Shibboleth and other auth modules: Difference between revisions
Latest revision as of 12:05, 20 May 2025
Prerequisites
- a working Shibboleth module installed in Apache2 (or software with similar functionality). The installation is beyond the scope of this document.
- any other installed auth module that can send the username via the REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)
- the GUI assumes that the web server does all the work and the GUI only receives the result. If you try to reach the GUI, the web server (with the auth module) does not allow access to the GUI without authentication, and the web server performs all necessary redirects.
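The last prerequisite, that the web server blocks every unauthenticated request before it reaches the GUI, can be expressed for the Shibboleth module as below. This is an added example, not configuration from the original page or from the GUI's vendor; the `/gui` path is an assumption and must be replaced with the location where your GUI is actually served.

```apache
# Added example. Assumption: the GUI is served under /gui (hypothetical path).
<Location "/gui">
    # Hand authentication for this location to the Shibboleth SP module.
    AuthType shibboleth

    # Require an active Shibboleth session for every request; requests
    # without one are redirected by the web server to start a login.
    ShibRequestSetting requireSession 1

    # Only requests that carry a valid Shibboleth session are let through,
    # so the GUI is never reached without REMOTE_USER set by the module.
    Require shib-session

    # Publish attributes as server variables rather than request headers
    # (Off is the module default; stated explicitly here).
    ShibUseHeaders Off
</Location>
```

The value placed in REMOTE_USER is chosen by the SP configuration (the REMOTE_USER attribute list in shibboleth2.xml), so it should name an identifier that matches the login names defined in the GUI.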
How does it work
When enabled in the GUI settings, the GUI looks for the REMOTE_USER server variable (provided by the Shibboleth SP) and uses it as the authenticated user (login name).
Configuration
- enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
- it still requires some GUI users to be defined, because privileges are set on them
- one user can be set up as the default user for Shibboleth. See the 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user
Usage
- after the Shibboleth/REMOTE_USER auth, the Shibboleth/REMOTE_USER button appears in the GUI login dialog
- after clicking this button, the content of the REMOTE_USER server variable is used to look up the user in the GUI database and get that user's privileges
- if the user is not found, the user with the 'Default Shibboleth/REMOTE_USER account' checkbox set is used (if one is set)
- login is done
Logout
- the Shibboleth logout URL is constructed from the Shib-Handler header + the '/Logout' string. If that header is not available, it is constructed from the HTTP_HOST header + the '/Shibboleth.sso/Logout' string.
- if you want to use a custom logout URL, set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER
Disable Login window
- you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely
User's language setting
- if the login window is disabled, you can set the language per user in GUI->Users & Audit->Users -> selected user
Usage with custom login script
- it works
- the REMOTE_USER variable is passed to the custom login script, and your script must return the structure described in WEB_API#Custom_Login
- Note: the GUI's internal users take precedence over custom login users