Versions Compared

Old Version 9

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 10

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), you may also need to create one for HTTP (*:80)
<VirtualHost *:443>
   ...
   # PLEASE NOTE: We have omitted many settings (ServerName, LogLevel, SSLCertificateFile, etc) 
   # which you may need/want to add to your VirtualHost
   
   # As long as Shibboleth module is installed, Enable all Shibboleth related settings
   <IfModule mod_shib>
       # Shibboleth recommends turning on UseCanonicalName
       # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
       UseCanonicalName On

       # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users 
       # can access DSpace content without first authenticating via Shib. 
       # This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated
       # (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive
       <Location />
         AuthType shibboleth
         ShibRequireSession Off
         require shibboleth
         # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your DSpace, 
         # then you may need to tell Apache which "id" to redirect Shib requests to. 
         # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
         #ShibRequestSetting applicationId my-dspace-id
       </Location>

       # If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib
       <Location "/shibboleth-login">
         AuthType shibboleth
         ShibRequireSession On
         # DSpace requires using Shibboleth Headers. So this MUST be "On"
         ShibUseHeaders On
         require valid-user
       </Location>
         
       # Ensure /Shibboleth.sso path (in Apache) can be accessed
       # By default it may be inaccessible if your Apache security is tight.
       <Location "/Shibboleth.sso">
         Order deny,allow
         Allow from all
         # Also ensure Shibboleth/mod_shib responds to this path
         SetHandler shib
       </Location>
 
       # Finally, optionally ensure that requests to /Shibboleth.sso are NOT redirected 
       # to Tomcat (as they will be handled by mod_shib instead).
       # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING PROXYPASS TO REDIRECT
       # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8080/)
       # ProxyPass /Shibboleth.sso !
   </IfModule>
 
   ...
 
</VirtualHost>

 

DSpace Shibboleth Configuration Options

Authentication Methods:

DSpace supports authentication using NetID, or email address. A user's NetID is a unique identifier from the IdP that identifies a particular user. The NetID can be of almost any form such as a unique integer, string, or with Shibboleth 2.0 you can use "targeted ids". You will need to coordinate with your shibboleth federation or identity provider. There are three ways to supply identity information to DSpace:

...

Configuration File:

[dspace]/config/modules/authentication-shibboleth.cfg

Property:

lazysession

Example Value:

lazysession = true

Informational Note:

Whether to use lazy sessions or active sessions. For more DSpace instances, you will likely want to use lazy sessions. Active sessions will force every user to authenticate via Shibboleth before they can access your DSpace (essentially resulting in a "dark archive").

Property:

lazysession.loginurl

Example Value:

lazysession.loginurl = /Shibboleth.sso/Login

Informational Note:

The url to start a shibboleth session (only for lazy sessions). Generally this setting will be "/Shibboleth.sso/Login"

Property:

lazysession.secure

Example Value:

lazysession.secure = true

Informational Note:

Force HTTPS when authenticating (only for lazy sessions). Generally this is recommended to be "true".

Property:

netid-header

Example Value:

netid-header = SHIB-NETID

Informational Note:

The HTTP header where shibboleth will supply a user's NetID. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

email-header

Example Value:

email-header = SHIB-MAIL

Informational Note:

The HTTP header where the shibboleth will supply a user's email address. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

email-use-tomcat-remote-user

Example Value:

email-use-tomcat-remote-user = false

Informational Note:

Used when a netid or email heades headers are not available should shibboleth Shibboleth authentication fall back to using Tomcat's remote user feature? Generally this is not recommended. See the "Authentication Methods" section above.

Property:

autoregister

Example Value:

autoregister = true

Informational Note:

Should we allow new users to be registered automatically?

Property:

sword.compatability

Example Value:

sword.compatability = true

Informational Note:

Sword compatability will allow this authentication method to work when using sword. Sort relies on username and password based authentication and is entirely incapable of supporting shibboleth. This option allows you to authenticate username and passwords for sword sessions with out adding another authentication method onto the stack. You will need to ensure that a user has a password. One way to do that is to create the user via the create-administrator command line command and then edit their permissions.

Property:

firstname-header

Example Value:

firstname-header = SHIB_GIVENNAME

Informational Note:

The HTTP header where the shibboleth will supply a user's given name. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

lastname-header

Example Value:

lastname-header = SHIB_SN

Informational Note:

The HTTP header where the shibboleth will supply a user's sur namesurname. This HTTP header should be specified as an Attribute within your Shibboleth "attribute-map.xml" configuration file.

Property:

eperson.metadata

Example Value:

Code Block
eperson.metadata = \
 SHIB-telephone => phone, \
 SHIB-cn => cn

Informational Note:

Additional user attributes mapping, multiple attributes may be stored
 for for each user. The left side is the Shibboleth-based metadata Header
 and and the right side is the eperson metadata field to map the attribute to.

Property:

eperson.metadata.autocreate

Example Value:

eperson.metadata.autocreate = true

Informational Note:

If the eperson metadata field is not found, should it be automatically created?

Property:

role-header

Example Value:

role-header = SHIB_SCOPED_AFFILIATION

Informational Note:

The shibboleth header to do role-based mappings (see section on roll based mapping section above)

Property:

role-header.ignore-scope

Example Value:

role-header.ignore-scope = true

Informational Note:

Weather to ignore the attribute's scope (everything after the @ sign for scoped attributes)

Property:

role-header.ignore-value

Example Value:

role-header.ignore-value = false

Informational Note:

Weather to ignore the attribute's value (everything before the @ sign for scoped attributes)

Property:

role.[affiliation-attribute]

Example Value:

Code Block
role.faculty = Faculty, Member \
 role.staff = Staff, Member \
 role.student = Students, Member

Informational Note:

Mapping of affiliation values to DSpace groups. ( See the role"Role-based mapping Groups" section above )for more info.

LDAP Authentication

Enabling LDAP Authentication

...