Hyrax - Hyrax + Shibboleth

From OPeNDAP Documentation
⧼opendap2-jumptonavigation⧽


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.

Install and Configure Shibboleth

The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat.

Follow the instructions for a Native Java Install and remember - Hyrax does not use either Spring or Grails.

The Shibboleth instructions should have had you add something like this: 

<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

to httpd.conf. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple Location elements with different require attributes. For example: 

<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
</apache>

The first Location establishes Shibboleth as the authentication tool for the entire /opendap application path , but does not require a user to be logged in order to access the path. The second Location element asserts (via the require attribute) that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid-user, and because the AuthType is set to shibboleth then that user must be a valid Shibboleth user.

For more examples and better understanding see the Apache Configuration section of the Shibboleth wiki.


Retrieved from "https://docs.opendap.org/index.php?title=Hyrax_-_Hyrax_%2B_Shibboleth&oldid=10897"