Dear Lanxin,
On Tuesday, 13 December 2011 08:12:34, Lanxin Ma wrote:
> I have just set up an Invenio 1.0.0-rc0 server in IHEP, Beijing.
> Now, we are trying to integrate my Invenio server with a web single sign-on
> system named Shibboleth to authenticate users. I have set up an SP and an
> IdP against LDAP. It seems that CERN has already integrated Invenio with a
> single sign-on system (Shibboleth?). How do you integrate them? Does
> anybody have experience on this?
Indeed Invenio supports Shibboleth out of the box, although its integration has
been carried out based on the specific CERN configuration. I am not sure how
this can be applied to other Shibboleth configurations.
That said, in order to profit from it you should carefully set certain config
variables and other bits. Namely:
* update the file access_control_config.py. You will see that there is a
section like the following:
[...]
if CFG_CERN_SITE:
    import external_authentication_sso as ea_sso
    CFG_EXTERNAL_AUTH_USING_SSO = "CERN"
    CFG_EXTERNAL_AUTH_DEFAULT = CFG_EXTERNAL_AUTH_USING_SSO
    CFG_EXTERNAL_AUTH_LOGOUT_SSO = 'https://login.cern.ch/adfs/ls/?wa=wsignout1.0'
    CFG_EXTERNAL_AUTHENTICATION = {
        CFG_EXTERNAL_AUTH_USING_SSO : ea_sso.ExternalAuthSSO(),
    }
[...]
These parameters should be set in a similar way for your installation. I.e. set
in the very same file (maybe after the chain of if-elif-else, so that you are
sure your variables are considered):
[...]
# the import lives inside the CFG_CERN_SITE branch above, so repeat it here
import external_authentication_sso as ea_sso
CFG_EXTERNAL_AUTH_USING_SSO = "IHEP"  # put whatever name makes sense to you
CFG_EXTERNAL_AUTH_DEFAULT = CFG_EXTERNAL_AUTH_USING_SSO
# This should be a central URL that the user is redirected to when logging
# out. At CERN this URL is https://login.cern.ch/adfs/ls/?wa=wsignout1.0.
# When this URL is visited by a user, the HTML within it loads one icon per
# web application using SSO (e.g. for us it will load by default the icon
# from the path /shibboleth-sp/wsignout.gif).
CFG_EXTERNAL_AUTH_LOGOUT_SSO = "logout.example.org"
CFG_EXTERNAL_AUTHENTICATION = {
    CFG_EXTERNAL_AUTH_USING_SSO : ea_sso.ExternalAuthSSO(),
}
[...]
The actual authentication happens in the module
external_authentication_sso.py.
In particular you might wish to customize it and change the different
hardcoded CFG_ variables, namely:
CFG_EXTERNAL_AUTH_HIDDEN_SETTINGS to declare certain settings as hidden (to
the user),
CFG_EXTERNAL_AUTH_HIDDEN_GROUPS in case you have something similar to our
e-groups, and you want to filter out some unneeded e-groups.
And mainly:
CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME, CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE,
CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE, CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE,
CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR
to tune the parsing of the variables provided by Shibboleth (based on
/etc/shibboleth/ADFS-metadata.xml if you are using Shibboleth 2.x).
Note as well that you have to adapt the Apache configuration generated by
inveniocfg by adding in the SSL configuration:
[...]
### Shibboleth SSO ###
<IfModule mod_alias.c>
    <Location /shibboleth-sp>
        Allow from all
    </Location>
    # the central SSO logout page loads this icon from every application;
    # redirect it to the local logout hook
    Redirect /shibboleth-sp/wsignout.gif https://yourinstallation.cern.ch/logout_SSO_hook
</IfModule>
######################
[...]
<Directory /opt/invenio/var/www>
    ### Shibboleth SSO ###
    # The modules only work using HTTPS (Apache does not allow comments on
    # the same line as a directive, so keep this one on its own line)
    SSLRequireSSL
    AuthType shibboleth
    ShibRequireSession On
    ShibRequireAll On
    ShibExportAssertion Off
    Require valid-user
    ######################
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
Basically this is it I think.
You can also find some more information (although related to our specific
configuration at CERN with SLC5 and Shibboleth 1.3) here:
<https://twiki.cern.ch/twiki/bin/view/CDS/InvenioShibbolethSSO>
Note that in the current GIT master branch (i.e. what will be available in the
next release), the recommended Apache configuration is slightly different, but
inveniocfg --create-apache-conf will help you create it.
Best regards,
Samuele
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
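The message above names the CFG_EXTERNAL_AUTH_SSO_* variables that tune how the attributes released by the Shibboleth SP are parsed (prefix, login, e-mail and group attribute names, group separator, hidden groups) but does not show what that parsing looks like. The following is an added example, not code from Invenio's external_authentication_sso.py and not from the thread's authors: a small attribute mapper in the spirit of those knobs. The attribute names, the "ADFS_" prefix, the hidden group and the sample environment are all assumptions constructed for the example. It reads only server variables (what mod_shib exports with header export disabled) and never the HTTP_-prefixed keys, because those come from request headers a client could supply itself.

```python
# Added example (not Invenio's own code): map the attributes a Shibboleth SP
# exports into the environment onto a user record, the job the
# CFG_EXTERNAL_AUTH_SSO_* variables from the e-mail configure.

# Assumed values for this example only, not CERN's or IHEP's settings.
CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME = "ADFS_"      # prefix of every SP attribute
CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE = "LOGIN"   # -> ADFS_LOGIN
CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE = "EMAIL"   # -> ADFS_EMAIL
CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE = "GROUP"   # -> ADFS_GROUP
CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR = ";"
# Groups every account carries that would only clutter the application's list.
CFG_EXTERNAL_AUTH_HIDDEN_GROUPS = frozenset(["Domain Users"])


class SSOError(Exception):
    """Raised when the SP did not deliver a usable session."""


def _sso_attribute(environ, name):
    """Read one SP-exported attribute as a stripped text value.

    With header export disabled the SP sets *server* variables, which reach
    the application as plain keys such as "ADFS_LOGIN". A key such as
    "HTTP_ADFS_LOGIN" would have come from a request header, i.e. from the
    client, so only the un-prefixed server variable is ever consulted.
    """
    key = CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME + name
    value = environ.get(key, "")
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return value.strip()


def fetch_sso_user(environ):
    """Build {"nickname", "email", "groups"} from the SP environment.

    Raises SSOError when there is no session or no login attribute, instead
    of silently creating an anonymous or half-populated account.
    """
    if not environ.get("REMOTE_USER"):
        # "ShibRequireSession On" should already make Apache refuse such a
        # request; the application checks again rather than trusting that.
        raise SSOError("no Shibboleth session (REMOTE_USER unset)")
    login = _sso_attribute(environ, CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE)
    if not login:
        raise SSOError("IdP released no login attribute")
    email = _sso_attribute(environ, CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE).lower()
    raw_groups = _sso_attribute(environ, CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE)
    groups = set()
    for group in raw_groups.split(CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR):
        group = group.strip()
        # drop empty fragments, duplicates and the hidden groups
        if group and group not in CFG_EXTERNAL_AUTH_HIDDEN_GROUPS:
            groups.add(group)
    return {"nickname": login, "email": email, "groups": sorted(groups)}


# Constructed sample of what the environment looks like after a successful
# login. The HTTP_ADFS_LOGIN entry simulates a header sent by the client and
# must have no effect on the result.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "jdoe@example.org",
    "ADFS_LOGIN": "jdoe",
    "ADFS_EMAIL": " JDoe@Example.org ",
    "ADFS_GROUP": "invenio-admins;Domain Users;;library-staff;invenio-admins",
    "HTTP_ADFS_LOGIN": "admin",
}

if __name__ == "__main__":
    print(fetch_sso_user(SAMPLE_ENVIRON))
```

When adapting this to a real deployment, the attribute ids on the right-hand side of the prefix must match the ids in the SP's attribute-map configuration, and the same check that ignores HTTP_-prefixed keys should be paired with the SP's own header-spoofing protection if header export is ever enabled.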