Shibboleth and other auth modules: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
No edit summary
 
Line 1: Line 1:
== Prerequisites ==
== Shibboleth/REMOTE_USER Authentication ==


* installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document.
This feature integrates external authentication (e.g., Shibboleth) with VoIPmonitor GUI using the REMOTE_USER server variable.
* installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)
* the assumption for the GUI is that the web server does the all work and the GUI only receives the result. So if you try to reach the GUI then the webserver (with auth module) don't allow the access to the GUI without auth. So the webserver does all necessary redirects.


== How does it work ==
=== Prerequisites ===


When enabled in the GUI settings then the GUI search for the REMOTE_USER server variable (provided by Shibboleth sp) and uses it as auth user (Login name).
* Installed and functional Shibboleth module in Apache2 (or similar software). Installation is beyond this document's scope.
* Any auth module that sends username via REMOTE_USER (e.g., mod_auth_openidc or mod_auth_mellon).
* Web server handles all authentication; GUI receives only the result. Access to GUI redirects for auth if needed.


== Configuration ==
=== How It Works ===


* enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
When enabled, GUI checks REMOTE_USER (from Shibboleth SP) and uses it as login name.
* it still requires some GUI's users for privileges settings
* One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user


== Usage ==
=== Configuration ===


* after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
* Enable in '''GUI > Settings > System Configuration > Use Shibboleth/REMOTE_USER for auth'''.
* after clicking on this button the content of REMOTE_USER server variable is used as the user in the GUI database for getting user's privileges
* GUI users still required for privileges.
* if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
* Set one user as default for Shibboleth via '''GUI > Users & Audit > Users > Selected User > Default Shibboleth/REMOTE_USER account''' checkbox.
* login is done


== Logout ==
=== Usage ===


* the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string.
* After auth, Shibboleth/REMOTE_USER button appears in GUI login dialog.
* if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER
* Clicking uses REMOTE_USER as GUI user for privileges.
* If user not found, default Shibboleth user is used (if set).
* Login completes.


== Disable Login window ==
=== Logout ===


* you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely
* Logout URL constructed from Shib-Handler header + '/Logout', or HTTP_HOST + '/Shibboleth.sso/Logout'.
* Set custom URL in '''GUI > Settings > System Configuration > Logout URL for Shibboleth/REMOTE_USER'''.


== User's language setting ==
=== Disable Login Window ===


* if the login window is disabled then you can set the per user's language in GUI->Users & Audit->Users -> selected user
* Disable completely in '''GUI > Settings > System Configuration > Disable login window completely'''.


== Usage with custom login script ==
=== User's Language Setting ===


* it's working
* With login window disabled, set per-user language in '''GUI > Users & Audit > Users > Selected User'''.
* the REMOTE_USER variable is passed to the custom login script. And your script must return the structure as described in [[WEB_API#Custom_Login]]
 
* Note: the GUI's internal users have precedence before custom login users
=== Usage with Custom Login Script ===
 
* Compatible; REMOTE_USER passed to script.
* Script must return structure as in [[WEB_API#Custom_Login]].
* Note: Internal GUI users take precedence over custom login users.
 
=== AI Summary for RAG ===
 
'''Summary:''' This article covers integrating Shibboleth or REMOTE_USER authentication with VoIPmonitor GUI, including prerequisites, configuration, usage, logout, disabling login window, language settings, and custom script compatibility.
 
'''Keywords:''' Shibboleth, REMOTE_USER, authentication, GUI settings, privileges, logout URL, custom login script, default account
 
'''Key Questions:'''
* What are prerequisites for Shibboleth/REMOTE_USER auth?
* How does REMOTE_USER authentication work in VoIPmonitor?
* How to configure Shibboleth auth in GUI?
* What happens during Shibboleth login usage?
* How is logout handled for Shibboleth?
* Can the login window be disabled?
* How to set user language without login window?
* Is it compatible with custom login scripts?

Latest revision as of 14:23, 10 November 2025

Shibboleth/REMOTE_USER Authentication

This feature integrates external authentication (e.g., Shibboleth) with VoIPmonitor GUI using the REMOTE_USER server variable.

Prerequisites

  • Installed and functional Shibboleth module in Apache2 (or similar software). Installation is beyond this document's scope.
  • Any auth module that sends username via REMOTE_USER (e.g., mod_auth_openidc or mod_auth_mellon).
  • Web server handles all authentication; GUI receives only the result. Access to GUI redirects for auth if needed.

How It Works

When enabled, GUI checks REMOTE_USER (from Shibboleth SP) and uses it as login name.

Configuration

  • Enable in GUI > Settings > System Configuration > Use Shibboleth/REMOTE_USER for auth.
  • GUI users still required for privileges.
  • Set one user as default for Shibboleth via GUI > Users & Audit > Users > Selected User > Default Shibboleth/REMOTE_USER account checkbox.

Usage

  • After auth, Shibboleth/REMOTE_USER button appears in GUI login dialog.
  • Clicking uses REMOTE_USER as GUI user for privileges.
  • If user not found, default Shibboleth user is used (if set).
  • Login completes.

Logout

  • Logout URL constructed from Shib-Handler header + '/Logout', or HTTP_HOST + '/Shibboleth.sso/Logout'.
  • Set custom URL in GUI > Settings > System Configuration > Logout URL for Shibboleth/REMOTE_USER.

Disable Login Window

  • Disable completely in GUI > Settings > System Configuration > Disable login window completely.

User's Language Setting

  • With login window disabled, set per-user language in GUI > Users & Audit > Users > Selected User.

Usage with Custom Login Script

  • Compatible; REMOTE_USER passed to script.
  • Script must return structure as in WEB_API#Custom_Login.
  • Note: Internal GUI users take precedence over custom login users.

AI Summary for RAG

Summary: This article covers integrating Shibboleth or REMOTE_USER authentication with VoIPmonitor GUI, including prerequisites, configuration, usage, logout, disabling login window, language settings, and custom script compatibility.

Keywords: Shibboleth, REMOTE_USER, authentication, GUI settings, privileges, logout URL, custom login script, default account

Key Questions:

  • What are prerequisites for Shibboleth/REMOTE_USER auth?
  • How does REMOTE_USER authentication work in VoIPmonitor?
  • How to configure Shibboleth auth in GUI?
  • What happens during Shibboleth login usage?
  • How is logout handled for Shibboleth?
  • Can the login window be disabled?
  • How to set user language without login window?
  • Is it compatible with custom login scripts?
Retrieved from "https://www.voipmonitor.org//doc/index.php?title=Shibboleth_and_other_auth_modules&oldid=5728"