Monday, July 30, 2012

Shibboleth SP part 4 (MediaWiki Configuration)

Integrating Shibboleth login with Mediawiki

Installation

  • This extension will not create a new user if the user does not exist: the MediaWiki user must be created first before they can log in using Shibboleth. If the user does not exist, MediaWiki reports an error after the user has authenticated with Shibboleth.
  • Create the file ShibAuthPlugin.php in the MediaWiki extensions directory and put in the code from this link.
  • Create the file wiki_login.php in the MediaWiki root directory, put in the code from this link, and add header("Location: /Shibboleth.sso/Logout"); so that the logout branch looks like the following:
if (isset($_REQUEST['logout'])) {
    // End the MediaWiki session first...
    $obj_user = new User();
    $obj_user->logout();
    // ...then send the browser to the SP's logout handler so the Shibboleth
    // session is ended as well, not only the wiki session.
    header("Location: /Shibboleth.sso/Logout");
    exit; // nothing after a redirect should keep running
}
  • For MediaWiki versions lower than 1.13, change this path in both files:
specials/SpecialUserlogin.php to SpecialUserlogin.php
  • and in the file ShibAuthPlugin.php change this line:
ShibUserLoadFromSession($user, true); to ShibUserLoadFromSession($user, $result);

The line above is a hack for MediaWiki versions prior to 1.13; it works, but the browser must be refreshed after logging in via Shibboleth.

Shibboleth SP part 3 (Moodle & Wordpress Configuration)

Integrating Shibboleth login with Moodle

Installation

  • In Moodle, the Shibboleth plugin is already installed; we only need to activate it.
  • To use this plugin, the authentication method of the existing users must be changed to shibboleth; otherwise they will not be able to log in using Shibboleth. This can be done by modifying the value directly in the database for all existing users. Because of this, we must also disable login via other authentication methods such as LDAP, since Moodle cannot check the user against another authentication method after a failed Shibboleth login.
  • This plugin imports a new user from Shibboleth when the user does not exist in the Moodle database.

Configuration

  • Go to Settings -> Site Administration -> Plugins -> Authentication -> Manage Authentication.
    • Click on the eye icon to activate it.
    • To make Shibboleth the only way to login, set the value of Alternate login URL to http://DOMAIN_NAME/auth/shibboleth/index.php
    • To make Shibboleth an alternative way to login, put a link to http://DOMAIN_NAME/auth/shibboleth/index.php in the instructions input field
    • Click on the Shibboleth Settings
      • In the data mapping section, put the attribute names from the Shibboleth SP that we want to use.

Shibboleth SP part 2 (Typo3 Configuration)

Integrating Shibboleth login with Typo3

Extension installation

  • Go to the extension manager and install the Shibboleth Authentication (shibboleth_auth) extension. The extension is not loaded automatically; you must set the extension configuration first.
  • For frontend login, this extension can automatically import user information from the Shibboleth IdP, but it cannot do so for backend login.
  • This extension does not fall back to another authentication mechanism (e.g. LDAP or the TYPO3 login) if the user is not found in the Shibboleth IdP, but it can be enabled alongside another mechanism as long as each handles a different function (e.g. Shibboleth handles the frontend login and LDAP handles the backend login).
  • In this example, we only configure Shibboleth for frontend login.

Extension configuration

  • Open the extension configuration and check Frontend and Auto Import to enable frontend login and import user information from Shibboleth.
In the Others section:
  • Define the storage Pid. This value is the id of the folder where we store the Frontend Users.
  • Define the attribute names from Shibboleth.

Shibboleth SP part 1 (Installation)

SP Installation

  • On Debian 6, the Shibboleth SP can be installed with these steps:
apt-get update
apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas
  • Enable the Shibboleth SP module:
a2enmod shib2
and restart Apache.

SP Configuration

Apache module

  • Add the following entry to the file /etc/apache2/mods-enabled/shib2.conf
ShibConfig /etc/shibboleth/shibboleth2.xml

# Used for example logo and style sheet in error templates.
<IfModule mod_alias.c>

 <Location /shibboleth-sp>
   Allow from all
 </Location>

 Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
 Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg

</IfModule>

<Files *.sso>
   SetHandler shib-handler
</Files>

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

  • To be able to connect over LDAPS, the Shibboleth IdP must already have the LDAP server's SSL certificate in its trust store. To do so, get the certificate from the LDAP administrator or export it from another server that already has it.
To export it from that server's keystore:
keytool -export -keystore /etc/java-1.5.0-sun/security/cacerts -alias ldap -file ldap.cer
To import it into the new Shibboleth IdP, import it into the keystore of the Java runtime the IdP uses; keytool prints the certificate's fingerprint and asks for confirmation, so compare it with the one the administrator gave you before answering yes:
keytool -import -trustcacerts -alias "ldap" -file ldap.cer -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts

login.config

  • Edit IDP_HOME/conf/login.config and define the LDAP login module:
ShibUserPassAuth {
   // JAAS application name that the IdP 2.x UsernamePassword login handler uses by default
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.com"
      port="636"
      ssl="true"
      base="ou=users,o=myorg"
      // bind account used to look up the user; replace PASSWORD with its real credential
      serviceCredential="PASSWORD"
      serviceUser="cn=ldap_proxy,ou=misc,o=myorg"
      subtreeSearch="true"
      userField="cn";
};

Friday, July 20, 2012

Mapping Kerberos principal to existing eDirectory user


To create a Kerberos principal for an existing eDirectory user, we need to export the user data from LDAP using the tool from http://ldapwiki.willeke.com/wiki/DumpEdirectoryPasswordInformationTool. This tool should be run as an LDAP user that has permission to read the Universal Password.

Example:

java -jar DumpPasswordInformation.jar -h ldap.company.com -Z SSL -p 636 -D cn=admin,o=novell -w adminpassword -dvAL -b "ou=people,o=novell"

The tool writes its output to the file dumppasswordinformation.ldif.
The following script reads that LDIF file and maps each existing user to a Kerberos principal. The script uses the keytab of the admin/admin Kerberos principal, stored in the file admin.keytab.

Tuesday, July 10, 2012

Single Sign On (SSO) with Novell Client and Shibboleth


Server requirements:
  1. Novell eDirectory + LDAP.
  2. Kerberos Server.
  3. Shibboleth IDP with Kerberos Auth Plugin.

Client requirements:

  1. Kerberos Client.
  2. Novell Client.
  3. Mozilla Firefox. (Tested browser)

Tested structure:

[Figure: SSO Structure]