth the GUI's Shibboleth button will appear in GUI login dialog | + | * after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog |
* after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges | * after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges | ||
| − | * if an user is not found then the user with set checkbox 'Default Shibboleth account' is used (if set) | + | * if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set) |
* login is done | * login is done | ||
| − | == | + | == Logout == |
| − | + | ||
| + | * the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string. | ||
| + | * if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER | ||
| + | |||
| + | == Disable Login window == | ||
| + | |||
| + | * you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely | ||
Revision as of 13:26, 26 February 2024
Prerequisites
- installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document.
- installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)
How does it work
When enabled in the GUI settings then the GUI search for the REMOTE_USER header (provided by Shibboleth sp) and uses it as auth user.
Configuration
- enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
- it still requires some GUI's users for privileges settings
- One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user
Usage
- after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
- after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges
- if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
- login is done
Logout
- the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string.
- if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER
Disable Login window
- you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely