Hyrax - Hyrax + Shibboleth: Difference between revisions
Revision as of 22:32, 24 October 2014
Overview
This document is intended to help those who have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.
Install and Configure Shibboleth
The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat.
Follow the instructions for a Native Java Install and remember - Hyrax does not use either Spring or Grails.
The Shibboleth instructions should have had you add something like this:
<Location /opendap>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
to httpd.conf. This will require users to authenticate to access any part of Hyrax. If you want more fine-grained control, you may want to use multiple Location elements with different require attributes. For example:
<Location /opendap>
AuthType shibboleth
ShibCompatWith24 On
require shibboleth
</Location>
<Location /opendap/AVHRR>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require valid-user
</Location>
The first Location establishes Shibboleth as the authentication tool for the entire /opendap application path, but does not require a user to be logged in in order to access the path. The second Location element asserts (via the require attribute) that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid-user, and because the AuthType is set to shibboleth, that user must therefore be a valid Shibboleth user.
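To check which URL paths a set of Location elements actually forces a login on, the following added example (not part of the original page or of Hyrax or Shibboleth) resolves the two-Location configuration above for a given request path. The function names are hypothetical, and the merge rule used (matching sections applied in file order, with a later directive replacing an earlier one) is a simplifying assumption about how Apache and mod_shib combine the sections.

```python
import re
# Constructed sample: the two-Location configuration shown on this page.
SAMPLE_CONF = """
<Location /opendap>
    AuthType shibboleth
    ShibCompatWith24 On
    require shibboleth
</Location>
<Location /opendap/AVHRR>
    AuthType shibboleth
    ShibCompatWith24 On
    ShibRequestSetting requireSession 1
    require valid-user
</Location>
"""
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf):
    """Return [(path, {directive: value})] in file order (hypothetical helper)."""
    sections = []
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue
            # Key ShibRequestSetting by the setting it carries, e.g. requireSession.
            n = 2 if words[0].lower() == "shibrequestsetting" else 1
            directives[" ".join(words[:n]).lower()] = " ".join(words[n:]).lower()
        sections.append((path, directives))
    return sections

def matches(location, url_path):
    """Plain <Location> match: the exact path, or a prefix ending on a '/' boundary."""
    base = location.rstrip("/")
    return url_path == base or url_path.startswith(base + "/")

def effective(conf, url_path):
    """Merge matching sections in file order; later directives win (assumption)."""
    merged = {}
    for path, directives in parse_locations(conf):
        if matches(path, url_path):
            merged.update(directives)
    return merged

def login_required(conf, url_path):
    """True only when the merged settings force a Shibboleth session for the path."""
    eff = effective(conf, url_path)
    return (eff.get("authtype") == "shibboleth" and eff.get("require") == "valid-user"
            and eff.get("shibrequestsetting requiresession") in ("1", "true"))
```

Running login_required over every data path you intend to protect shows gaps such as a sibling directory (for example a constructed "/opendap/AVHRR2") that shares a name prefix with a protected path but does not fall under its Location.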
For more examples and better understanding see the Apache Configuration section of the Shibboleth wiki.