# Shibboleth For Plone

**Updated as of June 25th, 2010**

<span class="caps">UCLA</span> Shibboleth 2.1+ Guides:

[Installation guide](https://spaces.ais.ucla.edu/display/iamuclabetadocs/ShibSP2InstallGuideBeta "Installation guide")

[Configuration guide](https://spaces.ais.ucla.edu/display/iamuclabetadocs/ShibSP2ConfigurationGuide "Configuration guide")

Then install WebServerAuth, which turns the header Apache sets into a Plone login: [http://plone.org/products/webserverauth](http://plone.org/products/webserverauth)

*Does “(null)” show up instead of the login name in Plone when all is said and done?*

That is Apache 2.2’s mod\_headers telling you the environment variable named in your RequestHeader line is not set: an unset `%{VAR}e` expands to the literal string “(null)”, so the attribute either is not being released by the IdP or is not the one the SP exports under that name. Head over to your Apache <span class="caps">SSL</span> configuration (/etc/httpd/conf.d/ssl.conf) and point the X\_REMOTE\_USER RequestHeader at the Shibboleth attribute you actually want:

```apache
RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e
```

The `%{…}e` form reads an environment variable, which is how the SP exports attributes when ShibUseHeaders is off (the default); with ShibUseHeaders On the attributes arrive as request headers instead and this line will keep producing “(null)”. Because `set` overwrites whatever the browser sent, the header cannot be forged through Apache, but it can be forged by anyone who can talk to Zope directly, so keep Zope bound to localhost (or a port only the proxy can reach).
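The Plone side has to treat that header with the same care. The following is an added example (Python 3, not WebServerAuth’s or the page’s own code) of how a PAS-style plugin should read the header Zope exposes as `HTTP_X_REMOTE_USER`: it only believes the header when the request came from the Apache front end, treats a missing value or the mod\_headers “(null)” placeholder as “no user”, and rejects multi-valued or oddly formed ids. The header name, the trusted-proxy address, the user-id character policy and the sample request environments are this example’s own assumptions.

```python
import ipaddress
import re

# Assumptions of this example (not WebServerAuth's settings): Zope sees the
# header Apache sets as HTTP_X_REMOTE_USER, and only the Apache front end on
# the local host is allowed to set it.
HEADER_KEY = "HTTP_X_REMOTE_USER"
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"),)

# What mod_headers puts in the header when the named env var is not set.
NULL_PLACEHOLDER = "(null)"

# Login ids we are willing to turn into Plone user ids (constructed policy).
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,254}$")


def remote_user_from_environ(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the login id Apache passed in X_REMOTE_USER, or None.

    None means "treat this request as anonymous".  That happens when:
      * REMOTE_ADDR is not one of the trusted proxies (someone may be talking
        to Zope directly and sending the header themselves),
      * the header is missing, empty, or the mod_headers "(null)" placeholder
        (the symptom discussed above), or
      * the value is multi-valued (Shibboleth joins values with ';') or
        contains characters we do not accept in a user id.
    """
    try:
        client = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(client in net for net in trusted_proxies):
        return None

    value = (environ.get(HEADER_KEY) or "").strip()
    if not value or value == NULL_PLACEHOLDER:
        return None
    if ";" in value or not LOGIN_ID_RE.match(value):
        return None
    return value


def exported_shib_attributes(environ):
    """Everything the SP exported that Zope can see: a quick what-did-I-get
    dump, the same job as the PHP attribute page linked further down."""
    return {
        key: val
        for key, val in sorted(environ.items())
        if key.startswith("HTTP_SHIB_") or key == HEADER_KEY
    }


# Constructed sample request environments (not captured from a real server).
FROM_APACHE = {
    "REMOTE_ADDR": "127.0.0.1",
    "HTTP_X_REMOTE_USER": "jbruin",
    "HTTP_SHIB_DISPLAYNAME": "Joe Bruin",
}
NULL_FROM_APACHE = dict(FROM_APACHE, HTTP_X_REMOTE_USER="(null)")
DIRECT_TO_ZOPE = dict(FROM_APACHE, REMOTE_ADDR="10.0.0.7")

if __name__ == "__main__":
    for name, env in (("from apache", FROM_APACHE),
                      ("(null) header", NULL_FROM_APACHE),
                      ("direct to zope", DIRECT_TO_ZOPE)):
        print(name, "->", remote_user_from_environ(env))
    print(exported_shib_attributes(FROM_APACHE))
```

The REMOTE\_ADDR check is what makes the header trustworthy at all; if Zope is reachable on another interface, every other check here is decoration.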

**The most up to date instructions for the Shibboleth plug-ins for Plone are available from Ithaka.org:**

[http://tid.ithaka.org/shibplone.pdf](http://tid.ithaka.org/shibplone.pdf)

**Here are the older instructions**

Thanks to Alan Brenner for creating these plug-ins and all the help.   
[http://tid.ithaka.org/software](http://tid.ithaka.org/software)

Thanks to Datta Mahabalagiri at <span class="caps">UCLA</span> <span class="caps">AIS</span>

All file paths below are for OS X.

Please connect your Service Provider to [www.testshib.org](https://www.testshib.org/) to make sure your installation is solid before connecting to <span class="caps">UCLA</span>

Set native.logger and shibd.logger to <span class="caps">DEBUG</span> instead of <span class="caps">INFO</span> while you are getting the SP working…

[Native Logger](http://www.psych.ucla.edu/shibfiles/native.logger)  
[Shibd Logger](http://www.psych.ucla.edu/shibfiles/shibd.logger)

They are located here:

/opt/shibboleth-sp/etc/shibboleth/shibd.logger  
/opt/shibboleth-sp/etc/shibboleth/native.logger

…and they control the log files located here:

/opt/shibboleth-sp/var/log/httpd/native.log  
/opt/shibboleth-sp/var/log/shibboleth/shibd.log

<span class="caps">DEBUG</span> is verbose and records per-user session and attribute details, so restrict who can read those files and set the loggers back to <span class="caps">INFO</span> once the installation works.

Check that you have the correct Attribute Acceptance Policy for the <span class="caps">UCLA</span> Identity Provider. Attributes the <span class="caps">AAP</span> does not list are dropped by the SP rather than exported, which looks exactly like the IdP “not sending” them.  
/opt/shibboleth-sp/etc/shibboleth/<span class="caps">AAP</span>.xml

[<span class="caps">AAP</span>.xml](http://www.psych.ucla.edu/shibfiles/AAP.xml)

Verify you have the correct metadata for the <span class="caps">UCLA</span> Identity Provider  
/opt/shibboleth-sp/etc/shibboleth/ucla-metadata.xml

[<span class="caps">UCLA</span> Metadata](http://www.psych.ucla.edu/shibfiles/ucla-metadata.xml)

Mine uses the `md:` prefix for the SAML 2.0 metadata namespace (urn:oasis:names:tc:SAML:2.0:metadata); the prefix itself is arbitrary, only the namespace URI has to be right.
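Before dropping an IdP’s metadata into /opt/shibboleth-sp/etc/shibboleth it is worth checking that it actually contains what the SP will rely on. The following is an added example (Python 3, not UCLA’s or Shibboleth’s code) that resolves the `md` and `ds` namespaces by URI, confirms the file is an IdP’s SAML 2.0 EntityDescriptor, and pulls out the entityID, the SingleSignOnService endpoints and the signing certificate(s). The embedded metadata is a constructed sample with placeholder entityID, hostnames and certificate body, not <span class="caps">UCLA</span>’s real metadata.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata ("md") and XML Signature ("ds") namespaces.  The prefix
# used in the file is arbitrary; only these URIs matter to the SP.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, NOT a real IdP's metadata: entityID, hostnames and the
# certificate body are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBplaceholderCertificateBody==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_idp_metadata(xml_text):
    """Parse IdP metadata and return what the SP will rely on.

    Raises ValueError if the document is not a SAML 2.0 EntityDescriptor for
    an IdP, carries no signing certificate, or offers no SSO endpoint: any of
    those means assertions from this IdP cannot be verified or the SP cannot
    even start a session.
    """
    # ET.fromstring is fine for metadata you fetched yourself over HTTPS;
    # use defusedxml for anything an untrusted party can hand you.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root is %s, not a SAML 2.0 md:EntityDescriptor" % root.tag)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an IdP's metadata")
    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        raise ValueError("IdP does not advertise SAML 2.0 protocol support")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both uses.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Strip the whitespace/newlines the base64 body is wrapped with.
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    sso = [
        (e.get("Binding"), e.get("Location"))
        for e in idp.findall("md:SingleSignOnService", NS)
    ]
    if not sso:
        raise ValueError("no SingleSignOnService endpoint")

    return {
        "entityID": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso": sso,
    }


if __name__ == "__main__":
    for key, value in summarize_idp_metadata(SAMPLE_METADATA).items():
        print(key, value)
```

Compare the printed entityID and certificate against what the IdP operators published out of band; metadata that parses cleanly but names the wrong entity or key is the one that bites you later with signature failures.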

Setup your Shibboleth.xml like so:  
[shibboleth.xml](http://www.psych.ucla.edu/shibfiles/shibboleth.xml)

Here is my example vhost from my httpd.conf; it isn’t that pretty.

[vhost.conf](http://www.psych.ucla.edu/shibfiles/vhost.conf)

or check out what Alan Brenner did

[Alan’s Vhost](http://tid.ithaka.org/software/autousermakerpasplugin)

Make sure your Service Provider is receiving attributes correctly through a simple phpinfo() page or a page that displays the Shibboleth attributes. Take the page down (or lock it behind the SP) when you are done: it shows every attribute released for the logged-in user, and phpinfo() shows your server configuration as well.

Here is mine  
[https://test.psych.ucla.edu/secure/](https://test.psych.ucla.edu/secure/)

Here is the code I found on google  
[Check Attributes Page](http://www.psych.ucla.edu/shibfiles/checkattrib.php.txt)

First install the

ApachePAS plugin  
[http://plone.org/products/apachepas](http://plone.org/products/apachepas)

Then install the Shib plug-ins

AutoUserMakerPASPlugin  
ShibbolethLogin  
ShibbolethPermissions

from here

[http://tid.ithaka.org/software](http://tid.ithaka.org/software)

Configure AutoUserMakerPASPlugin in the <span class="caps">ZMI</span> at /psych/acl\_users/AutoUserMakerPASPlugin (/psych is my Plone site id; use yours) to look like this  
[http://www.psych.ucla.edu/shibfiles/autouserconf.jpg](http://www.psych.ucla.edu/shibfiles/autouserconf.jpg)

I’m only using the first two, HTTP\_REMOTE\_USER1 and HTTP\_SHIB\_DISPLAYNAME; you can ignore the rest of the “User Setup Headers”.

Make sure you also list whatever “User Setup Headers” you are using down below in the “User Mapping Headers”.

Configure Shibboleth Login at /psych/acl\_users/ShibbolethLogin to look like this  
[http://www.psych.ucla.edu/shibfiles/shibloginconf.jpg](http://www.psych.ucla.edu/shibfiles/shibloginconf.jpg)

When you log in to your site, select the “Log in with a <span class="caps">UCLA</span> user id” link.

That’s it. Kinda rough.

I don’t have a logout function yet. Note that logging out of Plone alone leaves the Shibboleth SP session (and the IdP session) alive, so the next request through the protected vhost logs the same user straight back in.

I haven’t gotten around to using ShibbolethPermissions yet but maybe this might get you going:  
[http://tid.ithaka.org/software/shibbolethpermissions/](http://tid.ithaka.org/software/shibbolethpermissions/)

Gotchas  
“Session Creation Failure” errors came from having the wrong SessionInitiator in my shibboleth.xml.

“Rejected Replayed Assertion ID” came from an incorrect Host and Path in the RequestMapProvider.

Good Luck