Revision d189d11c
b/docs/admin-guide.rst | ||
---|---|---|
241 | 241 |
may actually be stored in a longer-term logfile |
242 | 242 |
|
243 | 243 |
|
244 |
.. _shibboleth-auth: |
|
245 |
|
|
246 |
Authentication using Shibboleth |
|
247 |
=============================== |
|
248 |
|
|
249 |
Astakos can delegate user authentication to a Shibboleth federation. |
|
250 |
|
|
251 |
To setup shibboleth, install package:: |
|
252 |
|
|
253 |
apt-get install libapache2-mod-shib2 |
|
254 |
|
|
255 |
Change appropriately the configuration files in ``/etc/shibboleth``. |
|
256 |
|
|
257 |
Add in ``/etc/apache2/sites-available/synnefo-ssl``:: |
|
258 |
|
|
259 |
ShibConfig /etc/shibboleth/shibboleth2.xml |
|
260 |
Alias /shibboleth-sp /usr/share/shibboleth |
|
261 |
|
|
262 |
<Location /im/login/shibboleth> |
|
263 |
AuthType shibboleth |
|
264 |
ShibRequireSession On |
|
265 |
ShibUseHeaders On |
|
266 |
require valid-user |
|
267 |
</Location> |
|
268 |
|
|
269 |
and before the line containing:: |
|
270 |
|
|
271 |
ProxyPass / http://localhost:8080/ retry=0 |
|
272 |
|
|
273 |
add:: |
|
274 |
|
|
275 |
ProxyPass /Shibboleth.sso ! |
|
276 |
|
|
277 |
Then, enable the shibboleth module:: |
|
278 |
|
|
279 |
a2enmod shib2 |
|
280 |
|
|
281 |
After passing through the apache module, the following tokens should be |
|
282 |
available at the destination:: |
|
283 |
|
|
284 |
eppn # eduPersonPrincipalName |
|
285 |
Shib-InetOrgPerson-givenName |
|
286 |
Shib-Person-surname |
|
287 |
Shib-Person-commonName |
|
288 |
Shib-InetOrgPerson-displayName |
|
289 |
Shib-EP-Affiliation |
|
290 |
Shib-Session-ID |
|
291 |
|
|
292 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES`` list. The variable resides |
|
293 |
inside the file ``/etc/synnefo/20-snf-astakos-app-settings.conf`` |
|
294 |
|
|
295 |
|
|
244 | 296 |
Scaling up to multiple nodes |
245 | 297 |
============================ |
246 | 298 |
|
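Review bot: In the added ``<Location /im/login/shibboleth>`` block, ``ShibUseHeaders On`` hands ``eppn`` and the other listed tokens to Astakos as HTTP request headers over ``ProxyPass / http://localhost:8080/``, but the section never says that the backend may trust those headers only on requests that came through Apache. Suggest adding a sentence that the service on ``localhost:8080`` must not be reachable other than through this virtual host, because any client that reaches it directly can supply ``eppn`` itself. Smaller points for the same hunk: "Change appropriately the configuration files" should say that the token names listed further down come from the attribute mapping under ``/etc/shibboleth``, the ``a2enmod shib2`` step should mention restarting Apache, and the last sentence (ending in ``20-snf-astakos-app-settings.conf``) is missing its full stop.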
b/docs/quick-install-admin-guide.rst | ||
---|---|---|
534 | 534 |
For the ``ASTAKOS_RECAPTCHA_PUBLIC_KEY`` and ``ASTAKOS_RECAPTCHA_PRIVATE_KEY`` |
535 | 535 |
go to https://www.google.com/recaptcha/admin/create and create your own pair. |
536 | 536 |
|
537 |
Shibboleth Setup |
|
538 |
---------------- |
|
539 |
Optionally, Astakos can delegate user authentication to a Shibboleth federation. |
|
540 |
|
|
541 |
To setup shibboleth, install package:: |
|
542 |
|
|
543 |
apt-get install libapache2-mod-shib2 |
|
544 |
|
|
545 |
Change appropriately the configuration files in ``/etc/shibboleth``. |
|
546 |
|
|
547 |
Add in ``/etc/apache2/sites-available/synnefo-ssl``:: |
|
548 |
|
|
549 |
ShibConfig /etc/shibboleth/shibboleth2.xml |
|
550 |
Alias /shibboleth-sp /usr/share/shibboleth |
|
551 |
|
|
552 |
<Location /im/login/shibboleth> |
|
553 |
AuthType shibboleth |
|
554 |
ShibRequireSession On |
|
555 |
ShibUseHeaders On |
|
556 |
require valid-user |
|
557 |
</Location> |
|
558 |
|
|
559 |
and before the line containing:: |
|
560 |
|
|
561 |
ProxyPass / http://localhost:8080/ retry=0 |
|
562 |
|
|
563 |
add:: |
|
564 |
|
|
565 |
ProxyPass /Shibboleth.sso ! |
|
566 |
|
|
567 |
Then, enable the shibboleth module:: |
|
568 |
|
|
569 |
a2enmod shib2 |
|
570 |
|
|
571 |
After passing through the apache module, the following tokens should be available at the destination:: |
|
572 |
|
|
573 |
eppn # eduPersonPrincipalName |
|
574 |
Shib-InetOrgPerson-givenName |
|
575 |
Shib-Person-surname |
|
576 |
Shib-Person-commonName |
|
577 |
Shib-InetOrgPerson-displayName |
|
578 |
Shib-EP-Affiliation |
|
579 |
Shib-Session-ID |
|
580 |
|
|
581 |
Finally, add 'shibboleth' in ``ASTAKOS_IM_MODULES``. |
|
537 |
If you are an advanced user and want to use the Shibboleth Authentication method, |
|
538 |
read the relative :ref:`section <shibboleth-auth>`. |
|
582 | 539 |
|
583 | 540 |
Servers Initialization |
584 | 541 |
---------------------- |
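Review bot: The two replacement lines ("If you are an advanced user ... read the relative :ref:`section <shibboleth-auth>`.") read awkwardly and give the link an uninformative title: "relative" should be "relevant", and the ``:ref:`` text should name its target, e.g. "Authentication using Shibboleth in the admin guide", so readers know they are leaving the quick install guide. With the "Shibboleth Setup" heading removed, this paragraph now sits directly under the reCAPTCHA key instructions with nothing to set it apart; consider keeping a short heading or moving the pointer to where the optional Astakos settings are introduced. The removed text also said the step is optional ("Optionally, Astakos can delegate ..."), which the new wording only implies through "advanced user".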