Revision b8603e8a docs/admin-guide.rst
| b/docs/admin-guide.rst | ||
|---|---|---|
| 89 | 89 |
Shib-EP-Affiliation |
| 90 | 90 |
Shib-Session-ID |
| 91 | 91 |
|
| 92 |
Astakos keeps a map of shibboleth users using the value of the ``REMOTE_USER`` |
|
| 93 |
header, passed by the ``mod_shib2`` module. This happens in order to be able to |
|
| 94 |
identify the astakos account the shibboleth user is associated to, every time |
|
| 95 |
the user logs in from an affiliate shibboleth IdP. |
|
| 96 |
|
|
| 97 |
The shibboleth attribute which gets mapped to the ``REMOTE_USER`` header can be |
|
| 98 |
changed in ``/etc/shibboleth/shibboleth2.xml`` configuration file. |
|
| 99 |
|
|
| 100 |
.. code-block:: xml |
|
| 101 |
|
|
| 102 |
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> |
|
| 103 |
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" |
|
| 104 |
REMOTE_USER="eppn persistent-id targeted-id"> |
|
| 105 |
|
|
| 106 |
.. warning:: |
|
| 107 |
|
|
| 108 |
Changing ``mod_shib2`` ``REMOTE_USER`` to map to different shibboleth |
|
| 109 |
attributes will probably invalidate any existing shibboleth enabled users in |
|
| 110 |
astakos database. Those users won't be able to login to their existing accounts. |
|
| 111 |
|
|
| 112 |
|
|
| 92 | 113 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES`` list. The variable resides |
| 93 | 114 |
inside the file ``/etc/synnefo/20-snf-astakos-app-settings.conf`` |
| 94 | 115 |
|
Also available in: Unified diff