Shibboleth and other auth modules: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 6: Line 6:
== How does it work ==
== How does it work ==


When enabled in the GUI settings then the GUI search for the REMOTE_USER header (provided by Shibboleth sp) and uses it as auth user.
When enabled in the GUI settings then the GUI search for the REMOTE_USER server variable (provided by Shibboleth sp) and uses it as auth user.


== Configuration ==
== Configuration ==
Line 17: Line 17:


* after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
* after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
* after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges
* after clicking on this button the content of REMOTE_USER server variable is used as the user in the GUI database for getting user's privileges
* if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
* if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
* login is done
* login is done
Line 29: Line 29:


* you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely
* you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely
== User's language setting ==
* if the login window is disabled then you can set the per user's language in GUI->Users & Audit->Users -> selected user
== Usage with custom login script ==
* it's working
* the REMOTE_USER variable is passed to the custom login script. And your script must return the structure as described in [[WEB_API#Custom_Login]]
* Note: the GUI's internal users have precedence before custom login users

Latest revision as of 08:11, 15 June 2024

Prerequisites

  • installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document.
  • installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)

How does it work

When enabled in the GUI settings then the GUI search for the REMOTE_USER server variable (provided by Shibboleth sp) and uses it as auth user.

Configuration

  • enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
  • it still requires some GUI's users for privileges settings
  • One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user

Usage

  • after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
  • after clicking on this button the content of REMOTE_USER server variable is used as the user in the GUI database for getting user's privileges
  • if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
  • login is done

Logout

  • the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string.
  • if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER

Disable Login window

  • you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely

User's language setting

  • if the login window is disabled then you can set the per user's language in GUI->Users & Audit->Users -> selected user

Usage with custom login script

  • it's working
  • the REMOTE_USER variable is passed to the custom login script. And your script must return the structure as described in WEB_API#Custom_Login
  • Note: the GUI's internal users have precedence before custom login users