Shibboleth For Plone
Updated as of June 25th, 2010
UCLA Shibboleth 2.1+ Guides:
Follow up with installation of WebServerAuth: http://plone.org/products/webserverauth
Does “(null)” show up instead of the login name in Plone when all is said and done?
Head over to your Apache SSL configuration (/etc/httpd/conf.d/ssl.conf) and modify your RequestHeader setting of X_REMOTE_USER to utilize the Shibboleth attribute you desire:
RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e
The most up to date instructions for the Shibboleth plug-ins for Plone are available from Ithaka.org:
http://tid.ithaka.org/shibplone.pdf
Here are older ones
Thanks to Alan Brenner for creating these plug-ins and all the help.
http://tid.ithaka.org/software
Thanks to Datta Mahabalagiri at UCLA AIS
All my paths to files are for OS X
Please connect your Service Provider to www.testshib.org to make sure your installation is solid before connecting to UCLA
native.logger and shibd.logger should be set to DEBUG instead of INFO…
they are located here:
/opt/shibboleth-sp/etc/shibboleth/shibd.logger
/opt/shibboleth-sp/etc/shibboleth/native.logger
…for the log files located here:
/opt/shibboleth-sp/var/log/httpd/native.log
/opt/shibboleth-sp/var/log/shibboleth/shibd.log
Check that you have the correct Attribute Acceptance Policy for the UCLA Identity Provider
/opt/shibboleth-sp/etc/shibboleth/AAP.xml
Verify you have the correct metadata for the UCLA Identity Provider
/opt/shibboleth-sp/etc/shibboleth/ucla-metadata.xml
Mine is in the md namespace.
Set up your shibboleth.xml like so:
shibboleth.xml
Here is my example vhost from my httpd.conf; it isn’t that pretty.
Or check out what Alan Brenner did.
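Since the vhost itself is not reproduced here, the following is an added example of my own (not the author's httpd.conf and not part of the Ithaka plug-ins) showing how the Shibboleth-protected vhost, the X_REMOTE_USER header mapping from above, and the proxy to Zope fit together. The hostname, the Plone site id (/psych) and the SHIBUCLALOGONID attribute come from this page; the Zope port, certificate paths, the /secure attribute-check directory and the displayName mapping are assumptions.

```apache
# Added example, not the page's own vhost: Apache 2.2 SSL vhost for Plone behind
# Shibboleth SP 2.x with WebServerAuth/ApachePAS.  Hostname, Plone site id
# (/psych) and attribute name (SHIBUCLALOGONID) come from the page; the Zope
# port, certificate paths, /secure directory and displayName mapping are assumed.
<VirtualHost *:443>
    ServerName test.psych.ucla.edu
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # The SP handler must be served by shibd, not proxied to Zope.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Attribute-check page: force a session so every released attribute is visible.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>

    # Plone itself uses a lazy session so anonymous browsing still works; the
    # ShibbolethLogin plugin sends users to the SessionInitiator on login.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 0
        Require shibboleth
    </Location>

    # Drop any client-supplied copy of the header first, then set it from the
    # Shibboleth attribute only when that attribute is present.  Without the
    # env= guard an unauthenticated request carries the literal "(null)", the
    # same value Plone shows when the wrong attribute name is referenced.
    RequestHeader unset X_REMOTE_USER
    RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e env=SHIBUCLALOGONID
    RequestHeader unset Shib-DisplayName
    RequestHeader set Shib-DisplayName %{displayName}e env=displayName

    # Everything else goes to Zope's VirtualHostMonster.  Zope should listen on
    # localhost only, so the headers above cannot be set by bypassing Apache.
    RewriteEngine On
    RewriteRule ^/Shibboleth\.sso - [L]
    RewriteRule ^/secure - [L]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/test.psych.ucla.edu:443/psych/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

Zope sees the Shib-DisplayName header as HTTP_SHIB_DISPLAYNAME, which is the name used in the AutoUserMakerPASPlugin configuration further down.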
Make sure your Service Provider is receiving attributes correctly through a simple phpinfo() page or this page that can display Shibboleth attributes.
Here is mine
https://test.psych.ucla.edu/secure/
Here is the code I found on Google:
Check Attributes Page
First Install
ApachePAS plugin
http://plone.org/products/apachepas
Then Install the Shib Plugins
AutoUserMakerPASPlugin
ShibbolethLogin
ShibbolethPermissions
from here
http://tid.ithaka.org/software
Configure AutoUserMakerPASPlugin in the ZMI at /psych/acl_users/AutoUserMakerPASPlugin to look like this:
http://www.psych.ucla.edu/shibfiles/autouserconf.jpg
I’m only using the first two, HTTP_REMOTE_USER1 and HTTP_SHIB_DISPLAYNAME; you can ignore the rest of the “User Setup Headers”.
Make sure you put whatever “User Setup Headers” you are using down below in the “User Mapping Headers”.
Configure ShibbolethLogin at /psych/acl_users/ShibbolethLogin to look like this:
http://www.psych.ucla.edu/shibfiles/shibloginconf.jpg
When you log in to your site, select the “Log in with a UCLA user id” link.
That’s it. Kinda rough.
I don’t have a logout function yet.
I haven’t gotten around to using ShibbolethPermissions yet but maybe this might get you going:
http://tid.ithaka.org/software/shibbolethpermissions/
Gotchas
“Session Creation Failure” errors were from having the wrong SessionInitiator in my shibboleth.xml.
“Rejected Replayed Assertion ID” errors were from an incorrect Host and Path in the RequestMapProvider.
Good Luck