...
```apache
#### SAMPLE MOD_SHIB CONFIGURATION FOR APACHE2 (it may require local modifications based on your Apache setup) ####

# While this sample VirtualHost is for HTTPS requests (recommended for Shibboleth, obviously),
# you may also need/want to create one for HTTP (*:80)
<VirtualHost *:443>
  ...
  # PLEASE NOTE: We have omitted many Apache settings (ServerName, LogLevel, SSLCertificateFile, etc)
  # which you may need/want to add to your VirtualHost

  # As long as the Shibboleth module is installed, enable all Shibboleth/mod_shib related settings
  <IfModule mod_shib>
    # Shibboleth recommends turning on UseCanonicalName
    # See "Prepping Apache" in https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
    UseCanonicalName On

    # Most DSpace instances will want to use Shibboleth "Lazy Session", which ensures that users
    # can access DSpace without first authenticating via Shibboleth.
    # This section turns on Shibboleth "Lazy Session". It also ensures that once users have authenticated
    # (by accessing the /Shibboleth.sso/Login path), their Shib session is kept alive.
    <Location />
      AuthType shibboleth
      ShibRequireSession Off
      require shibboleth
      # If your "shibboleth2.xml" file specifies an <ApplicationOverride> setting for your
      # DSpace Service Provider, then you may need to tell Apache which "id" to redirect Shib requests to.
      # Just uncomment this and change the value "my-dspace-id" to the associated @id attribute value.
      #ShibRequestSetting applicationId my-dspace-id
    </Location>

    # If a user attempts to access the DSpace shibboleth login page, force them to authenticate via Shib
    <Location "/shibboleth-login">
      AuthType shibboleth
      ShibRequireSession On
      # Please note that setting ShibUseHeaders to "On" is a potential security risk: with it "On",
      # user attributes are delivered to the application as ordinary HTTP request headers, which a client
      # can forge on any request path that reaches Tomcat without passing through mod_shib (for example a
      # directly reachable Tomcat HTTP/AJP port). With it "Off", attributes are delivered as environment
      # variables (forwarded over AJP as request attributes), which a client cannot set.
      # You may wish to set it to "Off". See the mod_shib docs for details about this setting:
      # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
      # Here's a good guide to configuring Apache + Tomcat when this setting is "Off":
      # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
      ShibUseHeaders On
      require valid-user
    </Location>

    # Ensure the /Shibboleth.sso path (in Apache) can be accessed.
    # By default it may be inaccessible if your Apache security is tight.
    # (The two lines below are Apache 2.2 syntax; Apache 2.4 uses "Require all granted" instead.)
    <Location "/Shibboleth.sso">
      Order deny,allow
      Allow from all
      # Also ensure Shibboleth/mod_shib responds to this path
      SetHandler shib
    </Location>

    # Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected
    # to Tomcat (as they need to be handled by mod_shib instead).
    # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO REDIRECT
    # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8009/)
    # ProxyPass /Shibboleth.sso !
  </IfModule>
  ...
</VirtualHost>
```
Sample shibboleth2.xml Configuration
In addition, here is a sample "ApplicationOverride" configuration for "shibboleth2.xml". This particular "ApplicationOverride" is configured to use the Test IdP provided by http://www.testshib.org/ and is only meant as an example. To enable it for testing purposes, you must specify `ShibRequestSetting applicationId testshib` in your Apache mod_shib configuration (see above).
```xml
<!-- *** Sample Shibboleth Settings for http://www.testshib.org/ *** -->
<!-- This provides a simple sample of how you could configure -->
<!-- shibboleth2.xml for DSpace sites. -->
<!-- TO ENABLE: You'd need to specify "applicationId" as "testshib" in -->
<!-- your mod_shib settings, e.g. -->
<!--   <Location /> -->
<!--     ... -->
<!--     ShibRequestSetting applicationId testshib -->
<!--   </Location> -->
<ApplicationOverride id="testshib" entityID="http://mydspace.edu/shibboleth" REMOTE_USER="principal-id">
  <!-- We'll use a TEST IdP, hosted by the awesome http://www.testshib.org/ testing service. -->
  <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
  <!-- handlerSSL="true" keeps the SP handler URLs (/Shibboleth.sso/...) on HTTPS; leave it on in production. -->
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
    <SSO entityID="https://idp.testshib.org/idp/shibboleth">
      SAML2 SAML1
    </SSO>
  </Sessions>
  <!-- Loads and trusts a metadata file that describes the IdP and how to communicate with it. -->
  <!-- By default, metadata is retrieved from the TEST IdP at http://www.testshib.org -->
  <!-- and is cached in a local file named "testshib-idp-metadata.xml". -->
  <!-- NOTE: this test feed is fetched over plain HTTP with no MetadataFilter, so the IdP signing keys -->
  <!-- the SP trusts are whatever the download returns. For a production IdP, verify the metadata -->
  <!-- (a MetadataFilter of type "Signature" with the federation's or IdP's signing certificate, -->
  <!-- or at minimum an HTTPS uri) so that a spoofed metadata file cannot introduce a rogue IdP key. -->
  <!-- See also: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider -->
  <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
                    backingFilePath="testshib-idp-metadata.xml" reloadInterval="180000"/>
</ApplicationOverride>
```
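The two configurations above have to agree with each other (the `applicationId` named in Apache must match an `<ApplicationOverride id>` in shibboleth2.xml) and each carries a setting the text flags as risky (`ShibUseHeaders On`, unsigned metadata fetched over plain HTTP). The following script is an added example, not DSpace or Shibboleth project code: it lints abbreviated, constructed copies of both files for exactly those points. The directive and attribute names it looks for are the real mod_shib / shibboleth2.xml ones; the sample inputs, the finding messages and the `lint`/`apache_settings` function names are this example's own.

```python
"""Cross-check a mod_shib Apache snippet against a shibboleth2.xml ApplicationOverride.

Added example (not DSpace/Shibboleth code). Flags the settings discussed on this page:
ShibUseHeaders On, an applicationId with no matching ApplicationOverride, handlerSSL
not true, and IdP metadata pulled over plain HTTP with no Signature MetadataFilter.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Location> blocks from the Apache config above, with the
# applicationId line uncommented so the two files can be cross-checked.
APACHE_CONF = """
<Location />
  AuthType shibboleth
  ShibRequireSession Off
  require shibboleth
  ShibRequestSetting applicationId testshib
</Location>
<Location "/shibboleth-login">
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>
"""

# Constructed sample: the page's ApplicationOverride, wrapped in a minimal SPConfig root.
SHIB2_XML = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationOverride id="testshib" entityID="http://mydspace.edu/shibboleth" REMOTE_USER="principal-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
                      backingFilePath="testshib-idp-metadata.xml" reloadInterval="180000"/>
  </ApplicationOverride>
</SPConfig>
"""

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}
# One directive per line; ShibRequestSetting carries a sub-key (e.g. "applicationId testshib").
DIRECTIVE = re.compile(r"^\s*(ShibUseHeaders|ShibRequestSetting|ShibRequireSession)\s+(.*?)\s*$", re.M | re.I)


def apache_settings(conf):
    """Map directive name -> list of values, e.g. {'ShibUseHeaders': ['On'], 'applicationId': ['testshib']}."""
    found = {}
    for name, value in DIRECTIVE.findall(conf):
        if name.lower() == "shibrequestsetting":
            name, _, value = value.partition(" ")   # keep the setting name, not the directive
        found.setdefault(name, []).append(value.strip())
    return found


def lint(apache_conf, shib2_xml):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    findings = []
    settings = apache_settings(apache_conf)
    root = ET.fromstring(shib2_xml)
    overrides = {o.get("id"): o for o in root.iterfind(".//sp:ApplicationOverride", NS)}

    if any(v.lower() == "on" for v in settings.get("ShibUseHeaders", [])):
        findings.append(("warn", "ShibUseHeaders On: attributes travel as request headers, which a "
                                 "client can forge on any path that reaches Tomcat without passing "
                                 "mod_shib; prefer Off (environment variables)."))
    for app_id in settings.get("applicationId", []):
        if app_id not in overrides:
            findings.append(("error", f"applicationId '{app_id}' has no matching <ApplicationOverride id>"))

    for app_id, override in overrides.items():
        sessions = override.find("sp:Sessions", NS)
        if sessions is not None and sessions.get("handlerSSL", "true").lower() != "true":
            findings.append(("warn", f"{app_id}: handlerSSL is not true; handler URLs may be served over HTTP"))
        for provider in override.iterfind("sp:MetadataProvider", NS):
            uri = provider.get("uri", "")
            signed = provider.find("sp:MetadataFilter[@type='Signature']", NS) is not None
            if uri.startswith("http://") and not signed:
                findings.append(("warn", f"{app_id}: metadata {uri} is fetched over plain HTTP with no "
                                         "Signature MetadataFilter; the IdP keys you trust are unauthenticated"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(APACHE_CONF, SHIB2_XML):
        print(f"[{severity}] {message}")
```

Run against the page's own samples it reports two warnings (the header delivery mode and the unsigned HTTP metadata) and no errors, because the `testshib` id is consistent between the files. Flipping `ShibUseHeaders` to `Off` and the metadata `uri` to `https://` (or adding a Signature `MetadataFilter`) silences both.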
DSpace Shibboleth Configuration Options
...