Hyrax - Hyrax + Shibboleth: Difference between revisions

From OPeNDAP Documentation

Revision as of 13:04, 26 October 2014


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.

Install and Configure Shibboleth

The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat. This is primarily an Apache httpd activity.

Basically you need to follow the instructions for a Native Java Install (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall) and remember: Hyrax does not use either Spring or Grails.


Installation

Start with the Native Java SP Installation:

  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall

This is really the last page you need to process: it will send you off to do a platform-dependent installation of the Shibboleth Native Service Provider for Apache, which must be completed, working and configured before you return to the Native Java SP Installation to enable the part where mod_shib and Tomcat are connected so that authenticated user information is passed into Tomcat.

The document path on the Native Java Install wiki page will send you off to do the Shibboleth Native Service Provider installation, which is platform dependent:

  • https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
    • Install a Native Service Provider on your target system. (If you need to run the IdP then there's probably not much here for you.)
    • In the initial testing section for Linux they suggest accessing the Status page https://localhost/Shibboleth.sso/Status, but you may have to use the loopback address to do so: https://127.0.0.1/Shibboleth.sso/Status


Return to the Native Java SP Installation and complete the instructions there.


Configuration

Once the installation is completed (and assuming you installed a Native Service Provider; if you didn't then the rest of this isn't about what you're doing, sorry) go to the Native SP Configuration page:

  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

Read that page and then follow the link to the instructions for Apache:

  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

Follow those instructions.

  • Do not be confused by the section "Making URLs Used by mod_shib Get Properly Routed": while you must add this Location directive to "reveal" the Shibboleth module to the world, don't think the URL https://yourhost/Shibboleth.sso is a valid access point to the module. That URL may always return a Shibboleth error page even if mod_shib and shibd are configured and working correctly.
  • Read and understand the section "Enabling the Module for Authentication".


The Shibboleth instructions should have had you add something like this:

<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

to httpd.conf. This will require users to authenticate to access any part of Hyrax, which may be exactly what you want. If you want more fine-grained control you may want to use multiple Location elements with different require attributes. For example:

<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

In the example above, the first Location establishes Shibboleth as the authentication tool for the entire /opendap application path and enables the Shibboleth module over the entire Hyrax server.

  • Since there is no ShibRequestSetting requireSession 1 line, it does not require a user to be logged in in order to access the path.
  • The require shibboleth command activates mod_shib for all of Hyrax.

The second Location states that only valid users may access the /opendap/AVHRR URL path.

  • The require valid-user command requires user authentication.
  • The AuthType command is set to shibboleth, so mod_shib will be called upon to perform the authentication.
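A small audit script, added here as an example and not part of the OPeNDAP documentation, that parses Location blocks from an httpd.conf fragment and reports, for a given request path, whether the most specific matching Location forces a login (requireSession 1), merely activates mod_shib (require shibboleth), or leaves the path outside Shibboleth entirely. The configuration text is constructed to mirror the two-Location example above; the function names are assumptions.

```python
import re

# Constructed httpd.conf fragment mirroring the page's two-Location example.
SAMPLE_CONF = """<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf):
    """Map each Location path to its AuthType, requireSession flag and require rules."""
    blocks = {}
    for m in LOCATION_RE.finditer(conf):
        info = {"authtype": None, "require_session": False, "require": []}
        for line in m.group(2).splitlines():
            words = line.lower().split()   # directives are case-insensitive
            if not words:
                continue
            key = words[0]
            if key == "authtype" and len(words) > 1:
                info["authtype"] = words[1]
            elif key == "shibrequestsetting" and words[1:2] == ["requiresession"]:
                info["require_session"] = words[2:3] == ["1"]
            elif key == "require":
                info["require"].append(" ".join(words[1:]))
        blocks[m.group(1).rstrip("/") or "/"] = info
    return blocks

def effective_policy(blocks, request_path):
    """Classify a path by its most specific Location (exact path or a path below it)."""
    matches = [p for p in blocks
               if request_path == p or request_path.startswith(p + "/")]
    if not matches:
        return "unprotected"
    info = blocks[max(matches, key=len)]
    if info["authtype"] != "shibboleth" or not info["require"]:
        return "unprotected"
    # The page ties forced login to "ShibRequestSetting requireSession 1";
    # "require shibboleth" alone only activates mod_shib (a lazy session).
    return "login-required" if info["require_session"] else "lazy-session"
```

Run it against your real httpd.conf text and a list of the dataset paths you intend to protect to confirm that each one resolves to "login-required" rather than "lazy-session".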

For more examples and better understanding see the Apache Configuration section of the Shibboleth wiki.