
Showing posts from July, 2012

Shibboleth SP part 4 (MediaWiki Configuration)

Integrating Shibboleth login with MediaWiki

Installation

This extension will not create a new user if the user does not exist: the MediaWiki user must be created first before they can log in using Shibboleth. If the user does not exist, MediaWiki will report an error after the user has authenticated with Shibboleth.

Create the file ShibAuthPlugin.php in the MediaWiki extensions directory and put in it the code from this link. Create the file wiki_login.php in the MediaWiki root directory, put in it the code from this link, and add header("Location: /Shibboleth.sso/Logout"); so that the code looks like the following:

if(isset($_REQUEST['logout'])) {
    $obj_user = new User();
    $obj_user->logout();
    header("Location: /Shibboleth.sso/Logout");
}

For MediaWiki versions lower than 1.13, change this directive in both files: specials/SpecialUserlogin.php to SpecialUserlogin.php, and in the file ShibAuthPlugin.php change this line: ShibUserLoadFromSession($user, true ); t...

Shibboleth SP part 3 (Moodle & Wordpress Configuration)

Integrating Shibboleth login with Moodle

Installation

In Moodle, the Shibboleth plugin is already installed; we only need to activate it. To use this plugin, the authentication method of the existing users must be changed to shibboleth, otherwise they won't be able to log in using Shibboleth. This can be done by modifying the value directly in the database for all existing users. For this reason, we must disable login via any other authentication method such as LDAP, because Moodle cannot check the user against another authentication method after a failed Shibboleth login. This plugin will import a new user from Shibboleth when the user does not exist in the Moodle database.

Configuration

Go to Settings -> Site Administration -> Plugins -> Authentication -> Manage Authentication. Click on the eye icon to activate it. To make Shibboleth the only way to log in, set the value of Alternate login URL to http://DOMAIN_NAME/auth/shibboleth/index.php. To make Shibboleth an alternat...

Shibboleth SP part 2 (Typo3 Configuration)

Integrating Shibboleth login with Typo3

Extension installation

Go to the extension manager and install the Shibboleth Authentication (shibboleth_auth) extension. The extension is not loaded automatically; you must set the extension configuration first. For frontend login, this extension can automatically import user information from the Shibboleth IdP, but not for backend login. This extension will not fall through to another authentication mechanism (e.g. LDAP or Typo3 login) if the user is not found in the Shibboleth IdP, but it can be enabled alongside another authentication mechanism as long as they serve different functions (e.g. Shibboleth handles the frontend login and LDAP handles the backend login). In this example, we only configure Shibboleth for frontend login.

Extension configuration

Open the extension configuration and check Frontend and Auto Import to enable frontend login and import user information from Shibboleth. In the Others section: define the storage Pid. This value is based on th...

Shibboleth SP part 1 (Installation)

SP Installation

On Debian 6, installation of the Shibboleth SP can be done using these steps:

apt-get update
apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas

Enable the Shibboleth SP module:

a2enmod shib2

and restart Apache.

SP Configuration

Apache module

Add the following entry to the file /etc/apache2/mods-enabled/shib2.conf:

ShibConfig /etc/shibboleth/shibboleth2.xml

# Used for example logo and style sheet in error templates.
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
</IfModule>

<Files *.sso>
  SetHandler shib-handler
</Files>

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

To be able to connect over LDAPS, Shibboleth must already have the LDAP SSL certificate. To do so, get the LDAP SSL certificate from the administrator or export it from another server which already has the certificate. To export:

keytool -export -keystore /etc/java-1.5.0-sun/security/cacerts -alias ldap -file ldap.cer

To import it into the new Shibboleth IdP, we must import it into the current Java keystore file:

keytool -import -trustcacerts -alias "ldap" -file ldap.cer -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts

login.config

Edit IDP_HOME/conf/login.config:

edu.vt.middleware.ldap.jaas.LdapLoginModule required
  host="ldap.example.com"
  port="636"
  ssl="true"
  base="ou=users,o=myorg"
  serviceCredential="PASSWORD"
  serviceUser="cn=ldap_proxy,ou=misc,o=myorg"
  subtreeSearch=true
  userField="cn"

Mapping Kerberos principal to existing eDirectory user

To create a Kerberos principal for an existing eDirectory user, we need to export the user data from LDAP using the tool from http://ldapwiki.willeke.com/wiki/DumpEdirectoryPasswordInformationTool . This tool should be executed as an LDAP user which has permission to see the universal password. Example:

java -jar DumpPasswordInformation.jar -h ldap.company.com -Z SSL -p 636 -D cn=admin,o=novell -w adminpassword -dvAL -b "ou=people,o=novell"

The tool will write its output to the file dumppasswordinformation.ldif. The following script will read from the above LDIF file and map the existing user to the Kerberos principal. This script uses a keytab for the admin/admin Kerberos principal with the filename admin.keytab

Single Sign On (SSO) with Novell Client and Shibboleth

Server requirements: Novell eDirectory + LDAP, Kerberos server, Shibboleth IdP with Kerberos Auth Plugin.
Client requirements: Kerberos client, Novell Client, Mozilla Firefox (tested browser).
Tested structure: SSO Structure