Shibboleth and other auth modules

From VoIPmonitor.org
Jump to navigation Jump to search

Prerequisites

  • installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document.
  • installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)

How does it work

When enabled in the GUI settings then the GUI search for the REMOTE_USER server variable (provided by Shibboleth sp) and uses it as auth user.

Configuration

  • enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
  • it still requires some GUI's users for privileges settings
  • One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user

Usage

  • after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
  • after clicking on this button the content of REMOTE_USER server variable is used as the user in the GUI database for getting user's privileges
  • if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
  • login is done

Logout

  • the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string.
  • if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER

Disable Login window

  • you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely

User's language setting

  • if the login window is disabled then you can set the per user's language in GUI->Users & Audit->Users -> selected user

Usage with custom login script

  • it's working
  • the REMOTE_USER variable is passed to the custom login script. And your script must return the structure as described in WEB_API#Custom_Login
  • Note: the GUI's internal users have precedence before custom login users