Hi Lanxin,

yes, the SP part should be installed on the same server as Invenio, using Apache mod_shib (enabled as described in the previous email).

In Shibboleth what usually happens is that the user wishing to authenticate visits a URL of your service that is under the control of Shibboleth via mod_shib. If this is the first time he authenticates to the IdP, he will be redirected to the central login, will authenticate, and will receive a big cookie which contains a signed ticket containing (if I am not mistaken) all the credentials and details of the user. When the user is redirected back to the URL under the control of Shibboleth and Invenio, mod_shib will load all the user details into the environment variables of the Apache process, which external_authentication_sso will be able to consume. (In practice it is slightly more complex than this, but that's basically what happens behind the scenes.)

Unfortunately I cannot tell you much more, as in my case I was responsible for deploying only the SP part for Invenio at CERN (the IdP was already configured), and I basically followed already existing information specific to the CERN configuration on SLC5. See also here:

<http://linux.web.cern.ch/linux/scientific5/docs/shibboleth.shtml>

Again this is very CERN specific, so you have to see what differs in the configuration of your local IdP.

Good luck!
Samuele

--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>

________________________________________
From: Lanxin Ma
Sent: Thursday, 15 December 2011 10:28
To: Samuele Kaplun
Cc: project-invenio-general (Invenio users); project-invenio-devel (Invenio developers mailing-list)
Subject: RE: integrate Invenio with a single sign-on system

Dear Samuele,

Thank you for your detailed explanation. I am quite new to this. I read your mail and the twiki page, but I do not understand them quickly and correctly. So, I have the following questions.

Should I install Shibboleth SP and Invenio on the same host? I mean, should we run the Shibboleth SP daemon and run Invenio on the same host?

How and where does the actual authentication module external_authentication_sso.py get username, password, group...? From the SSO cookie? From the database?

Thank you!!

Best regards,
Lanxin

________________________________________
From: Samuele Kaplun
Sent: 13 December 2011 15:04
To: Lanxin Ma
Cc: project-invenio-general (Invenio users); project-invenio-devel (Invenio developers mailing-list)
Subject: Re: integrate Invenio with a single sign-on system

Dear Lanxin,

On Tuesday, 13 December 2011 08:12:34, Lanxin Ma wrote:
> I have just set up an Invenio 1.0.0-rc0 server at IHEP, Beijing.
> Now, we are trying to integrate my Invenio server with a web single sign-on
> system named Shibboleth to authenticate users. I have set up an SP and an
> IdP against LDAP. It seems that CERN has already integrated Invenio with a
> single sign-on system (Shibboleth?). How do you integrate them? Does any
> body have experience with this?

indeed Invenio supports Shibboleth out of the box, although its integration has been carried out based on the specific CERN configuration. I am not sure how this can be applied to other Shibboleth configurations. That said, in order to profit from it you should carefully set certain config variables and other bits. Namely:

* Update the file access_control_config.py. You will see that there is a section like the following:

    [...]
    if CFG_CERN_SITE:
        import external_authentication_sso as ea_sso
        CFG_EXTERNAL_AUTH_USING_SSO = "CERN"
        CFG_EXTERNAL_AUTH_DEFAULT = CFG_EXTERNAL_AUTH_USING_SSO
        CFG_EXTERNAL_AUTH_LOGOUT_SSO = 'https://login.cern.ch/adfs/ls/?wa=wsignout1.0'
        CFG_EXTERNAL_AUTHENTICATION = {
            CFG_EXTERNAL_AUTH_USING_SSO : ea_sso.ExternalAuthSSO(),
        }
    [...]

  These parameters should be set in a similar way for your installation, i.e. set in the very same file (maybe after the chain of if-elif-else, so that you are sure your variables are considered):

    [...]
    import external_authentication_sso as ea_sso  # needed here too when CFG_CERN_SITE is not set
    CFG_EXTERNAL_AUTH_USING_SSO = "IHEP"  # put whatever name makes sense to you
    CFG_EXTERNAL_AUTH_DEFAULT = CFG_EXTERNAL_AUTH_USING_SSO
    # This should be a central URL that the user is redirected to when logging out.
    # At CERN this URL is https://login.cern.ch/adfs/ls/?wa=wsignout1.0. When this URL
    # is visited by a user, the HTML within it loads one icon per web application
    # using SSO (e.g. for us it will load by default the icon from the path
    # /shibboleth-sp/wsignout.gif).
    CFG_EXTERNAL_AUTH_LOGOUT_SSO = "logout.example.org"
    CFG_EXTERNAL_AUTHENTICATION = {
        CFG_EXTERNAL_AUTH_USING_SSO : ea_sso.ExternalAuthSSO(),
    }
    [...]

* The actual authentication happens in the module external_authentication_sso.py. In particular you might wish to customize it and change the different hardcoded CFG_ variables, namely:

  - CFG_EXTERNAL_AUTH_HIDDEN_SETTINGS, to declare certain settings as hidden (to the user);
  - CFG_EXTERNAL_AUTH_HIDDEN_GROUPS, in case you have something similar to our e-groups and you want to filter out some unneeded e-groups;

  and mainly:

  - CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME,
  - CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE,
  - CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE,
  - CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE,
  - CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR,

  to tune the parsing of the variables provided by Shibboleth (based on /etc/shibboleth/ADFS-metadata.xml if you are using Shibboleth 2.x).

* Note as well that you have to adapt the Apache configuration generated by inveniocfg by adding in the SSL configuration:

    [...]
    ### Shibboleth SSO ###
    <IfModule mod_alias.c>
        <Location /shibboleth-sp>
            Allow from all
        </Location>
        Redirect /shibboleth-sp/wsignout.gif https://yourinstallation.cern.ch/logout_SSO_hook
    </IfModule>
    ######################
    [...]

    <Directory /opt/invenio/var/www>
        ### Shibboleth SSO ###
        # The modules only work using HTTPS
        SSLRequireSSL
        AuthType shibboleth
        ShibRequireSession On
        ShibRequireAll On
        ShibExportAssertion Off
        Require valid-user
        ######################
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

  (Apache only treats "#" as a comment at the start of a line, so the HTTPS note has been put on its own line above SSLRequireSSL.)

Basically this is it, I think. You can also find some more information (although related to our specific configuration at CERN with SLC5 and Shibboleth 1.3) here:

<https://twiki.cern.ch/twiki/bin/view/CDS/InvenioShibbolethSSO>

Note that in the current GIT master branch (i.e. what will be available in the next release), the recommended Apache configuration is slightly different, but inveniocfg --create-apache-conf will help you create it.

Best regards,
Samuele

--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
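The step both mails describe, mod_shib exporting the user's attributes into the Apache environment and the SSO module parsing them with the CFG_EXTERNAL_AUTH_SSO_* settings, as an added illustration written for this page. It is not Invenio's external_authentication_sso.py and not CERN's configuration: the attribute names ADFS_LOGIN, ADFS_EMAIL and ADFS_GROUP, the "ADFS_" prefix, the ";" separator, the hidden-group list and the sample environment are all assumptions standing in for whatever your SP's attribute map actually exports. The practitioner's point it shows is that only variables under the configured prefix are trusted as identity attributes, and that an absent login attribute is treated as "no Shibboleth session" rather than silently mapped to some default user; the Apache block (ShibRequireSession On, Require valid-user) is what should normally prevent that case from reaching the application at all.

```python
"""Illustration (not Invenio's own code) of parsing the Shibboleth
attributes that mod_shib exports into the Apache environment.

All attribute names, the prefix, the separator and the sample
environment below are assumptions for the example; real values come
from your SP's attribute-map and the IdP metadata.
"""


# Settings mirroring the CFG_EXTERNAL_AUTH_SSO_* knobs named in the
# thread. The values are illustrative placeholders.
CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME = "ADFS_"
CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE = "ADFS_LOGIN"
CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE = "ADFS_EMAIL"
CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE = "ADFS_GROUP"
CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR = ";"
# Groups every user is in and that are useless for authorization
# (the "unneeded e-groups" of the mail), assumed names.
CFG_EXTERNAL_AUTH_HIDDEN_GROUPS = ("all-staff", "everyone")


class SSOSessionMissing(Exception):
    """Raised when the request carries no Shibboleth session attributes."""


def parse_sso_environ(environ):
    """Build a user record from the attributes mod_shib exported.

    `environ` is the CGI/WSGI environment the Apache process hands to the
    application. Only variables carrying the configured prefix are looked
    at, so unrelated variables (PATH, REMOTE_ADDR, ...) can never be
    mistaken for identity attributes.
    """
    prefix = CFG_EXTERNAL_AUTH_SSO_PREFIX_NAME
    attrs = {k: v for k, v in environ.items() if k.startswith(prefix)}

    login = attrs.get(CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE, "").strip()
    if not login:
        # ShibRequireSession On / Require valid-user should have sent the
        # user to the IdP before this point; an empty login means the
        # request is unauthenticated, never a fallback to a default user.
        raise SSOSessionMissing("no Shibboleth session attributes found")

    email = attrs.get(CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE, "").strip().lower()

    # Groups arrive as one separator-joined string; drop blanks, hidden
    # groups and duplicates while preserving the order the IdP sent.
    raw_groups = attrs.get(CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE, "")
    groups = []
    for group in raw_groups.split(CFG_EXTERNAL_AUTH_SSO_GROUPS_SEPARATOR):
        group = group.strip()
        if group and group not in CFG_EXTERNAL_AUTH_HIDDEN_GROUPS and group not in groups:
            groups.append(group)

    # Any other prefixed attribute is exposed as a user "setting"; a
    # CFG_EXTERNAL_AUTH_HIDDEN_SETTINGS-style filter would apply here.
    identity_vars = (
        CFG_EXTERNAL_AUTH_SSO_LOGIN_VARIABLE,
        CFG_EXTERNAL_AUTH_SSO_EMAIL_VARIABLE,
        CFG_EXTERNAL_AUTH_SSO_GROUP_VARIABLE,
    )
    settings = {k[len(prefix):].lower(): v for k, v in attrs.items()
                if k not in identity_vars}

    return {"login": login, "email": email, "groups": groups, "settings": settings}


# Constructed sample of what the Apache/mod_shib environment might look
# like after a successful SSO login. All values are invented.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTPS": "on",
    "ADFS_LOGIN": "lma",
    "ADFS_EMAIL": "Lanxin.Ma@example.org",
    "ADFS_GROUP": "ihep-library;everyone;ihep-library;all-staff;invenio-admins",
    "ADFS_DEPARTMENT": "IT",
}


if __name__ == "__main__":
    print(parse_sso_environ(SAMPLE_ENVIRON))
```

Running the block on the constructed environment yields login "lma", the lower-cased e-mail, the two non-hidden groups with the duplicate removed, and "department" as the only extra setting; the same function raises SSOSessionMissing on an environment without the prefixed attributes.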

