Shibboleth: Difference between revisions

From ULYSSIS documentation
(Created page with "Shibboleth is the software powering the Central KU Leuven Login. It's a piece of software used by many universities to supply identification and access management. ULYSSIS w...")
 
No edit summary
Line 23: Line 23:
All of these will be available as HTTP headers. But keep in mind that apache might prefix those with REDIRECT_ multiple times (for example when mod_rewrite is used). For an overview of all attributes you can check out http://shib.kuleuven.be/secure/allAttributes
All of these will be available as HTTP headers. But keep in mind that apache might prefix those with REDIRECT_ multiple times (for example when mod_rewrite is used). For an overview of all attributes you can check out http://shib.kuleuven.be/secure/allAttributes


More general information on the KU Leuvens implementation can be found on http://shib.kuleuven.be/ . But be aware of the fact that some of the documentation is very outdated (some of it is about shib 1.3, while we now use shib 2.x)
More general information on the KU Leuvens implementation can be found on http://shib.kuleuven.be/ . But be aware of the fact that some of the documentation is very outdated (Most notably information about shib 1.3)
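Review bot: the new parenthetical in the last changed line drops "while we now use shib 2.x", so readers can no longer tell which version is deployed and which documentation still applies. Consider keeping both facts, for example "(most notably the information about shib 1.3, while we now use shib 2.x)". "Most" should also be lower-case inside the parenthesis, and "KU Leuvens" is missing its apostrophe in both the old and the new line.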

Revision as of 03:02, 9 July 2014

Shibboleth is the software powering the Central KU Leuven Login. It's a piece of software used by many universities to supply identification and access management.

ULYSSIS works together with ICTS to supply limited access to Shibboleth. However, we can only supply Shibboleth to those approved by ICTS. In practice all faculty unions will be granted access if they can prove they have the technical ability to use Shibboleth in a safe and privacy-friendly way. For other organisations it can be more difficult to get access, so it is best to write an extensive explanation of what you plan to do with Shibboleth, why your organisation requires it, what your organisation does, and other relevant information. We will then contact ICTS with your request.

Deploying Shibboleth

After you have been granted access you can soon start using Shibboleth.

The first step is to add the following lines to your .htaccess:

ShibDisable Off
AuthType Shibboleth
require shibboleth
ShibRequireSession off

We disable certain features of Shibboleth here because they would otherwise interfere with any other HTTP authentication options you might be using.

Now that you have added these lines to .htaccess, your site can serve requests to Shibboleth.sso. If your request is well-formed, the SSO handler will handle communication with the IdP (identity provider) of the KU Leuven. A login link has the following syntax:

https://[YOUR_HOSTNAME]/Shibboleth.sso/WAYF/kuleuven?target=[URLENCODED_RETURN_URL]

And logout links:

https://[YOUR_HOSTNAME]/Shibboleth.sso/Logout?return=[URLENCODED_DISPLAY_URL]

It is important to note that on logout the user will stay on the KU Leuven's IdP page and your link will only be displayed there. The user will NOT be redirected (even though this is the normal behaviour according to the Shibboleth documentation).

As soon as a user is logged in, their attributes will be available to your application. Attributes are properties of an account that supply further information about it. Some examples are: first name, last name, mail, student id. All of these will be available as HTTP headers. Keep in mind that Apache might prefix them with REDIRECT_ multiple times (for example when mod_rewrite is used). For an overview of all attributes you can check out http://shib.kuleuven.be/secure/allAttributes
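The link syntax and the REDIRECT_ prefix handling described above, as an added Python example (not ULYSSIS or KU Leuven code). It assumes the attributes reach the application as a mapping of server variables (for example a CGI or WSGI environment); the attribute key `mail`, the hostname `union.example.org` and the same-host check on return URLs are assumptions, and the sample variables are constructed.

```python
from urllib.parse import quote, urlsplit

PREFIX = "REDIRECT_"

# Constructed sample of server variables after two internal redirects.
# The key "mail" is an assumed attribute name; check the attribute overview.
SAMPLE = {"REDIRECT_REDIRECT_mail": "jan@example.org", "REDIRECT_STATUS": "200"}


def _encode_own_url(hostname, url):
    """Added check (assumption): accept only https URLs on our own host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != hostname.lower():
        raise ValueError(f"refusing URL outside https://{hostname}/")
    return quote(url, safe="")  # percent-encode every reserved character


def login_url(hostname, return_url):
    target = _encode_own_url(hostname, return_url)
    return f"https://{hostname}/Shibboleth.sso/WAYF/kuleuven?target={target}"


def logout_url(hostname, display_url):
    shown = _encode_own_url(hostname, display_url)
    return f"https://{hostname}/Shibboleth.sso/Logout?return={shown}"


def shib_attribute(variables, name):
    """Find `name` under any number of REDIRECT_ prefixes; fail on conflicts."""
    values = set()
    for key, value in variables.items():
        while key.startswith(PREFIX):
            key = key[len(PREFIX):]
        if key == name and value:
            values.add(value)
    if len(values) > 1:
        raise ValueError(f"conflicting values for attribute {name!r}")
    return values.pop() if values else None


if __name__ == "__main__":
    host = "union.example.org"  # placeholder hostname
    print(login_url(host, f"https://{host}/members?tab=1"))
    print(logout_url(host, f"https://{host}/bye"))
    print(shib_attribute(SAMPLE, "mail"))
```

Raising on conflicting values keeps the application from picking one of two different identities when the same attribute appears under several prefixes.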

More general information on the KU Leuven's implementation can be found on http://shib.kuleuven.be/ . Be aware that some of the documentation is very outdated (most notably the information about shib 1.3).