Shibboleth For Plone

Updated as of June 25th, 2010

UCLA Shibboleth 2.1+ Guides:

Installation guide

Configuration guide

Follow up with installation of WebServerAuth: http://plone.org/products/webserverauth

Does “(null)” show up instead of the login name in Plone when all is said and done?

Head over to your Apache SSL configuration (/etc/httpd/conf.d/ssl.conf) and change your RequestHeader setting for X_REMOTE_USER to use the Shibboleth attribute you want:

RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e
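As an added illustration (not from the original page or its attachments), here is a minimal vhost fragment showing where that RequestHeader line belongs and how to keep a client-supplied X_REMOTE_USER from ever reaching Plone; the /secure path and the use of environment-variable export (the Shibboleth 2.x default, no ShibUseHeaders) are assumptions:

```apache
# Constructed example. Assumes attributes are exported as environment
# variables (Shibboleth 2.x default) and that /secure is the Plone path
# proxied to Zope.

# Unauthenticated paths: drop any X_REMOTE_USER the client sent so the
# backend never sees a value Shibboleth did not set. This block must come
# BEFORE <Location /secure>, because Location sections merge in file order
# and mod_headers runs the merged directives in that order (unset, then set).
<Location />
    RequestHeader unset X_REMOTE_USER
</Location>

<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user

    # "set" replaces the header if one exists, so Plone only ever receives
    # the SHIBUCLALOGONID value from the Shibboleth session.
    # ("append"/"add" would leave a client-supplied value in place.)
    RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e
</Location>
```

If the header still reads "(null)" after this, the attribute id is not being released or mapped; check shibd.log at DEBUG for the attribute name the IdP actually sends.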

The most up to date instructions for the Shibboleth plug-ins for Plone are available from Ithaka.org:

http://tid.ithaka.org/shibplone.pdf

Here are older ones

Thanks to Alan Brenner for creating these plug-ins and all the help.
http://tid.ithaka.org/software

Thanks to Datta Mahabalagiri at UCLA AIS

All my paths to files are for OS X

Please connect your Service Provider to www.testshib.org to make sure your installation is solid before connecting to UCLA

native.logger and shibd.logger should be set to DEBUG instead of INFO

Native Logger
Shibd Logger

They are located here:

/opt/shibboleth-sp/etc/shibboleth/shibd.logger
/opt/shibboleth-sp/etc/shibboleth/native.logger

…for the log files located here

/opt/shibboleth-sp/var/log/httpd/native.log
/opt/shibboleth-sp/var/log/shibboleth/shibd.log

Check that you have the correct Attribute Acceptance Policy for the UCLA Identity Provider
/opt/shibboleth-sp/etc/shibboleth/AAP.xml

AAP.xml

Verify you have the correct metadata for the UCLA Identity Provider
/opt/shibboleth-sp/etc/shibboleth/ucla-metadata.xml

UCLA Metadata

Mine is in the md namespace.

Set up your shibboleth.xml like so:
shibboleth.xml

Here is my example vhost from my httpd.conf; it isn’t that pretty.

vhost.conf

Or check out what Alan Brenner did:

Alan’s Vhost

Make sure your Service Provider is receiving attributes correctly, through a simple phpinfo() page or this page that displays Shibboleth attributes:

Here is mine
https://test.psych.ucla.edu/secure/

Here is the code I found on Google:
Check Attributes Page

First Install

ApachePAS plugin
http://plone.org/products/apachepas

Then Install the Shib Plugins

AutoUserMakerPASPlugin
ShibbolethLogin
ShibbolethPermissions

from here

http://tid.ithaka.org/software

Configure AutoUserMakerPASPlugin in the ZMI at /psych/acl_users/AutoUserMakerPASPlugin to look like this:
http://www.psych.ucla.edu/shibfiles/autouserconf.jpg

I’m only using the first two, HTTP_REMOTE_USER1 and HTTP_SHIB_DISPLAYNAME; you can ignore the rest of the “User Setup Headers”.

Make sure you put whatever “User Setup Headers” you are using down below in the “User Mapping Headers” as well.

Configure ShibbolethLogin at /psych/acl_users/ShibbolethLogin to look like this:
http://www.psych.ucla.edu/shibfiles/shibloginconf.jpg

When you log in to your site, select the “Log in with a UCLA user id” link.

That’s it. Kinda rough.

I don’t have a logout function yet.

I haven’t gotten around to using ShibbolethPermissions yet but maybe this might get you going:
http://tid.ithaka.org/software/shibbolethpermissions/

Gotchas

“Session Creation Failure” errors were caused by having the wrong SessionInitiator in my shibboleth.xml.

“Rejected Replayed Assertion ID” errors were caused by an incorrect Host and Path in the RequestMapProvider.

Good Luck