Revision b8603e8a docs/admin-guide.rst
b/docs/admin-guide.rst | ||
---|---|---|
89 | 89 |
Shib-EP-Affiliation |
90 | 90 |
Shib-Session-ID |
91 | 91 |
|
92 |
Astakos keeps a map of shibboleth users using the value of the ``REMOTE_USER`` |
|
93 |
header, passed by the ``mod_shib2`` module. This happens in order to be able to |
|
94 |
identify the astakos account the shibboleth user is associated to, every time |
|
95 |
the user logs in from an affiliate shibboleth IdP. |
|
96 |
|
|
97 |
The shibboleth attribute which gets mapped to the ``REMOTE_USER`` header can be |
|
98 |
changed in ``/etc/shibboleth/shibboleth2.xml`` configuration file. |
|
99 |
|
|
100 |
.. code-block:: xml |
|
101 |
|
|
102 |
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
|
103 |
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" |
|
104 |
REMOTE_USER="eppn persistent-id targeted-id"> |
|
105 |
|
|
106 |
.. warning:: |
|
107 |
|
|
108 |
Changing ``mod_shib2`` ``REMOTE_USER`` to map to different shibboleth |
|
109 |
attributes will probably invalidate any existing shibboleth enabled users in |
|
110 |
astakos database. Those users won't be able to login to their existing accounts. |
|
111 |
|
|
112 |
|
|
92 | 113 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES`` list. The variable resides |
93 | 114 |
inside the file ``/etc/synnefo/20-snf-astakos-app-settings.conf`` |
94 | 115 |
|
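Review bot: The example at new lines 103-104 sets REMOTE_USER="eppn persistent-id targeted-id", but the paragraph at new lines 97-98 never says how a list of three attributes becomes the single value Astakos keys its user map on. The warning at 108-110 says that changing this mapping leaves existing users unable to log in to their accounts, so please add a sentence explaining how the list is evaluated (order of preference, and what happens when an IdP releases only some of the attributes), and advise admins to settle the mapping before the first shibboleth user is enrolled. The warning would also be more useful if it replaced "will probably invalidate" with a definite statement and said whether affected accounts can be recovered. Minor: line 98 is missing an article ("in the /etc/shibboleth/shibboleth2.xml configuration file"), and the XML excerpt leaves the ApplicationDefaults element open with nothing marking it as a fragment.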