Page History
...
For more information on installing and configuring a Shibboleth Service Provider see: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
- Please note that "ShibUseHeaders" must be set to "On", as DSpace currently receives authentication information through HTTP headers.
Note about Shibboleth Active vs Lazy Sessions:
...
- The "ShibUseHeaders" must be set to "On", as DSpace currently receives authentication information through HTTP headers.
- When initially setting up Apache & mod_shib, we recommend https://www.testshib.org/ as provides a great testing ground for your configurations. This site provides a sample/demo Shibboleth IdP (as well as a sample Shibboleth SP) which you can test against. This It acts as a great "sandbox" to get your configurations working properly, before you point DSpace at your production Shibboleth IdP.
...
Code Block |
---|
# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously), you may also need to create one for HTTP (*:80) <VirtualHost *:443> ... # PLEASE NOTE: We have omitted many settings (ServerName, LogLevel, SSLCertificateFile, etc) # which you may need/want to add to your VirtualHost # As long as Shibboleth module is installed, Enable all Shibboleth related settings <IfModule mod_shib> # Shibboleth recommends turning on UseCanonicalName # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig UseCanonicalName On # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users # can access DSpace content without first authenticating via Shib. # This section turns on Shibboleth "Lazy Session". Also ensures that once they have authenticated # (by accessing /Shibboleth.sso/Login path), then their Shib session is kept alive <Location /> AuthType shibboleth ShibRequireSession Off require shibboleth # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your DSpace, # then you may need to tell Apache which "id" to redirect Shib requests to. # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value. #ShibRequestSetting applicationId my-dspace-id </Location> # If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib <Location "/shibboleth-login"> AuthType shibboleth ShibRequireSession On # DSpace requires using Shibboleth Headers. So this MUST be "On" ShibUseHeaders On require valid-user </Location> # Ensure /Shibboleth.sso path (in Apache) can be accessed # By default it may be inaccessible if your Apache security is tight. <Location "/Shibboleth.sso"> Order deny,allow Allow from all # Also ensure Shibboleth/mod_shib responds to this path SetHandler shib </Location> # Finally, optionally ensure that requests to /Shibboleth.sso are NOT redirected # to Tomcat (as they will be handled by mod_shib instead). # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING PROXYPASS TO REDIRECT # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8080/) # ProxyPass /Shibboleth.sso ! </IfModule> ... </VirtualHost> |
...
Overview
Content Tools