Shibboleth and other auth modules
Prerequisites
- installed functional Shibboleth module in Apache2 (or SW with similar functionality). The installation is beyond the scope of this document.
- installed any other auth module which knows to send username via REMOTE_USER server variable (e.g. mod_auth_openidc or mod_auth_mellon)
How does it work
When enabled in the GUI settings then the GUI search for the REMOTE_USER header (provided by Shibboleth sp) and uses it as auth user.
Configuration
- enable it with GUI->Settings->System configuration : Use Shibboleth/REMOTE_USER for auth
- it still requires some GUI's users for privileges settings
- One user can be setup as default user for Shibboleth. See 'Default Shibboleth/REMOTE_USER account' checkbox in GUI->Users & Audit->Users -> selected user
Usage
- after the Shibboleth/REMOTE_USER auth the GUI's Shibboleth/REMOTE_USER button will appear in GUI login dialog
- after clicking on this button the content of REMOTE_USER header is used as the user in the GUI database for getting user's privileges
- if an user is not found then the user with set checkbox 'Default Shibboleth/REMOTE_USER account' is used (if set)
- login is done
Logout
- the Shibboleth logout URL is constructed from Shib-Handler header + '/Logout' string. If not available then from HTTP_HOST header + '/Shibboleth.sso/Logout' string.
- if you want to use custom Logout URL then set it in GUI->Settings->System configuration : Logout URL for Shibboleth/REMOTE_USER
Disable Login window
- you can disable the login window completely with GUI->Settings->System configuration : Disable login window completely
Usage with custom login script
- it's working
- the REMOTE_USER variable is passed to the custom login script. And your script must return structure as described in WEB_API#Custom_Login
- Note: the GUI's internal users have precedence before custom login users